New Backdoor May be Linked to Ransomware Access Broker
Essential information
- Published
- 24/06/2026 15:40
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- backdoor.mistic credential stealer d3f@ck loader gatekeeper initial access broker mintsloader modelorat nexshield qilin ransomware sideloading social-engineering
- Related entities
- 37 indicators, 28 observables, 1 intrusion sets (apt), 20 techniques (mitre), 6 malware
Description
A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026, potentially linked to Woodgnat, an initial access broker associated with multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. Mistic was deployed alongside ModeloRAT in at least one case, a tool developed by Woodgnat. The backdoor uses sideloading techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across insurance, education, IT and professional services sectors. Woodgnat operates as an IAB, establishing durable remote access within enterprises and selling this access to ransomware affiliates, using various social-engineering techniques including ClickFix, FileFix and CrashFix lures delivered through compromised WordPress sites.