New Backdoor May be Linked to Ransomware Access Broker

A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026 and is potentially linked to Woodgnat, an initial access broker (IAB) associated with multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. In at least one case, Mistic was deployed alongside ModeloRAT, a tool developed by Woodgnat. The backdoor uses sideloading techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across the insurance, education, IT and professional services sectors. Woodgnat operates as an IAB: it establishes durable remote access within enterprises and sells this access to ransomware affiliates. It uses various social-engineering techniques, including ClickFix, FileFix and CrashFix lures delivered through compromised WordPress sites.

Pulse ID: 6a3bde32e46aafdb90f9593b
Pulse Link: https://otx.alienvault.com/pulse/6a3bde32e46aafdb90f9593b
Pulse Author: AlienVault
Created: 2026-06-24 13:40:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#8Base #Akira #BackDoor #BlackBasta #CyberCrime #CyberSecurity #ELF #Education #InfoSec #Microsoft #OTX #OpenThreatExchange #RAT #RDP #RansomWare #Rhysida #SideLoading #Word #Wordpress #bot #AlienVault
