🟠 High | Source: The Hacker News
A newly identified backdoor called Mistic (also tracked as MLTBackdoor) has been used in financially motivated attacks against organisations in insurance, education, IT, and professional services since April 2026. It is linked to an initial access broker (IAB) connected to the KongTuke threat cluster, and has been deployed alongside ClickFix social engineering techniques and a remote access tool called ModeloRAT. The campaign represents a sophisticated multi-stage intrusion chain that poses a significant threat to enterprise environments across multiple sectors.
Security Architect’s Take: Review endpoint detection coverage for ClickFix-style lure delivery mechanisms and ensure EDR policies flag unusual process chains spawned from browser or Office processes. Validate that cloud workloads and remote access tooling (VPNs, remote desktop gateways) have MFA enforced and are monitored for lateral movement indicators consistent with IAB-style initial access.
Original advisory: New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
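The process-chain check recommended in the architect's take can be sketched as follows. This is an added example, not code from the advisory or any EDR product; the event fields (`pid`, `ppid`, `image`), the two process-name lists and the sample events are assumptions constructed for illustration. It walks the full ancestry, so a script host launched through an intermediate shell is still attributed to the browser or Office process that started the chain.

```python
import ntpath

# Assumed name lists for illustration; tune to the estate being monitored.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": CHROME},
    {"pid": 210, "ppid": 200, "image": CHROME},  # browser child process: benign
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 310, "ppid": 300, "image": PS},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 500, "ppid": 100, "image": PS},  # launched from the shell: not flagged
]

def lineage(pid, by_pid, max_depth=8):
    """Return image names from the process up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)  # guards against loops caused by PID reuse
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious_chains(events):
    """Flag script hosts and shells that descend from a browser or Office app."""
    # A production pipeline should key on a unique process ID, not a raw PID.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = lineage(e["pid"], by_pid)
        if chain[0] not in SUSPECT_CHILDREN:
            continue
        origin = next((a for a in chain[1:] if a in LURE_PARENTS), None)
        if origin:
            alerts.append({"pid": e["pid"], "origin": origin,
                           "chain": " > ".join(reversed(chain))})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert["pid"], alert["origin"], alert["chain"])
```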