{
  "name": "Technical Analysis of MLTBackdoor",
  "slug": "technical-analysis-of-mltbackdoor",
  "description": "In May 2026, a new malware family named MLTBackdoor was identified, likely leveraged by ransomware-related threat actors to establish footholds for lateral movement. Delivered through multi-stage ClickFix infection chains targeting automotive-related web pages, this backdoor employs sophisticated obfuscation techniques including Mixed Boolean-Arithmetic and Control Flow Flattening. MLTBackdoor features indirect system calls, API hashing, and extensive anti-analysis checks that detect debuggers and sandboxed environments. Its capabilities include filesystem operations and a powerful Beacon Object File loader that dynamically expands its functionality. The malware uses custom encrypted binary protocols over TLS with Elliptic-Curve Diffie-Hellman key exchange for command-and-control communications. Additionally, it implements a deterministic date-based Domain Generation Algorithm to maintain command-and-control connectivity when hardcoded C2 domains become unreachable, demonstrating advanced resilience against takedown attempts.",
  "published": "2026-06-09T20:11:50.115000+00:00",
  "created_at": "2026-06-10T11:00:30.115000+00:00",
  "modified_at": "2026-06-10T09:00:30+00:00",
  "created_at_opencti": "2026-06-10T11:00:30.115000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "bof loader",
    "clickfix",
    "mltbackdoor",
    "obfuscation",
    "ransomware"
  ],
  "tags": [
    "2026-06-09",
    "bof loader",
    "clickfix",
    "mltbackdoor",
    "obfuscation",
    "ransomware"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "c03e200c-ee02-4893-99fe-bd3c4582883c",
        "name": "9e8777661a1ad9c983f03060f0a04a3244daac8c3639b3eb1bbce29355bc6c10"
      },
      {
        "id": "34091aa0-1a27-4025-95a7-37be1c9fb77a",
        "name": "ac66c2d47cdefb221822b9074c9810434e8da702a0694139aa9177557e6b292b"
      },
      {
        "id": "e01baf59-9ead-47af-8331-912eddf8352b",
        "name": "2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494"
      },
      {
        "id": "e1f0e2a5-5896-470f-ab03-262eaf6d742e",
        "name": "46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93"
      },
      {
        "id": "9b70b516-445a-4e56-964b-bc22ad411d2a",
        "name": "ed80408eb9092301e628791e7a9a2e86c6f496a9afd7b56d7c1a1684b1b87251"
      },
      {
        "id": "0d49bc0c-90f9-4f94-9df3-eef84a0647b9",
        "name": "d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b"
      },
      {
        "id": "98f14a71-f026-4a82-9282-d8b70549ca3a",
        "name": "a5a5b6257304eefe5212edfd8c0ad27f77357c5046a7acb8eb7ba72ed4bad9e0"
      },
      {
        "id": "79170c10-460b-4abd-8d63-721049a9c142",
        "name": "fc8649547ad0ece93ad82de75cb6b875be0873774de89b78546c9a66d2043087"
      },
      {
        "id": "91e1d68e-b5d9-4aef-9978-67f523d4fb4d",
        "name": "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984"
      },
      {
        "id": "3b00be96-ffd1-4ca6-9c7f-133b824cf232",
        "name": "b2e1f5aedb049092135e90c153f5bd386aa81cd2df355d90912dcba33c3176e5"
      },
      {
        "id": "31547c04-2d37-4b81-891d-be111438880d",
        "name": "0ca2edf9982f58e63cc49ba69fb9a88762d1f220ed9482810b512d4add0f8f0b"
      },
      {
        "id": "577dc356-6704-4b76-9048-5dc0d458e681",
        "name": "http://powwowski.com/payloads/update.zip"
      },
      {
        "id": "38827981-8a63-4a3a-a5ed-4bb9ce6afafe",
        "name": "6870e3bbf2447c96d21682caf943cf31c2e8c21c8cfb91a5092eab1c9e5f19ae"
      },
      {
        "id": "f8cd828a-ab5e-4085-95fc-6d6c7281f786",
        "name": "ab0541672b57cd3b7e8c973fb9fcbecd18b7fe14c1c2f571e7a2f2921919b500"
      },
      {
        "id": "29a5b543-eeae-4339-8d27-c353084de735",
        "name": "carrolc.com"
      },
      {
        "id": "8f12d10a-30e2-4d80-97c6-e75ad6a3f5c0",
        "name": "687968b820fd7a6bedb03d644410c663b1720ad76519e2dcf98d61df498470df"
      },
      {
