A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.
The malware is believed to be linked to KongTuke/Woodgnat, an initial access broker active since at least 2024 that specializes in compromising corporate networks and selling that access to ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Researchers at cybersecurity company Symantec say that Mistic has been used in intrusions since April.
In at least one incident, it was deployed shortly after ModeloRAT, a backdoor attributed to KongTuke and delivered via social engineering attacks over Microsoft Teams.
Symantec believes that Mistic is a newly developed, stealthy backdoor designed for long-term persistence in compromised networks.
Mistic attack chain
In the attacks investigated by Symantec, the infection started with the launch of the legitimate executable MpExtMs.exe to side-load a malicious DLL named version.dll, which acts as the loader of Mistic (EndpointDlp.dll).
The researchers note that the filename chosen for Mistic resembles Microsoft endpoint security tooling, which may help the malware blend in with trusted software on the host.
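The side-loading step described above (a benign executable resolving version.dll from its own directory instead of the Windows system directory) is a pattern defenders can hunt for in image-load telemetry. The following is an added example, not code from Symantec or the article: it scans constructed Sysmon-style image-load records and flags the two DLL names the article mentions when they are loaded from outside the Windows system directories. The file paths, process names and the `signed` field in the sample are constructed for illustration; the check generalizes to any DLL name added to `WATCHED_DLLS`.

```python
"""Flag image-load events that look like DLL side-loading (constructed example).

The sample records mimic Sysmon Event ID 7 fields but are constructed here;
they are not telemetry from the intrusions described in the article.
"""
from dataclasses import dataclass
import ntpath

# Directories where version.dll legitimately resides on Windows.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# DLL names tied to this chain: version.dll (the side-loaded loader) and
# EndpointDlp.dll (the Mistic payload). Extend the set to hunt other names.
WATCHED_DLLS = {"version.dll", "endpointdlp.dll"}


@dataclass
class ImageLoad:
    image: str          # path of the process that loaded the module
    image_loaded: str   # full path of the DLL that was loaded
    signed: bool        # whether the DLL carried a valid Authenticode signature


def is_trusted_dir(path: str) -> bool:
    """True when the DLL lives in a Windows system directory."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in TRUSTED_DLL_DIRS


def suspicious_loads(events):
    """Return (process, dll_path, reason) for watched DLLs loaded from untrusted paths."""
    findings = []
    for ev in events:
        dll_name = ntpath.basename(ev.image_loaded).lower()
        if dll_name not in WATCHED_DLLS:
            continue
        if is_trusted_dir(ev.image_loaded):
            continue  # normal search-order resolution, nothing to report
        reason = f"{dll_name} loaded from non-system directory"
        if not ev.signed:
            reason += " (unsigned)"
        findings.append((ev.image, ev.image_loaded, reason))
    return findings


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\MpExtMs.exe",
              r"C:\Users\alice\AppData\Local\Temp\update\version.dll", signed=False),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\MpExtMs.exe",
              r"C:\Users\alice\AppData\Local\Temp\update\EndpointDlp.dll", signed=False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\other.dll", signed=True),
]


if __name__ == "__main__":
    for process, dll, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"{process} -> {dll}: {reason}")
```

The explorer.exe load of the real version.dll is ignored, while both loads from the temporary directory are reported. In practice the same logic runs as a SIEM rule over Event ID 7 data, where the loading process path and the signature state of the DLL are the two fields that separate routine version.dll resolution from a hijack.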
A separate .NET DLL is also loaded, which displays a fake login screen to the victim to steal their account credentials.
Once loaded, Mistic communicates with its command-and-control infrastructure and can receive commands from the operator. Symantec lists the following capabilities: