A new in-memory backdoor named Mistic has been identified in intrusions carried out by KongTuke, a financially motivated initial access broker that sells network footholds to ransomware affiliates. Symantec researchers published their analysis on June 24, 2026, documenting Mistic intrusions across insurance, IT, education, and professional services organizations since at least April 2026.

KongTuke, also tracked as Woodgnat, has established access-sale relationships with ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The broker’s operational model mirrors the larger initial access broker ecosystem: gain persistent access, sell it, and let ransomware affiliates execute the final-stage attack. A Mistic detection on a network is therefore a signal not only that a broker has access, but that the compromised environment may already be listed for sale in criminal markets.

Mistic runs entirely in memory, writes nothing to disk, and includes a kill-switch for self-deletion. According to Symantec, the malware is deployed via DLL sideloading through a legitimate Microsoft binary as part of a multi-stage chain that begins with social engineering lures, often delivered through compromised websites or Microsoft Teams messages using ClickFix or FileFix prompts. Before the backdoor establishes command-and-control communications, a credential-harvesting module captures authentication material through a spoofed login screen. The combination of fileless execution and self-deletion means endpoint tools relying on file-based signatures will not catch a running Mistic infection; behavioral and memory-resident detection capabilities are required.

Defenders should monitor for MpExtMs.exe loading EndpointDlp.dll, suspicious version.dll behavior on endpoints, and Run-key entries mimicking remote management tools. At the network layer, watch for RC4-encrypted command-and-control traffic patterns and unexpected curl.exe exfiltration attempts. The IAB supply chain dynamics at play here are consistent with patterns seen in recent credential theft incidents: see LastPass Customer Data Exposed in Klue Supply Chain Attack.
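The endpoint-side checks above can be expressed as a small triage script. The example below is added here and is not Symantec's code; it parses constructed Sysmon-style records (event 7 = image loaded, event 13 = registry value set) and flags the MpExtMs.exe/EndpointDlp.dll pairing, version.dll loaded from outside the system directories (an assumed interpretation of "suspicious version.dll behavior"), and Run-key values pointing into a user profile so an analyst can review the value names for RMM look-alikes.

```python
import re

# Constructed Sysmon-style events (key=value pairs, one per line); not real telemetry.
SAMPLE_EVENTS = r"""
EventID=7 Image=C:\Users\alice\AppData\Local\Temp\MpExtMs.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\EndpointDlp.dll
EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\version.dll
EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\version.dll
EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\RemoteSupportAgent Details=C:\Users\alice\AppData\Roaming\rsa\MpExtMs.exe
EventID=13 TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth Details=C:\Windows\System32\SecurityHealthSystray.exe
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_event(line: str) -> dict:
    """Split 'key=value' fields; values may contain spaces, so stop before the next ' key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def sideload_finding(ev: dict):
    """Reported Mistic sideload pairing, plus version.dll resolved from a non-system directory (assumed heuristic)."""
    if ev.get("EventID") != "7":
        return None
    img, dll, dll_path = basename(ev["Image"]), basename(ev["ImageLoaded"]), ev["ImageLoaded"].lower()
    if img == "mpextms.exe" and dll == "endpointdlp.dll":
        return f"sideload: MpExtMs.exe loaded EndpointDlp.dll from {ev['ImageLoaded']}"
    if dll == "version.dll" and not dll_path.startswith(SYSTEM_DIRS):
        return f"sideload: {img} loaded version.dll from non-system path {ev['ImageLoaded']}"
    return None

def runkey_finding(ev: dict):
    """Run-key values whose target lives under a user profile; the value name is surfaced for RMM look-alike review."""
    if ev.get("EventID") != "13" or "\\currentversion\\run\\" not in ev.get("TargetObject", "").lower():
        return None
    if "\\users\\" in ev.get("Details", "").lower():
        return f"persistence: Run value {basename(ev['TargetObject'])} -> {ev['Details']}"
    return None

def scan(events: str) -> list:
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        findings.extend(f for f in (sideload_finding(ev), runkey_finding(ev)) if f)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the script reports three findings and stays silent on explorer.exe loading the System32 copy of version.dll and on the HKLM Run value that points into System32.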

Source: Symantec Threat Intelligence