        "id": "0bf07186-7b0e-4663-b3a0-146c418db0dd",
        "name": "hrs2y15sungu.com"
      },
      {
        "id": "da40dae3-c686-4a5e-89e5-175a6170f44c",
        "name": "fe8557d454adc7a91162495628d269738b92b4b5d7e5d620fc3f38c27a9a41a7"
      },
      {
        "id": "1bf793cc-bf06-4e8d-a909-47fe7e1aa34c",
        "name": "d51ce268a585657226510586e47c58a47cee2f2bf2049008760c58dc4e6ba650"
      },
      {
        "id": "500e9f92-f04a-4582-b37a-d768001c4984",
        "name": "9c8384f93b9d347a716ea3e55b9a01250473f667b95d467126c048256b0049e9"
      },
      {
        "id": "228aa7b5-7560-4542-8348-501c00e89142",
        "name": "1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf"
      },
      {
        "id": "85d246e4-a3f1-4ece-b9aa-0867b91236fb",
        "name": "0f7463aecc3920f9e2b32ab9d77861a9e69a3e8aa28d06b4602195623312331d"
      },
      {
        "id": "a9d1e40c-cd5c-4ea5-9f06-5e63d8c1408c",
        "name": "75635009a00cb26d2f532ad974ede59785a18e4b30132a1f585108589394ba5a"
      },
      {
        "id": "4515cf9b-8056-4d0e-b1c4-0d194400da66",
        "name": "https://hrs2y15sungu.com/d&pushd"
      },
      {
        "id": "0b24e7dd-8478-4cb6-b8e0-00af318900ac",
        "name": "4c357a29b202b77e7db190d359ead2dfd3f8869c6808b96bfa8bee82525bb2a2"
      },
      {
        "id": "7a561dfe-b29b-42b1-8140-dd67518c6790",
        "name": "b32461077b2e04145b87e9b5177a331dfd2248b81570aa96b9a302dffe643f70"
      },
      {
        "id": "be1f86c1-bd42-488b-9b77-f1291afa3664",
        "name": "thomphon.com"
      },
      {
        "id": "7f30aed5-d60a-41dc-9c14-10bbb18231e7",
        "name": "57cfa4cbf3d6cbd13973bbf0625bfa6d20677abb0a6e6bec9a6bf587799b56fa"
      },
      {
        "id": "706265c0-2735-4daf-b973-681c622f6816",
        "name": "e063358d88290c5d05d58594da341690024cf7fa57408a3874899f10e56d8bc8"
      },
      {
        "id": "b43b101f-ba2c-4a36-a64c-35c9c0750120",
        "name": "9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66"
      },
      {
        "id": "47a9f7ee-8cf4-43ff-98dd-9bb7b9bb8ce1",
        "name": "cwrtwright.com"
      },
      {
        "id": "935503dd-9e5a-4841-af20-e5a75f172fc3",
        "name": "powwowski.com"
      },
      {
        "id": "270a13dd-1ac2-4404-8b1a-96e80e635999",
        "name": "d8f291a459c1acc53f9c8dccb1049bfe2d3b00c7a86d50542dc7fd7b0628ea6a"
      },
      {
        "id": "1f4d5fd1-b8ac-44d2-8aee-d1913959ec86",
        "name": "ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec"
      }
    ],
    "attack_patterns": [
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "02abb0a8-0ebf-433b-987f-e25675af60d6",
        "name": "T1055.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "b55f705d-087e-4929-96da-a925e5f186fc",
        "name": "T1564.004"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c998d878-b668-40dd-a84c-9ca7f73caaa4",
        "name": "T1497.003"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "bca9d14c-69fc-4211-8045-c29468ecd7aa",
        "name": "MLTBackdoor",
        "slug": "mltbackdoor"
      }
    ],
    "observables": [
      {
        "id": "e8a8929e-de0c-4338-a030-bc671a4eee19",
        "name": "powwowski.com"
      },
      {
        "id": "9626476b-d35a-4792-b5e3-4d44781554e0",
        "name": "cwrtwright.com"
      },
      {
        "id": "dafa7691-7ec8-476f-a910-be2f167b03a1",
        "name": "carrolc.com"
      },
      {
        "id": "786d53be-c4ed-44b2-a778-44c753a87354",
        "name": "thomphon.com"
      },
      {
        "id": "abd1bb63-e6c4-4558-9e38-56b396836491",
        "name": "hrs2y15sungu.com"
      },
      {
        "id": "42e6266e-ba0d-4275-a31a-d03ffebefa69",
        "name": "http://powwowski.com/payloads/update.zip"
      },
      {
        "id": "a55035a0-7f69-44d4-b0e7-ead0e1bda569",
        "name": "https://hrs2y15sungu.com/d&pushd"
      },
      {
        "id": "",
        "name": "9e8777661a1ad9c983f03060f0a04a3244daac8c3639b3eb1bbce29355bc6c10"
      },
      {
        "id": "",
        "name": "ac66c2d47cdefb221822b9074c9810434e8da702a0694139aa9177557e6b292b"
