
KongTuke's Mistic Backdoor Loads Cobalt Strike BOFs In Memory

bleepingcomputer.com · @loyal_hedgehog · 3 hours ago · Cybersecurity

Symantec and Zscaler track a new backdoor that uses Beacon Object Files for memory-only execution, delivered via ClickFix and side-loading to target insurance, education, and IT firms.

Tags: mistic, kongtuke, symantec, zscaler, backdoor, initial access broker

Mistic can load Beacon Object Files (BOFs) straight into memory, so its post-exploitation code never touches disk and file-based endpoint scanning has nothing to inspect. That memory-only execution is the standout feature of a backdoor that Symantec and Zscaler both tie to the initial access broker KongTuke.

ClickFix Delivers Mistic Via DLL Side-Loading

Infection begins with the legitimate MpExtMs.exe (a Microsoft Defender executable) side-loading a malicious version.dll: because Windows resolves a DLL from the application's own directory before the system directory, the trusted host binary loads whatever version.dll the attacker placed beside it. That DLL is the loader for Mistic, deployed as EndpointDlp.dll, a filename chosen to resemble Microsoft endpoint security components. A second .NET DLL displays a fake login screen to harvest credentials. Symantec says Mistic has been active since April and, in at least one incident, was delivered immediately after KongTuke's older backdoor ModeloRAT.

Zscaler, tracking the same malware as MTLBackdoor, finds it delivered via a multi-stage ClickFix chain in May. KongTuke has used ClickFix variants since early 2025 to drop ModeloRAT. Both reports agree: the backdoor is designed for long-term, low-visibility access.
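The chain above turns on a trusted binary resolving version.dll from its own directory instead of System32. As an added example, not code from the article or from either vendor, here is detection logic run over constructed Sysmon Event ID 7 (ImageLoad) records in newline-delimited JSON: it flags the MpExtMs.exe / version.dll pair whenever the DLL is loaded from outside the Windows system directories. The sample paths, the `SIDELOAD_PAIRS` table and the three events are assumptions made for the demo; the field names Image, ImageLoaded, Signed and Signature are Sysmon's own.

```python
"""Flag DLL side-loading of the kind described above in Sysmon Event ID 7
(ImageLoad) records: a known host binary loading a system DLL name from a
directory that is not a Windows system directory."""
import json
from pathlib import PureWindowsPath

# Host executable -> DLL names it is known to be abused to side-load. The
# MpExtMs.exe / version.dll pair is the one in the report; extend as needed.
SIDELOAD_PAIRS = {"mpextms.exe": {"version.dll"}}
# Where a legitimate copy of a system DLL is expected to come from.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def sideload_finding(event: dict):
    """Return a finding for a suspicious ImageLoad event, or None if it is benign."""
    host = PureWindowsPath(event.get("Image", ""))
    dll = PureWindowsPath(event.get("ImageLoaded", ""))
    if dll.name.lower() not in SIDELOAD_PAIRS.get(host.name.lower(), ()):
        return None
    if str(dll.parent).lower().startswith(SYSTEM_DLL_DIRS):
        return None  # the real system copy; this is the expected load
    return {
        "host": str(host),
        "dll": str(dll),
        "same_directory": dll.parent == host.parent,  # PureWindowsPath compares case-insensitively
        "signed": str(event.get("Signed", "")).lower() == "true",
        "signature": event.get("Signature", ""),
    }


def scan(lines):
    """Run the check over newline-delimited JSON Sysmon events, skipping blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            finding = sideload_finding(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). Line 1 is a benign load of the
# System32 copy, line 2 is the side-load, line 3 is the follow-on payload DLL.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Update\\MpExtMs.exe", "ImageLoaded": "C:\\Users\\Public\\Update\\version.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Users\\Public\\Update\\MpExtMs.exe", "ImageLoaded": "C:\\Users\\Public\\Update\\EndpointDlp.dll", "Signed": "false", "Signature": ""}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Only the second record is flagged. The third (EndpointDlp.dll loaded from the same directory) is not, because a pair rule only covers the entry of the chain; pair it with a broader rule, such as an unsigned DLL loaded from a user-writable directory by the same process, to catch the follow-on stages.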

BOF Execution Gives Attackers Post-Exploitation Flexibility

"One of the most powerful features is the ability to load Beacon Object Files (BOFs) to expand its capabilities," Zscaler researchers write. A BOF is a small compiled C object file (COFF) that an implant parses and runs inside its own process, resolving the Windows API functions it needs at load time; it is the standard post-exploitation extension mechanism of Cobalt Strike's Beacon, and here the same format is consumed by a custom backdoor. Nothing is written to disk. Beyond BOFs, Mistic can upload, download, move, rename and delete files, create folders, adjust its command check-in interval, execute arbitrary code in memory, and terminate itself via a kill switch.

Symantec calls the self-deletion and memory-only execution features consistent with operators seeking persistent, stealthy footholds.
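As an added illustration of what a BOF loader actually has to do (this is not code from the article, Symantec or Zscaler), the following Python walks the COFF structures: file header, section table, symbol table with its string table, and relocations. It constructs a minimal x64 object that follows the Cobalt Strike naming conventions, a `go` entry point and `__imp_MODULE$Function` import symbols (the .text bytes are stubs, not a payload), and lists what a loader would have to resolve before jumping to `go`. The same parse doubles as a triage check for COFF blobs recovered from memory or from a C2 capture. The sample object, its symbol names and the `looks_like_bof` heuristic are assumptions made for the demo.

```python
"""Parse a Beacon Object File (a plain COFF object) and list its entry point,
sections, relocations and the MODULE$Function imports a loader must resolve."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FILE_HEADER = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
SYMBOL = struct.Struct("<8sIhHBB")              # IMAGE_SYMBOL, 18 bytes
RELOC = struct.Struct("<IIH")                   # IMAGE_RELOCATION, 10 bytes
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SYM_CLASS_EXTERNAL, IMAGE_SYM_CLASS_STATIC = 2, 3
IMAGE_REL_AMD64_REL32 = 0x0004


@dataclass
class BofInfo:
    machine: int
    sections: List[Tuple] = field(default_factory=list)    # (name, raw_offset, raw_size, flags)
    symbols: List[Optional[Tuple]] = field(default_factory=list)  # (name, value, section, class)
    relocations: List[Tuple] = field(default_factory=list) # (section, offset, symbol_name, type)
    entry: Optional[str] = None
    imports: List[Tuple[Optional[str], str]] = field(default_factory=list)  # (module, function)


def _symbol_name(raw: bytes, strtab: bytes) -> str:
    if raw[:4] == b"\0\0\0\0":  # long name: bytes 4..8 are an offset into the string table
        off = struct.unpack_from("<I", raw, 4)[0]
        return strtab[off:strtab.index(b"\0", off)].decode()
    return raw.rstrip(b"\0").decode()


def parse_bof(data: bytes) -> BofInfo:
    machine, nsect, _, symoff, nsym, opt_size, _ = FILE_HEADER.unpack_from(data, 0)
    if opt_size != 0:
        raise ValueError("optional header present: a PE image, not a COFF object")
    info = BofInfo(machine)
    strtab_off = symoff + nsym * SYMBOL.size      # string table follows the symbol table
    strtab = data[strtab_off:strtab_off + struct.unpack_from("<I", data, strtab_off)[0]]
    i = 0                                        # aux records occupy slots: keep them as None
    while i < nsym:
        raw, value, sect, _, cls, naux = SYMBOL.unpack_from(data, symoff + i * SYMBOL.size)
        info.symbols.append((_symbol_name(raw, strtab), value, sect, cls))
        info.symbols.extend([None] * naux)
        i += 1 + naux
    for s in range(nsect):
        name, _, _, size, rawoff, reloff, _, nrel, _, flags = SECTION_HEADER.unpack_from(
            data, FILE_HEADER.size + s * SECTION_HEADER.size)
        sname = name.rstrip(b"\0").decode()
        info.sections.append((sname, rawoff, size, flags))
        for r in range(nrel):      # each relocation names the symbol a code slot refers to
            addr, symidx, rtype = RELOC.unpack_from(data, reloff + r * RELOC.size)
            info.relocations.append((sname, addr, info.symbols[symidx][0], rtype))
    for sym in info.symbols:
        if sym is None or sym[3] != IMAGE_SYM_CLASS_EXTERNAL:
            continue
        name, _, sect, _ = sym
        if sect > 0 and name in ("go", "_go"):          # defined in a section: the entry point
            info.entry = name
        elif sect == 0 and name.startswith("__imp_"):   # undefined: resolved at load time
            target = name[len("__imp_"):].lstrip("_")   # x86 objects add one more underscore
            module, sep, func = target.partition("$")
            info.imports.append((module, func) if sep else (None, module))  # None = Beacon API
    return info


def looks_like_bof(info: BofInfo) -> bool:
    """Triage heuristic: a 'go' entry plus MODULE$Function imports is the BOF signature."""
    return info.entry is not None and any(m is not None for m, _ in info.imports)


def build_sample_bof() -> bytes:
    """Constructed x64 COFF object laid out like a BOF. The .text bytes are a stub
    (prologue, three call placeholders, epilogue), not a working payload."""
    code = bytes.fromhex("4883ec28") + b"\xe8\0\0\0\0" * 3 + bytes.fromhex("4883c428c3")
    symbols = [(".text", 0, 1, IMAGE_SYM_CLASS_STATIC), ("go", 0, 1, IMAGE_SYM_CLASS_EXTERNAL),
               ("__imp_KERNEL32$GetProcAddress", 0, 0, IMAGE_SYM_CLASS_EXTERNAL),
               ("__imp_KERNEL32$LoadLibraryA", 0, 0, IMAGE_SYM_CLASS_EXTERNAL),
               ("__imp_BeaconPrintf", 0, 0, IMAGE_SYM_CLASS_EXTERNAL)]
    relocs = [(5, 2, IMAGE_REL_AMD64_REL32), (10, 3, IMAGE_REL_AMD64_REL32),
              (15, 4, IMAGE_REL_AMD64_REL32)]          # rel32 operand of each call -> import
    strtab, symtab = bytearray(b"\0\0\0\0"), b""
    for name, value, sect, cls in symbols:
        raw = name.encode()
        if len(raw) > 8:                               # too long for the 8-byte field
            name8 = struct.pack("<II", 0, len(strtab))
            strtab += raw + b"\0"
        else:
            name8 = raw.ljust(8, b"\0")
        symtab += SYMBOL.pack(name8, value, sect, 0x20 if name == "go" else 0, cls, 0)
    struct.pack_into("<I", strtab, 0, len(strtab))     # first dword = total string table size
    code_off = FILE_HEADER.size + SECTION_HEADER.size
    reloc_off = code_off + len(code)
    sym_off = reloc_off + RELOC.size * len(relocs)
    header = FILE_HEADER.pack(IMAGE_FILE_MACHINE_AMD64, 1, 0, sym_off, len(symbols), 0, 0)
    section = SECTION_HEADER.pack(b".text", 0, 0, len(code), code_off, reloc_off, 0,
                                  len(relocs), 0, 0x60000020)  # CODE | EXECUTE | READ
    return header + section + code + b"".join(RELOC.pack(*r) for r in relocs) + symtab + bytes(strtab)
```

On a real BOF the import list is the loader's work list: each MODULE$Function is resolved with LoadLibrary and GetProcAddress, the address is written into the relocation slot, and control then passes to `go`, which is why nothing has to exist on disk. For triage the same names tell you what a recovered blob is able to call, and an object with a `go` entry and `$`-qualified imports is a strong indicator of a BOF rather than ordinary compiler output.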

KongTuke Ties Mistic to Ransomware Ecosystem

KongTuke (also known as Woodgnat) has been active since at least 2024 as an initial access broker selling compromised network access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The broker's toolset already includes WinPython, Node.js runtimes, finger.exe, a fake NexShield browser extension, the GateKeeper .NET payload, and loaders like MintsLoader and D3F@ck Loader. Mistic now joins that arsenal.

Both Symantec and Zscaler published indicators of compromise for Mistic/MTLBackdoor. Expect more custom, memory-only tools from access brokers feeding the ransomware supply chain.


Source: Stealthy Mistic backdoor linked to ransomware access broker KongTuke
Domain: bleepingcomputer.com
