Stealthy Mistic backdoor gives ransomware access broker KongTuke lasting footholds
Symantec and Zscaler have detailed Mistic, a stealthy new Windows backdoor seen in intrusions since April and attributed to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is DLL side-loaded: a legitimate Microsoft executable (MpExtMs.exe) loads a malicious DLL whose name mimics endpoint-security software. Its payloads run only in memory, with nothing written to disk, and it carries a self-delete kill switch, all aimed at long-term, low-visibility access. Delivery relies on social-engineering lures, such as fake CAPTCHAs and Microsoft Teams help-desk pretexts, that trick users into pasting and running PowerShell commands. For defenders, the side-loading pattern is the most distinctive signal to watch for.
- Check: Hunt for the legitimate MpExtMs.exe process side-loading unexpected DLLs, for in-memory-only payloads, and for signs of paste-and-run PowerShell delivered through fake CAPTCHAs or Microsoft Teams help-desk messages.
- Affected: Enterprises across insurance, education, IT, and professional services targeted by KongTuke; a quiet, in-memory backdoor establishes durable access that is later sold to ransomware affiliates for deployment.
- Fix: Train users against paste-and-run and fake IT-support lures, restrict PowerShell and script execution, deploy behavioral detection for DLL side-loading and in-memory backdoors, and apply the published indicators of compromise.