      },
      {
        "id": "",
        "name": "2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494"
      },
      {
        "id": "",
        "name": "46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93"
      },
      {
        "id": "",
        "name": "ed80408eb9092301e628791e7a9a2e86c6f496a9afd7b56d7c1a1684b1b87251"
      },
      {
        "id": "",
        "name": "d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b"
      },
      {
        "id": "",
        "name": "a5a5b6257304eefe5212edfd8c0ad27f77357c5046a7acb8eb7ba72ed4bad9e0"
      },
      {
        "id": "",
        "name": "fc8649547ad0ece93ad82de75cb6b875be0873774de89b78546c9a66d2043087"
      },
      {
        "id": "",
        "name": "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984"
      },
      {
        "id": "",
        "name": "b2e1f5aedb049092135e90c153f5bd386aa81cd2df355d90912dcba33c3176e5"
      },
      {
        "id": "",
        "name": "0ca2edf9982f58e63cc49ba69fb9a88762d1f220ed9482810b512d4add0f8f0b"
      },
      {
        "id": "",
        "name": "6870e3bbf2447c96d21682caf943cf31c2e8c21c8cfb91a5092eab1c9e5f19ae"
      },
      {
        "id": "",
        "name": "ab0541672b57cd3b7e8c973fb9fcbecd18b7fe14c1c2f571e7a2f2921919b500"
      },
      {
        "id": "",
        "name": "687968b820fd7a6bedb03d644410c663b1720ad76519e2dcf98d61df498470df"
      },
      {
        "id": "",
        "name": "fe8557d454adc7a91162495628d269738b92b4b5d7e5d620fc3f38c27a9a41a7"
      },
      {
        "id": "",
        "name": "d51ce268a585657226510586e47c58a47cee2f2bf2049008760c58dc4e6ba650"
      },
      {
        "id": "",
        "name": "9c8384f93b9d347a716ea3e55b9a01250473f667b95d467126c048256b0049e9"
      },
      {
        "id": "",
        "name": "1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf"
      },
      {
        "id": "",
        "name": "0f7463aecc3920f9e2b32ab9d77861a9e69a3e8aa28d06b4602195623312331d"
      },
      {
        "id": "",
        "name": "75635009a00cb26d2f532ad974ede59785a18e4b30132a1f585108589394ba5a"
      },
      {
        "id": "",
        "name": "4c357a29b202b77e7db190d359ead2dfd3f8869c6808b96bfa8bee82525bb2a2"
      },
      {
        "id": "",
        "name": "b32461077b2e04145b87e9b5177a331dfd2248b81570aa96b9a302dffe643f70"
      },
      {
        "id": "",
        "name": "57cfa4cbf3d6cbd13973bbf0625bfa6d20677abb0a6e6bec9a6bf587799b56fa"
      },
      {
        "id": "",
        "name": "e063358d88290c5d05d58594da341690024cf7fa57408a3874899f10e56d8bc8"
      },
      {
        "id": "",
        "name": "9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66"
      },
      {
        "id": "",
        "name": "d8f291a459c1acc53f9c8dccb1049bfe2d3b00c7a86d50542dc7fd7b0628ea6a"
      },
      {
        "id": "",
        "name": "ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "carrolc.com"
      },
      {
        "id": "",
        "name": "hrs2y15sungu.com"
      },
      {
        "id": "",
        "name": "thomphon.com"
      },
      {
        "id": "",
        "name": "cwrtwright.com"
      },
      {
        "id": "",
        "name": "powwowski.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "5b0c0f23-1a9e-46cb-98b9-89005424d7fe",
      "standard_id": "external-reference--6c903ec1-3fa7-5ca4-a66b-48ba5899b9f5",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor",
      "hash": null,
      "external_id": null,
      "created": "2026-06-10T11:00:30.046Z",
      "modified": "2026-06-10T11:00:30.046Z",
      "createdById": null
    },
    {
      "id": "14abe9ee-e2be-419c-a02e-4557af74f263",
      "standard_id": "external-reference--e8808fc3-171e-51cd-a710-d9ed0354ba5d",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a28738628b044b8202032a9",
      "hash": null,
      "external_id": "6a28738628b044b8202032a9",
      "created": "2026-06-10T11:00:30.020Z",
      "modified": "2026-06-10T11:00:30.020Z",
      "createdById": null
    }
  ]
}