216.73.217.172

New Backdoor May be Linked to Ransomware Access Broker

· Published 24/06/2026 15:40

Export JSON

Essential information

Published
24/06/2026 15:40
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
backdoor.mistic credential stealer d3f@ck loader gatekeeper initial access broker mintsloader modelorat nexshield qilin ransomware sideloading social-engineering
Related entities
37 indicators, 28 observables, 1 intrusion sets (apt), 20 techniques (mitre), 6 malware

Description

A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026, potentially linked to Woodgnat, an associated with multiple operations including , Interlock, Rhysida, Akira, 8Base and Black Basta. Mistic was deployed alongside in at least one case, a tool developed by Woodgnat. The backdoor uses techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across insurance, education, IT and professional services sectors. Woodgnat operates as an IAB, establishing durable remote access within enterprises and selling this access to affiliates, using various techniques including ClickFix, FileFix and CrashFix lures delivered through compromised WordPress sites.

External references