New Backdoor May Be Linked to Ransomware Access Broker
A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026, potentially linked to Woodgnat, an initial access broker associated with multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. In at least one case, Mistic was deployed alongside ModeloRAT, a tool developed by Woodgnat. The backdoor uses sideloading techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across the insurance, education, IT and professional services sectors. Woodgnat operates as an initial access broker (IAB), establishing durable remote access within enterprises and selling this access to ransomware affiliates; it gains that access through social-engineering techniques including ClickFix, FileFix and CrashFix lures delivered via compromised WordPress sites.
AI Analysis
Technical Summary
Mistic is a newly identified backdoor deployed since April 2026, potentially linked to Woodgnat, an initial access broker that provides persistent enterprise access to ransomware affiliates. Mistic employs sideloading techniques that leverage legitimate Microsoft files to load and execute payloads entirely in memory, avoiding disk artifacts. It includes standard backdoor functionality and a self-delete kill switch to evade detection. In at least one incident, Mistic was deployed alongside ModeloRAT, a tool developed by Woodgnat. Woodgnat uses social engineering lures such as ClickFix, FileFix, and CrashFix, delivered through compromised WordPress sites, to gain initial access. The targeting appears opportunistic and spans multiple sectors including insurance, education, IT, and professional services. This activity supports ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Potential Impact
Mistic enables stealthy, persistent remote access within compromised enterprises, facilitating follow-on ransomware attacks by affiliates of the Woodgnat initial access broker. Its in-memory execution and self-delete kill switch reduce detection likelihood, increasing the risk of prolonged undetected access. The opportunistic targeting across multiple sectors broadens potential impact. While no known exploits or CVEs are associated, the presence of this backdoor supports ransomware campaigns with significant operational and financial consequences for victims.
Mitigation Recommendations
Because Mistic is malware rather than a software vulnerability, there is no patch to apply; remediation is a detection-and-response exercise. Detection should focus on sideloading of legitimate Microsoft files, in-memory payload execution, and the indicators of compromise associated with Woodgnat and ModeloRAT. Organizations should monitor for social engineering lures delivered via compromised WordPress sites and implement controls that reduce the risk of initial access. Incident response should include eradication of persistent backdoor access and credential resets. Since no cloud service is involved, remediation depends on endpoint and network security controls.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat
- Adversary: Woodgnat
- Pulse Id: 6a3bde32e46aafdb90f9593b
- Threat Score: null
Threat ID: 6a3c1d4aeed863c81e3e4800
Added to database: 06/24/2026, 18:09:14 UTC
Last enriched: 06/24/2026, 18:20:59 UTC
Last updated: 06/24/2026, 18:25:49 UTC