Mistic backdoor linked to KongTuke access broker
๐ก๏ธ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
