Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomwareUsed by 2 actors

Backdoor.Mistic

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
KongTuke

Backdoor.Mistic is a new, stealthy backdoor that has been used in cybercrime intrusions since April 2026. Mistic was in one case deployed in close proximity to ModeloRAT... The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself.

via symantec blogsecurity.com
Woodgnat

Backdoor.Mistic is a new, stealthy backdoor that has been used in cybercrime intrusions since April 2026. Mistic was in one case deployed in close proximity to ModeloRAT... The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself.

via symantec blogsecurity.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

4 techniques
T1059Command and Scripting InterpreterEvidence1

Mistic provides attackers with typical capabilities, including ... code execution.

T1059.001PowerShellEvidence1

In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment and launches the ModeloRAT Python scripts.

T1204User ExecutionEvidence1

ClickFix... trick users into pasting malicious scripts into the Windows Run dialog... FileFix... trick users into manually pasting and executing malicious commands directly inside the Windows File Explorer address bar... CrashFix... trick them into manually executing code... In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command.

T1574.001DLLEvidence1

A loader (version.dll) hooks GetModuleFileNameW and LoadLibraryW. The GetModuleFileNameW hook makes sure that the path mpextms.exe is pointed to the legitimate location of mpextms.exe. The LoadLibraryW hook makes sure it loads the malicious EndpointDlp.dll, which is Backdoor.Mistic.

Stealth

3 techniques
T1036MasqueradingEvidence1

loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software... Persistence is established through several redundant mechanisms, including Run-key entries that masquerade as legitimate remote-access software, using names such as AnyDesk, Splashtop and Comms.

T1574.001DLLEvidence1

A loader (version.dll) hooks GetModuleFileNameW and LoadLibraryW. The GetModuleFileNameW hook makes sure that the path mpextms.exe is pointed to the legitimate location of mpextms.exe. The LoadLibraryW hook makes sure it loads the malicious EndpointDlp.dll, which is Backdoor.Mistic.

T1620Reflective Code LoadingEvidence1

The backdoor can run remote payloads directly in memory... Execute code from C2 in memory (no file saved on the disk).

Credential Access

1 technique
T1056Input CaptureEvidence1

A .NET DLL is also loaded on the victim network. This is a credential stealer that displays a fake login screen.

Collection

1 technique
T1056Input CaptureEvidence1

A .NET DLL is also loaded on the victim network. This is a credential stealer that displays a fake login screen.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence2

Mistic provides attackers with typical capabilities, including file download and upload... Additional tools observed in the intrusion include ... Certutil ... for ... file download...

INDICATORS OF COMPROMISE

IOCs tracked for this family

37 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
29 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
7 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
ip.v4●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
hash.sha256●●●●●●●●●●●●View more in apptoday
hash.sha256●●●●●●●●●●●●View more in apptoday
ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching37

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.