ctipilot.ch

Mistic / MLTBackdoor backdoor (Woodgnat/KongTuke IAB)

tool · tool:mistic-mltbackdoor

Coverage timeline: 1 (first 2026-06-25 → last 2026-06-25)
Briefs: 1 (1 distinct)
Sources cited: 4 (4 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-25 · CTI Daily Brief — 2026-06-25
     active_threats · First coverage. Signed-Defender (MpExtMs.exe) sideload of EndpointDlp.dll; in-memory BOF execution; sells to Qilin/Interlock/Rhysida/Akira/8Base/Black Basta.

Where this entity is cited

  • active_threats: 1

Source distribution

  • broadcom.com: 1 (25%)
  • csoonline.com: 1 (25%)
  • securityweek.com: 1 (25%)
  • zscaler.com: 1 (25%)

Related entities

Items in briefs about Mistic / MLTBackdoor backdoor (Woodgnat/KongTuke IAB) (1)

"Mistic" backdoor: signed-Defender DLL sideloading and in-memory tradecraft by access broker Woodgnat/KongTuke

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

Symantec disclosed Backdoor.Mistic (also tracked as MLTBackdoor), deployed since April 2026 by the initial-access broker Woodgnat (a.k.a. KongTuke), which sells footholds to ransomware affiliates including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta (Symantec, 2026-06-24 · SecurityWeek, 2026-06-24). Mistic is loaded by DLL sideloading: a digitally signed Microsoft Defender executable (MpExtMs.exe) is made to load a malicious EndpointDlp.dll (T1574.002 DLL Side-Loading, T1036.005 Match Legitimate Name or Location), so its activity reads as legitimate Defender behaviour to EDR. Per Symantec it also supports in-memory execution of BOFs, file manipulation and arbitrary code execution, with a kill switch for stealth. Delivery uses ClickFix / FileFix / CrashFix lures (fake CAPTCHAs, browser-crash pages, and Teams IT-helpdesk impersonation directing victims to run PowerShell). Why it matters to us: the downstream affiliates are all active public-sector ransomware actors. Detection is precise: the legitimate EndpointDlp.dll loads from Defender's install directory under a Microsoft certificate, so any EndpointDlp.dll loaded from a user-writable path or with a non-Microsoft signature is high-confidence (Sysmon EID 7, checking ImageLoaded together with Signature and SignatureStatus). One caveat when writing the allow-list: %ProgramFiles%\Windows Defender\ is not the only legitimate location, since Defender platform updates run the current binaries from a versioned folder under %ProgramData%\Microsoft\Windows Defender\Platform\, so treat both as expected paths rather than alerting on everything outside ProgramFiles. Pair with EID 1 parent-child chains for PowerShell spawned by Teams or Office clients.
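The two checks described above, written out as an added example in Python (this is not code from Symantec, SecurityWeek or the brief). It runs over constructed Sysmon EID 7 (ImageLoad) and EID 1 (ProcessCreate) records held as dicts keyed by Sysmon's field names; the second trusted directory (the versioned Defender platform folder under ProgramData), the list of Teams/Office parent names and the shell names are assumptions chosen for the illustration, and a real deployment would feed the functions from an EVTX/XML or SIEM export and tune those lists.

```python
"""Triage Sysmon EID 7 / EID 1 records for the Mistic sideload pattern.

Added example for this page; not code from Symantec, SecurityWeek or the
brief. Records are constructed dicts keyed by Sysmon field names (ImageLoaded,
Signed, Signature, SignatureStatus, Image, ParentImage); a real pipeline would
feed it from EVTX/XML or a SIEM export.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Directories from which a genuine EndpointDlp.dll may load. The second entry is
# an assumption on our part: Defender platform updates run the current engine
# from a versioned folder under ProgramData, so a rule keyed only on
# %ProgramFiles%\Windows Defender\ would flag legitimate loads there.
TRUSTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
# Assumed parent/child names for the EID 1 chain (ClickFix-style lure execution).
LURE_PARENTS = {"ms-teams.exe", "teams.exe", "outlook.exe", "winword.exe",
                "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def _in_trusted_dir(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in TRUSTED_DEFENDER_DIRS)


def _is_microsoft_signed(ev: dict) -> bool:
    """Sysmon records signer and validity separately; require both."""
    return (str(ev.get("Signed", "")).lower() == "true"
            and ev.get("SignatureStatus", "") == "Valid"
            and ev.get("Signature", "").lower().startswith("microsoft"))


def triage_image_load(ev: dict) -> str | None:
    """EID 7: 'high' for a sideloaded EndpointDlp.dll, 'benign' for the real one, None if irrelevant."""
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "endpointdlp.dll":
        return None
    if not _in_trusted_dir(loaded):
        return "high"      # DLL outside Defender's install dirs (e.g. user-writable)
    if not _is_microsoft_signed(ev):
        return "high"      # expected path but the file is not Microsoft-signed
    return "benign"


def triage_process_create(ev: dict) -> str | None:
    """EID 1: 'medium' when a shell is spawned by a Teams/Office client."""
    child = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    return "medium" if child in SHELLS and parent in LURE_PARENTS else None


def triage(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (severity, artefact) for every non-benign record."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        verdict = (triage_image_load(ev) if eid == 7
                   else triage_process_create(ev) if eid == 1 else None)
        if verdict and verdict != "benign":
            hits.append((verdict, ev.get("ImageLoaded") or ev.get("CommandLine", "")))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe",
     "ImageLoaded": "C:\\Program Files\\Windows Defender\\EndpointDlp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\EndpointDlp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MpExtMs.exe",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\EndpointDlp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "CommandLine": "powershell.exe -w hidden -c \"<pasted lure>\""},
]

if __name__ == "__main__":
    for severity, artefact in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {artefact}")
```

Running it on the constructed records flags only the Temp-directory copy of EndpointDlp.dll (high) and the PowerShell child of Teams.exe (medium); the two genuine Defender loads, including the one from the ProgramData platform folder, stay benign. The signature test deliberately requires SignatureStatus to be Valid as well as a Microsoft signer string, since Sysmon reports both fields separately and an unsigned file can still carry a forged Signature value in tampered telemetry.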