Technical Analysis of MLTBackdoor
Essential information
- Published: 09/06/2026 22:11
- Modified: 10/06/2026 11:00
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: bof, loader, clickfix, mltbackdoor, obfuscation, ransomware
- Tags: 2026-06-09, bof, loader, clickfix, mltbackdoor, obfuscation, ransomware
- Related entities: 34 indicators, 34 observables, 19 techniques (MITRE), 1 malware, 5 others
Description
In May 2026, a new malware family named MLTBackdoor was identified, likely leveraged by ransomware-related threat actors to establish footholds for lateral movement. Delivered through multi-stage ClickFix infection chains targeting automotive-related web pages, the backdoor employs sophisticated obfuscation techniques, including Mixed Boolean-Arithmetic (MBA) and Control Flow Flattening (CFF). MLTBackdoor uses indirect system calls and API hashing, and performs extensive anti-analysis checks to detect debuggers and sandboxed environments. Its built-in capabilities include filesystem operations and a powerful Beacon Object File (BOF) loader that dynamically expands its functionality. For command-and-control (C2) communications, the malware uses custom encrypted binary protocols over TLS with Elliptic-Curve Diffie-Hellman key exchange. Additionally, it implements a deterministic, date-based Domain Generation Algorithm (DGA) to maintain persistence when its hardcoded C2 domains become unreachable, demonstrating advanced resilience against takedown attempts.