A previously undocumented Windows backdoor is silently running inside corporate networks across the insurance, education, IT, and professional services sectors — and your endpoint security software is almost certainly blind to it. Broadcom’s Symantec and Carbon Black Threat Hunter Team disclosed the malware on June 24, 2026, naming it Mistic and linking it to KongTuke, a financially motivated initial access broker that has supplied enterprise network access to six of the most active ransomware operations on the planet: Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Mistic runs entirely in process memory without writing any file to disk, and it carries a built-in kill switch that lets its operators delete it on command, erasing all forensic evidence before investigators can arrive. That combination means traditional endpoint security — which scans files on storage devices — has nothing to scan and therefore nothing to detect.
The backstory matters for understanding why this is a structural problem, not just a new malware name to add to a blocklist. KongTuke is not a ransomware gang. It is a criminal access brokerage: a group that breaks into corporate networks, establishes durable remote control, and then sells those footholds to ransomware affiliates on underground forums. The buyer gets a ready-made entry point. The broker gets paid. Symantec has linked KongTuke’s prior tooling to Qilin ransomware deployments, and Qilin alone has claimed more than 500 victims in 2026 — including healthcare systems, where a February 2026 attack on a key London National Health Service provider caused more than 170 cases of patient harm, including at least one patient death. Mistic is KongTuke’s newest and most sophisticated tool for establishing those footholds.
What KongTuke Actually Sells — and Why Mistic Makes It More Dangerous
KongTuke has operated since at least May 2024 under a half-dozen public tracking labels: 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat among them. The group’s business model is specialized: it does not deploy ransomware itself. Instead, it breaches enterprise environments, profiles the victim organization’s Active Directory footprint and network value, and lists the access for sale to ransomware affiliates. Symantec describes its targeting as “opportunistic” — KongTuke casts a wide net, and any organization in its path is a potential inventory item. Domain-joined Windows machines, which offer Active Directory access and lateral movement potential, receive the full treatment. The access broker operates like an industrial supplier, keeping footholds in stock.
Mistic raises that threat level because it gives KongTuke a persistence mechanism that is far harder to detect and remove than what came before. According to the Symantec and Carbon Black report, the backdoor runs payloads in memory with no file written to disk. Its kill switch lets operators delete the backdoor itself when needed, eliminating the artifact that forensic investigators would look for. Zscaler ThreatLabz, which first documented the malware in June 2026 under the name MLTBackdoor, confirmed in a technical analysis that approximately 95% of the backdoor’s code consists of junk mathematical operations inserted purely to confuse automated analysis tools. The actual malicious logic is buried inside that noise.
How Mistic Gets Past Windows Security: DLL Sideloading and a Defender Disguise
Mistic reaches its target through a technique called DLL sideloading — a method that exploits how Windows applications search for supporting code files, known as dynamic link libraries. The attacker places a malicious DLL in a location the target application expects to find a legitimate one. When Windows runs the legitimate app, it inadvertently loads the attacker’s code instead.
What makes Mistic’s implementation particularly effective is its choice of carrier. In the intrusions Symantec investigated, the infection began with the launch of MpExtMs.exe — a digitally signed, legitimate file that belongs to Microsoft Defender, the built-in Windows security software. A loader named version.dll intercepts two Windows functions, GetModuleFileNameW and LoadLibraryW, to ensure the process looks legitimate while forcing it to load a malicious DLL named EndpointDlp.dll — a name directly associated with Microsoft endpoint data loss prevention tooling. The process shows up in Windows process lists as a signed Microsoft security component. Security tools that check process signatures see exactly what the attacker wants them to see.
Once loaded into memory, Mistic supports standard remote access capabilities: file upload and download, file deletion and renaming, folder creation, and remote code execution. It adjusts its check-in frequency with its command-and-control server dynamically. A separate .NET DLL deployed alongside it in at least one confirmed intrusion displayed a fake Windows login screen to harvest user credentials.
The Technical Architecture Defenders Need to Understand
Zscaler’s full technical analysis reveals an evasion stack that goes considerably deeper than the sideloading entry point, and understanding each layer is necessary for building effective detection.
The backdoor communicates with its operators over TLS on port 443 — standard encrypted web traffic — using a custom binary protocol. Its user-agent string, Microsoft-Delivery-Optimization/10.1, is designed to look like routine Windows telemetry. The communication path is /api/v1/telemetry. To a network monitoring tool, that traffic looks like a Windows system checking in for updates.
The encryption protecting those communications uses an elliptic-curve Diffie-Hellman key exchange on the NIST P-256 curve, with a fresh key pair generated for every session. The shared secret is then hashed with SHA-256 to derive an AES-256-GCM session key, and each packet carries its own random 12-byte nonce. Because the private key material is regenerated for each session, decrypting the traffic at the network level is not feasible without it.
To avoid losing contact if its hardcoded command-and-control domains are taken down, the backdoor includes a domain generation algorithm. The DGA is date-seeded: it calculates a new domain name each day using a deterministic mathematical function, meaning the attacker’s infrastructure rotates daily. A blocklist updated yesterday is already one domain behind today’s communication channel.
To defeat endpoint detection and response tools — which work by hooking Windows API calls and watching for suspicious behavior — the backdoor uses a technique researchers call Hell’s Gate. Rather than calling Windows system functions through the standard API path that EDR products monitor, Mistic walks through ntdll.dll at startup, reads the system call numbers directly from the Windows kernel interface, and invokes those calls using CPU instructions that bypass the monitoring layer entirely. The EDR tool’s hooks never receive the call. Zscaler confirmed Mistic builds a runtime table of 31 kernel system call targets using this method.
Before reporting to its operators, the backdoor runs ten distinct anti-analysis checks. It examines whether it is running inside a virtual machine or sandbox by probing for VMware, VirtualBox, Xen, and KVM hypervisor signatures. It measures CPU timing to detect emulation. It checks for active debuggers and looks for the running processes of specific analysis tools — cross-referencing them against a hardcoded list of SHA-256 hashes — including x64dbg, Wireshark, IDA Pro, and Process Monitor. It checks available RAM and CPU count to identify analysis environments that under-provision hardware. The results of all ten checks are combined into a bitmask sent to the operator’s server alongside the initial check-in, giving the attacker a precise picture of whether the victim endpoint is a real corporate machine or a researcher’s sandbox.
The backdoor’s most significant capability expansion comes from its built-in loader for Beacon Object Files, or BOFs. Originally developed for the Cobalt Strike penetration testing framework, BOFs are small compiled programs that execute as position-independent code directly inside a running process — no new processes, no files written to disk. Mistic’s BOF loader is compatible with the standard Cobalt Strike BOF format and includes 19 additional wrappers that route file system and registry operations through its own Hell’s Gate indirect system calls, maintaining EDR evasion even during post-exploitation tasks. An operator who wants to add new capabilities to an already-deployed Mistic implant can deliver them as BOFs at runtime — entirely in memory, leaving no trace on the endpoint.
ClickFix, CrashFix, and Fake IT Helpdesk: How KongTuke Gets In
Mistic’s technical sophistication does not do any work until an employee hands the attacker their first foothold. KongTuke uses social engineering to manufacture that foothold, and has steadily refined its delivery methods since at least early 2025.
The group operates a traffic distribution system built on compromised WordPress sites. JavaScript injected into those sites profiles each visitor and serves tailored lures. The earliest variant, known as ClickFix, displayed fake browser error messages or CAPTCHA challenges instructing the visitor to paste a PowerShell command into the Windows Run dialog to “fix” the problem. The mid-2025 FileFix variant moved that instruction into the Windows File Explorer address bar. The early 2026 variant, CrashFix, was discovered by security firm Huntress in January 2026: it uses a malicious browser extension disguised as the legitimate ad blocker uBlock Origin Lite to deliberately crash the victim’s browser, then presents a fake repair prompt. Following the crash, a message instructs the user to run a command to restore functionality. Security researchers Anna Pham, Tanner Filip, and Dani Lopez at Huntress confirmed that CrashFix deployed ModeloRAT, KongTuke’s Python-based remote access trojan, exclusively on domain-joined corporate machines — prioritizing enterprise environments with Active Directory access.
Since April 2026, KongTuke has added a more direct approach: fake IT helpdesk scenarios delivered through Microsoft Teams. Attackers contact employees via external Teams chat messages, impersonate support staff, and walk them through a paste-and-run sequence. Security firms Rapid7 and ReliaQuest independently confirmed this vector. In documented cases, KongTuke rotated through multiple Microsoft 365 tenants over extended periods to stay ahead of reactive blocking, achieving persistent access within minutes of a victim complying with the instructions.
The two tools are often deployed together. In at least one confirmed intrusion documented by Symantec, Mistic was deployed in close proximity to ModeloRAT. ModeloRAT — a Python-based trojan that uses RC4 encryption for command-and-control communications, runs via a signed Python interpreter, and persists through Registry entries that mimic legitimate software names like “Spotify47” or “Adobe2841” — serves as the initial foothold. Mistic then deepens it. Symantec’s Threat Hunter Team has directly observed ModeloRAT used in attacks that culminated in Qilin ransomware deployment.
Why File-Based Endpoint Security Cannot Catch Mistic
The structural implication of Mistic’s design is not that it is one more malware sample to detect. It is that the combination of IAB specialization and in-memory backdoors breaks the two-stage defense model that most enterprise security programs rely on.
The traditional model has two components. First, perimeter security and email filtering stop initial access. Second, if something gets through, endpoint software scanning files on disk catches the malware before it establishes persistence. Mistic’s entire design is oriented around the second stage: because it executes payloads entirely in memory and writes nothing to disk, there is no file for endpoint software to scan. Because it can delete itself on command, there is no artifact left to discover during incident response. Because it uses Hell’s Gate indirect syscalls, it bypasses the API hooks that behavioral EDR tools use to observe process behavior. And because it runs inside a signed Microsoft process, it looks legitimate to every tool that checks process provenance.
This matters specifically because KongTuke’s targeting is explicitly opportunistic. Any organization — in any sector, at any size — with a Windows environment is a potential inventory item in KongTuke’s access brokerage. The group does not need to target you specifically. It needs to find you reachable, assess your network’s resale value, and sell the access.
No law enforcement action has yet disrupted KongTuke. Unlike SocGholish, which was taken down in a June 2026 Operation Endgame action, KongTuke remains fully operational as of this writing.
What Security Teams Should Do Right Now
Broadcom and Zscaler have published indicators of compromise for Mistic and MLTBackdoor respectively. Security teams should incorporate those IOCs into detection tooling immediately. Because the backdoor leaves no disk artifacts, detection requires a shift in approach.
Memory-based detection via endpoint detection and response tools capable of scanning process memory — not just file systems — is the primary technical defense. Specifically, security teams should monitor for MpExtMs.exe loading unexpected DLLs, particularly any DLL named EndpointDlp.dll or version.dll that appears in an unexpected directory. Processes communicating on port 443 with a Microsoft-Delivery-Optimization user-agent to non-Microsoft IP addresses or domains should trigger investigation.
Behavioral monitoring for the ClickFix and CrashFix delivery chain is the second line of defense. PowerShell commands spawned from browser processes, curl downloads initiated from Windows Run dialog execution, and the presence of portable Python environments in unusual directories are all indicators KongTuke has used consistently. Blocking external Microsoft Teams messages from unverified tenants — where business operations allow it — removes the most recently added delivery vector. User awareness training specifically covering fake IT helpdesk scenarios delivered over Teams is now as important as phishing awareness.
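As an added example (not code from the Symantec, Carbon Black or Zscaler reports), the following Python triage routine applies the detections described in the two paragraphs above to constructed Sysmon-style and proxy-log events: MpExtMs.exe loading version.dll or EndpointDlp.dll from an unexpected directory, the fake Delivery Optimization user-agent sent to a non-Microsoft host, and PowerShell spawned by a browser. The trusted-directory allowlist, the microsoft.com host allowlist and the event field names are assumptions; tune them to your own telemetry.

```python
import re
from pathlib import PureWindowsPath

# Directories from which version.dll / EndpointDlp.dll may legitimately load (assumption; tune per estate)
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\programdata\microsoft\windows defender\platform")
SIDELOAD_DLLS = {"version.dll", "endpointdlp.dll"}
MISTIC_UA = "Microsoft-Delivery-Optimization/10.1"          # user-agent named in the report
MICROSOFT_HOST = re.compile(r"(^|\.)microsoft\.com$", re.I)  # assumed destination allowlist
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def sideload_alert(ev):
    """Image-load event: MpExtMs.exe loading a sideload DLL from an untrusted directory."""
    host_exe = PureWindowsPath(ev["Image"]).name.lower()
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if host_exe != "mpextms.exe" or loaded.name.lower() not in SIDELOAD_DLLS:
        return None
    if str(loaded.parent).lower().startswith(TRUSTED_DLL_DIRS):
        return None  # same DLL name, but from where Windows/Defender normally keeps it
    return f"mistic-sideload: {ev['Image']} loaded {ev['ImageLoaded']}"

def c2_alert(ev):
    """Proxy log: Mistic's fake telemetry user-agent sent to a non-Microsoft host."""
    if ev["user_agent"] != MISTIC_UA or MICROSOFT_HOST.search(ev["host"]):
        return None
    return f"mistic-c2: {ev['host']}{ev['path']} on port {ev['dst_port']}"

def clickfix_alert(ev):
    """Process-create event: PowerShell spawned directly by a browser (ClickFix/CrashFix chain)."""
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    child = PureWindowsPath(ev["Image"]).name.lower()
    if child == "powershell.exe" and parent in BROWSERS:
        return f"clickfix-chain: {parent} -> {child}"
    return None

DETECTORS = {"image_load": sideload_alert, "http": c2_alert, "process": clickfix_alert}

def run_detections(events):
    """Apply the matching detector to each event; return the alerts raised, in order."""
    return [hit for ev in events if (hit := DETECTORS[ev["type"]](ev))]

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"type": "image_load", "Image": r"C:\Users\Public\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll"},                          # alert
    {"type": "image_load", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                      # benign
    {"type": "http", "host": "update-cdn.example.invalid", "path": "/api/v1/telemetry",
     "dst_port": 443, "user_agent": MISTIC_UA},                               # alert
    {"type": "http", "host": "dl.delivery.mp.microsoft.com", "path": "/",
     "dst_port": 443, "user_agent": MISTIC_UA},                               # benign
    {"type": "process", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <constructed placeholder>"},              # alert
]
if __name__ == "__main__":
    print("\n".join(run_detections(SAMPLE_EVENTS)))
```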
The DGA means that blocklisting current KongTuke command-and-control domains provides only single-day protection. The domain changes daily. Detection must be based on behavior, not addresses.
Frequently Asked Questions
What is an initial access broker, and why is KongTuke particularly dangerous?
An initial access broker is a cybercriminal group that specializes in breaking into corporate networks and selling that access to other criminals — typically ransomware gangs — rather than deploying ransomware themselves. KongTuke is particularly dangerous because it has supplied enterprise network access to six of the most active ransomware operations currently working: Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. That means a single successful KongTuke intrusion can eventually result in any of those groups encrypting the victim’s systems and demanding a ransom. Qilin alone claimed more than 500 victims in 2026 and has been directly linked to patient harm in hospital attacks.
How does ClickFix malware infect corporate networks, and how do I protect against it?
ClickFix is a social engineering technique where attackers compromise legitimate websites — typically WordPress-based small business sites — and inject JavaScript that displays fake browser errors, broken CAPTCHA prompts, or other messages instructing visitors to paste a command into Windows and run it. The command installs malware. KongTuke has evolved this approach into CrashFix, which deliberately crashes the browser first, and since April 2026, into fake IT helpdesk scenarios delivered via Microsoft Teams external messages. Protection requires user awareness training that covers paste-and-run social engineering specifically, blocking external Teams messages from unverified tenants, and monitoring for PowerShell processes spawned from browser or Run dialog execution.
Why can my endpoint security software miss fileless malware like Mistic?
Most traditional endpoint security software works by scanning files stored on a device’s hard drive or SSD, matching their contents against a database of known malicious signatures. Fileless malware like Mistic never writes executable code to storage — it loads directly into process memory and runs there. There is no file to scan. Mistic also uses a technique called Hell’s Gate to bypass the behavioral monitoring hooks that more advanced endpoint detection and response tools rely on, and its self-delete kill switch means it can remove itself before an investigator arrives. Effective defense against Mistic requires EDR tools capable of scanning process memory directly and monitoring for behavioral indicators — what processes are doing — rather than what files are present.
What is the larger significance of a ransomware access broker developing custom in-memory malware?
Until recently, most ransomware-related intrusions relied on living off the land — using legitimate Windows tools like PowerShell, certutil, and WMIC rather than custom malware, which is more likely to trigger detection. Both Symantec and CSO Online note that Mistic represents a shift: access brokers and ransomware groups are increasingly developing sophisticated custom tools. The significance is that organizations which rely on detecting known malware signatures are falling further behind. A custom, freshly developed backdoor like Mistic has no prior detection signature. Combined with its in-memory execution and self-erase capability, it can persist in a network for an extended period before any alert fires — and when it is finally detected, the forensic record it would have left is already gone.
