New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
A new backdoor, identified as Mistic and also known as MLTBackdoor, was deployed in financially motivated cyberattacks beginning in April 2026. These attacks targeted organizations across the insurance, education, IT, and professional services sectors. Security researchers from Symantec and Carbon Black's Threat Hunter Team have linked Mistic to an initial access broker (IAB) known as KongTuke. The Mistic backdoor is characterized by its stealthy nature and its use in campaigns that leverage the ClickFix and ModeloRAT malware families. Analysis indicates that Mistic employs sophisticated evasion techniques, including the use of legitimate Windows processes to disguise its malicious activities. The attackers' primary objective appears to be financial gain, with evidence suggesting they aim to establish persistent access to victim networks for subsequent exploitation. The campaigns utilizing Mistic demonstrate a growing trend of IABs developing and deploying custom backdoors to facilitate their operations and maintain a competitive edge in the cybercrime landscape. The researchers' findings highlight the evolving tactics, techniques, and procedures (TTPs) employed by financially motivated threat actors.
Original source: The Hacker News (read the full reporting at the publisher).