New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

Summary

A new, stealthy backdoor named Mistic (also tracked as MLTBackdoor) has been deployed in suspected financially motivated attacks since April 2026. These campaigns, linked to initial access broker KongTuke and associated with ClickFix and ModeloRAT operations, target organizations across insurance, education, IT, and professional services sectors.

IFF Assessment

FOE

The emergence and active deployment of a new, stealthy backdoor (Mistic) in financially motivated attacks pose a significant threat to organizations across multiple sectors.

Defender Context

Defenders should be aware of the Mistic backdoor and the tactics, techniques, and procedures (TTPs) threat actors use with it in campaigns like ClickFix and ModeloRAT. Proactive threat hunting for indicators of compromise (IoCs) related to this backdoor, together with stronger defenses against the common initial access vectors exploited by financially motivated groups, is crucial to mitigating risk.
