Backdoor.Mistic: Woodgnat Access Broker Sells Network Entry to Ransomware Gangs

Backdoor.Mistic (Zscaler: MLTBackdoor), used since April 2026 by the access broker Woodgnat/KongTuke, is a fileless RAT that establishes durable remote access and sells it to ransomware crews including Qilin, Akira, and Black Basta. It spreads via fake IT-helpdesk lures on Microsoft Teams.


A relatively new backdoor that Symantec's Threat Hunter Team tracks as Backdoor.Mistic - and that Zscaler documented earlier this month as MLTBackdoor - has been deployed in multiple intrusions since April 2026. The malware is tied to a financially motivated initial access broker (IAB) publicly tracked as KongTuke, which Symantec tracks as Woodgnat. The group's job is not to deploy ransomware itself. It is to establish durable, high-level remote access inside an enterprise and sell that access to ransomware affiliates.

This is the part defenders tend to miss: the broker is upstream of the incident. By the time a ransomware payload appears, the access was already bought.

Who's buying

Woodgnat has been active since May 2024 and functions as a middleman feeding multiple ransomware operations, with reporting linking it to Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Symantec's Threat Hunter Team has directly observed the group's ModeloRAT used in attacks that delivered Qilin ransomware; Mistic was seen in one intrusion that also involved ModeloRAT. The targeting is opportunistic - schools, insurance firms, and IT-services providers - chosen for any foothold that can be monetized. The activity is being tracked by Broadcom's Symantec team, Carbon Black, Zscaler, and ThaiCERT.

The lure: paste-and-run social engineering

Woodgnat leans heavily on tricking ordinary employees into running commands themselves. The group hijacks legitimate WordPress sites to serve fake technical alerts. In an early-2026 variant Symantec calls CrashFix, the attackers deliberately freeze the victim's browser and display a message instructing them to copy and paste a "fix" command - the same paste-and-run pattern the group ran in 2025 under the names ClickFix and FileFix.

Since April 2026, they have added a direct channel: messaging staff on Microsoft Teams while posing as the company's internal IT helpdesk, walking them into executing malicious commands. Any unsolicited "IT support" contact that ends with "run this command" should be treated as hostile by default.

A backdoor built to leave no trace

Once a user takes the bait, a multi-stage PowerShell chain pulls down the malware and installs Backdoor.Mistic. The backdoor can manage files and display fake login screens to harvest credentials. For discovery and exfiltration, the operators lean on living-off-the-land binaries: Net.exe and Reg.exe to map the network, and Curl to move data out.

Mistic is engineered to evade endpoint defenses on several fronts. It uses DLL sideloading - abusing a trusted, signed Windows binary to load the malicious payload - so security tooling sees a legitimate process. It runs entirely in memory, writing no file to disk, which denies traditional antivirus a static target. And it ships with a kill switch that lets the operators have the malware delete itself instantly if they suspect detection.

Zero Day Wire infographic: Backdoor.Mistic (MLTBackdoor), run by access broker Woodgnat/KongTuke. It sells durable network access to ransomware crews (Qilin, Akira, Black Basta) via fake IT-helpdesk lures on Teams. Fileless, hides via DLL sideloading, self-deletes on detection.

Detection (Symantec)

Symantec/Broadcom flags this threat under, among others: file-based Backdoor.Mistic, Hacktool.Keylogger, Trojan.Gen.MBT, WS.Malware.1 and WS.Malware.2; behavior-based SONAR.SuspLoad!g74; adaptive ACM.Icacls-Lnch!g1 and ACM.Ps-Rd32!g1; and machine-learning Heur.AdvML.B / Heur.AdvML.C and related variants. Carbon Black customers should, at minimum, block all malware categories (Known, Suspect, PUP) from executing and enable delay-for-cloud-scan for full reputation coverage. Observed domains and IPs are covered under WebPulse security categories.

Why It Matters

Defenders focused only on the ransomware payload are watching the wrong layer. Initial access brokers like Woodgnat are now critical suppliers in the ransomware economy - specializing in finding, validating, and selling access - and their infrastructure tends to be more consistent across engagements than the downstream crews who buy from them. As Team Cymru's Josh Picolet put it, the access infrastructure is upstream of the incident, and visibility into how brokers route, reuse, and hand off access is what lets defenders disrupt before a ransomware operator ever enters the environment. Practically, that means hunting the precursors: paste-and-run lures, anomalous PowerShell spawned from a browser or Teams, unexpected DLL loads by signed binaries, and Net.exe / Reg.exe / Curl activity that doesn't fit the host baseline.
