Mistic is a newly identified backdoor used by the initial access broker KongTuke, active since at least 2024, to facilitate ransomware group intrusions. It is deployed through side-loading a malicious DLL (version.dll) by a legitimate executable (MpExtMs.exe), then loads the main backdoor (EndpointDlp.dll) and a .NET DLL that displays a fake login screen to harvest credentials. Mistic operates stealthily by executing code in memory without touching the disk and includes a kill switch to remove itself. It supports commands for file manipulation, adjusting C2 check intervals, executing code in memory, and self-termination. The malware is part of a complex infection chain involving other KongTuke tools and is designed for long-term, low-visibility access. Researchers from Symantec and Zscaler have analyzed Mistic, noting its ability to load Beacon Object Files (BOFs) to extend functionality. No specific infection vector details or patches have been disclosed.

Mistic enables attackers to maintain persistent, stealthy access to compromised networks, allowing them to manipulate files, execute arbitrary code in memory, and steal credentials. This facilitates further malicious activities, including ransomware deployment by associated threat groups. Its in-memory execution and self-deletion capabilities hinder detection and forensic analysis, increasing the risk of prolonged undetected intrusions in targeted sectors.

No official patch or remediation guidance is currently available. Organizations should monitor vendor advisories for updates. Given the stealthy nature of Mistic and its use of legitimate executables for side-loading, detection may require advanced behavioral and memory analysis techniques. Incident response teams should focus on identifying indicators of compromise provided by Symantec and Zscaler reports and consider enhancing defenses against DLL side-loading and credential phishing via fake login prompts.