Cybersecurity researchers at Symantec and Zscaler disclosed on June 25, 2026 a newly identified backdoor named Mistic that has been active in targeted intrusions since at least April. The malware is operated by KongTuke, also tracked as Woodgnat, an initial access broker that specialises in compromising corporate networks and auctioning persistent access to ransomware crews.
What makes Mistic different
Most malware families write artefacts to disk during execution. Mistic does not. The backdoor runs its payloads entirely in memory, and it carries a kill switch that allows the operator to trigger self-deletion at any point during or after an intrusion. Symantec warned that this design makes Mistic largely invisible to traditional file-based endpoint detection tools.
Security teams relying on signature scanning of file system artefacts will not catch it. The self-destructing capability also means that by the time an organisation begins forensic investigation, the malware may have already erased itself from the affected host, leaving minimal indicators for incident response teams to work from.
Mistic also supports loading Beacon Object Files (BOFs), allowing operators to extend the backdoor’s capabilities at runtime without deploying additional executables. This gives KongTuke and its clients a high degree of operational flexibility once inside a network.
Who is being targeted
Mistic has been observed in intrusions against organisations in insurance, education, IT, and professional services. These sectors are consistent with KongTuke’s business model: high-value corporate networks with sensitive data and the financial capacity to pay large ransoms.
KongTuke does not conduct ransomware attacks itself. It sells the access. Ransomware groups documented as purchasing access from KongTuke include Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The presence of Mistic on a network is therefore not a contained threat. It is an early indicator that a ransomware group has, or shortly will have, an operational foothold.
How it gets in
Zscaler observed Mistic being delivered via ClickFix infection chains, a social engineering technique where users are deceived into running malicious commands under the guise of fixing a browser or software error. In separate confirmed cases, Mistic was deployed shortly after ModeloRAT, another KongTuke backdoor delivered through Microsoft Teams messages impersonating internal IT support staff.
Both delivery mechanisms exploit trust rather than technical vulnerabilities in software. Users trust browser prompts that resemble legitimate error dialogs. Employees trust Teams messages from accounts that appear to belong to internal colleagues or helpdesk personnel. Neither method requires a traditional software exploit.
Why standard defences fall short
The combination of fileless execution and self-deletion creates a detection gap for organisations that depend on:
- Antivirus and endpoint detection tools that scan file system artefacts
- Log analysis that does not extend to in-memory process behaviour and injection patterns
- Email and messaging gateways that inspect attachments but not the social engineering context of inbound messages
- Incident response processes that assume malware artefacts will persist long enough to be collected
Catching Mistic requires behavioural detection focused on process injection, in-memory code execution, anomalous outbound command-and-control connections, and lateral movement patterns. It also requires prompt investigation of early indicators before the kill switch is triggered.
Practical steps for organisations
Organisations in the targeted sectors should assess whether their current endpoint security performs behavioural detection rather than relying primarily on file signatures. Reviewing how Microsoft Teams external message permissions are configured, and whether employees understand and can identify ClickFix-style social engineering, is a practical near-term step.
Detection of threats like Mistic requires a layered approach: network traffic analysis to catch command-and-control beaconing, endpoint behavioural monitoring to catch in-memory execution, and Teams security policies that limit what external senders can do.
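As an added example (not code from the article, Symantec or Zscaler), the following Python sketches two of the behavioural signals that the detection gap and layered approach described above rely on: a running process whose executable image is no longer present on disk, and outbound connections from one process at near-constant intervals. The telemetry records and their field names are constructed for illustration and are not any vendor's schema.

```python
# Added example: behavioural checks over constructed endpoint and network telemetry.
# Signal 1: a process whose image file is absent on disk (fileless or self-deleted).
# Signal 2: outbound connections at regular intervals (command-and-control beaconing).
from statistics import mean, pstdev

# Constructed sample telemetry; field names are an assumption, not a real EDR schema.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe", "image_on_disk": True},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "image_on_disk": False},
    {"pid": 5012, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "image_on_disk": True},
]
NET_EVENTS = [  # (pid, epoch seconds of an outbound connect); constructed values
    (7788, 1000), (7788, 1060), (7788, 1119), (7788, 1181), (7788, 1240),
    (5012, 1000), (5012, 1003), (5012, 1090), (5012, 1091), (5012, 1400),
]

def unbacked_processes(events):
    """Return pids whose executable image is not present on disk."""
    return [e["pid"] for e in events if not e["image_on_disk"]]

def beaconing_pids(net_events, min_connections=4, max_cv=0.15):
    """Return pids whose connection gaps are regular enough to look like a beacon.

    cv is stdev/mean of the inter-connection gaps; low jitter gives a low cv.
    Interactive browsing (pid 5012 above) produces bursty, irregular gaps."""
    by_pid = {}
    for pid, ts in net_events:
        by_pid.setdefault(pid, []).append(ts)
    flagged = []
    for pid, times in by_pid.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged.append(pid)
    return flagged

def correlate(process_events, net_events):
    """Highest-priority alerts: processes that are both unbacked on disk and beaconing."""
    unbacked = set(unbacked_processes(process_events))
    return sorted(unbacked & set(beaconing_pids(net_events)))

if __name__ == "__main__":
    print("unbacked:", unbacked_processes(PROCESS_EVENTS))
    print("beaconing:", beaconing_pids(NET_EVENTS))
    print("both:", correlate(PROCESS_EVENTS, NET_EVENTS))
```

The thresholds (four connections, 15% jitter) are starting points to tune against a baseline of normal traffic, since legitimate update agents also poll on fixed schedules.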
If your organisation wants an independent assessment of its detection coverage against modern fileless threats, needs a review of its endpoint and network monitoring architecture, or is evaluating its Microsoft Teams security configuration, contact Excello Digital. We help organisations identify the detection gaps that access brokers like KongTuke exploit, and put in place the monitoring capabilities needed to catch intrusions before ransomware is deployed.
