Threats | 5 min read | 25 June 2026

Mistic Backdoor: How an Access Broker Is Selling Footholds to Qilin, Akira, and Black Basta

A threat group called Woodgnat has deployed a custom in-memory backdoor since at least April 2025, quietly auctioning enterprise access to some of the most active ransomware gangs operating today.

Elena Fischer, Threat Intelligence Analyst

A custom backdoor named Mistic has been active inside insurance, education, IT, and professional-services organizations since at least April 2025, planted by an initial access broker (IAB) tracked as Woodgnat — also known as KongTuke — which sells confirmed network footholds to ransomware operators including Qilin, Akira, Black Basta, Rhysida, 8Base, and Interlock.

Who Is Woodgnat?

Woodgnat is not a ransomware group. It is a supplier. The group breaks into a target, confirms the network is valuable, and sells that access to the highest bidder. IABs are not new — Verizon's 2024 Data Breach Investigations Report found that external actors are behind 65% of breaches and that stolen credentials remain the single most common entry path. What *is* new about Woodgnat is the custom tooling it now ships with those intrusions.

Historically, brokers have leaned on commodity loaders and built-in system tools: PowerShell, certutil, curl, reg.exe, WMIC. Living-off-the-land techniques are cheap and leave minimal forensic artifacts. Custom implants signal something different — a maturing operation that needs durable, stealthy persistence, not just a quick interactive shell.

Symantec's Threat Hunter Team published research this week detailing Mistic and the broader Woodgnat toolkit. The group has been active since at least May 2024.

How Mistic Works

The DLL Sideload Chain

The infection mechanism exploits a well-documented but persistently abused weakness: DLL sideloading. Woodgnat drops a legitimately signed Microsoft Defender binary, `MpExtMs.exe`. When that process launches, it searches for `version.dll` — and finds a malicious copy the attackers planted in the same directory. That DLL loads `EndpointDlp.dll`, which is actually Mistic.

The result is an implant running inside a Microsoft-signed process, disguised as a Microsoft data-loss-prevention component, executing entirely in memory. There is no file written to disk for an endpoint agent to scan on creation. If your EDR relies primarily on on-write scanning, it will not fire.

Once resident in memory, Mistic connects to a command-and-control server, executes shellcode, moves and exfiltrates files, and carries a kill switch that lets operators clean up before forensics teams can acquire artifacts. A credential-stealing .NET DLL and ModeloRAT — a Python-based remote-access tool also linked to Woodgnat — have been observed alongside Mistic on victim networks. The Qilin connection emerged specifically through ModeloRAT deployments in recent campaigns.

The Human Door: ClickFix Social Engineering

None of that tooling matters if Woodgnat cannot get a foothold in the first place. The initial vector is ClickFix social engineering — a technique that bypasses most technical controls entirely because it asks the user to run the malicious command themselves.

Fake CAPTCHA pages instruct visitors to paste a command into Run or PowerShell to "verify" they are human. Browser-crash lures push similar paste-and-execute sequences. Since April 2025, Woodgnat has added a Microsoft Teams impersonation variant: attackers contact employees through Teams posing as internal IT support, then walk targets through pasting and running commands that install the Mistic chain.

That Teams vector deserves immediate attention from platform and security teams. Most organizations have external Teams federation enabled by default, meaning anyone with a Microsoft 365 tenant can initiate a chat with your employees. Almost no one audits those inbound federation connections. Woodgnat is exploiting exactly that gap.

Which Controls Failed?

Two control categories failed here, and neither is exotic.

First, user-facing social engineering defense. ClickFix works because employees are not trained to recognize the specific pattern: a webpage or chat message asking them to open a terminal and paste a string. This is not a classic phishing email with a malicious link. It is a script-execution lure. Standard phishing awareness training often does not cover it. Organizations that have not specifically taught employees to refuse paste-and-run requests — regardless of how official the source looks — remain exposed. Security-awareness training that includes simulated ClickFix and impersonation scenarios is one of the most direct mitigations available right now, because no patch fixes a user who trusts a fake IT technician on Teams.

Second, platform configuration hygiene. Enabling external Teams federation by default is a business convenience that becomes a high-value attack surface. This is a misconfiguration risk, not a zero-day. The fix is a deliberate policy decision: restrict external federation to explicitly allowlisted domains, or disable it outright if your business does not require it. That change costs nothing and removes an entire initial-access vector. Checking your organization against recognized security configuration standards provides a structured baseline for identifying gaps like this one before attackers find them.

What Defenders Should Do Now

Symantec's report includes indicators of compromise for Mistic samples, ModeloRAT artifacts, and associated C2 infrastructure. Operationally, several controls are worth prioritizing immediately.

  • Block external Teams federation unless specific business partners require it. Audit current inbound external contacts for anything anomalous.
  • Alert on `version.dll` loading from non-system paths. This is a cheap detection rule with real signal. Legitimate software rarely loads `version.dll` from user-writable directories.
  • Hunt for `MpExtMs.exe` running outside its expected installation path. A Microsoft Defender binary executing from a temp folder or user directory is not normal.
  • Review credential exposure. The presence of a credential-stealing .NET component in the Woodgnat toolkit means compromised credentials are being harvested and may already be in motion. Enforce phishing-resistant MFA across all remote-access surfaces.
  • Test your team against ClickFix lures. If you have not run a simulated paste-and-run exercise, you do not know whether your users would comply.
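The two host-level rules in the list above (and the sideload chain described under "The DLL Sideload Chain") as an added detection example; this is illustrative Python, not code from this page's author or from Symantec's report. It assumes Sysmon-style events (Event ID 7 ImageLoad, Event ID 1 ProcessCreate) already parsed into dicts, and the allowlisted directories and sample telemetry are constructed assumptions to tune for your own estate.

```python
import ntpath

# Assumptions (tune for your estate): where version.dll legitimately lives, and
# where a Microsoft Defender binary is expected to execute from.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
DEFENDER_DIRS = (r"C:\Program Files\Windows Defender",
                 r"C:\ProgramData\Microsoft\Windows Defender\Platform")


def _under(path: str, dirs: tuple) -> bool:
    """True if path normalises to somewhere inside one of dirs. Case-insensitive,
    and '..' segments are collapsed so a traversal spelling cannot dodge the rule."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(ntpath.normpath(d).lower() + "\\") for d in dirs)


def check_image_load(ev: dict):
    """Sysmon Event ID 7 (ImageLoad): version.dll loaded from a non-system path."""
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "version.dll" or _under(loaded, SYSTEM_DIRS):
        return None
    return f"version.dll sideload: {ev.get('Image')} loaded {loaded}"


def check_process_create(ev: dict):
    """Sysmon Event ID 1 (ProcessCreate): MpExtMs.exe outside its expected path."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != "mpextms.exe" or _under(image, DEFENDER_DIRS):
        return None
    return f"Defender binary outside expected path: {image}"


def scan(events: list) -> list:
    """Apply the rule for each event's ID and return the alert strings."""
    rules = {1: check_process_create, 7: check_image_load}
    hits = (rules[ev["EventID"]](ev) for ev in events if ev.get("EventID") in rules)
    return [h for h in hits if h]


# Constructed sample telemetry mirroring the chain described above (not real data).
TMP = r"C:\Users\jdoe\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"EventID": 1, "Image": TMP + r"\MpExtMs.exe"},
    {"EventID": 7, "Image": TMP + r"\MpExtMs.exe", "ImageLoaded": TMP + r"\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

Only the two events from the user's Temp directory fire; the Defender binary in its install path and explorer.exe loading the System32 copy of version.dll stay silent, which is the signal-to-noise property the bullet above claims for this rule.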

The broader lesson from Woodgnat is structural. Ransomware groups no longer need to build their own access capability. They buy it. That division of labor makes the initial broker harder to attribute — and means that by the time a ransomware gang activates inside your network, a separate threat actor has already been present for days or weeks. Detection at the Mistic and ModeloRAT stage, before the buyer takes over, is the window that matters. Organizations that want to benchmark their detection and awareness posture can explore options at Train2Secure.

Woodgnat is not done. IABs expand their target set as they expand their buyer list, and with six confirmed ransomware customers, Woodgnat has significant financial incentive to keep shipping intrusions.

How this attack could have been stopped earlier

  • Train employees specifically on paste-and-run and IT-impersonation lures — ClickFix variants are not covered by most legacy phishing awareness curricula.
  • Audit Microsoft Teams external federation settings and restrict inbound contacts to known, approved domains.
  • Implement detection rules for DLL sideloading patterns (version.dll from non-system paths) and enforce phishing-resistant MFA on all remote-access surfaces.

Train2Secure offers simulated ClickFix and impersonation scenarios that test exactly the human decisions Woodgnat exploits — before a real broker does.


Frequently asked questions

What is the Mistic backdoor and who deploys it?

Mistic is a custom in-memory backdoor deployed by an initial access broker tracked as Woodgnat (also called KongTuke). Active since at least April 2025, it runs inside a legitimate Microsoft-signed process via DLL sideloading, leaving minimal artifacts for endpoint tools to detect.

How does ClickFix social engineering work in these attacks?

ClickFix lures trick users into opening a terminal and pasting a malicious command themselves — bypassing email filters and browser defenses. Woodgnat uses fake CAPTCHA pages, browser-crash prompts, and Microsoft Teams impersonation of IT support to deliver these paste-and-run sequences.

Which ransomware groups buy access from Woodgnat?

Symantec's research has linked Woodgnat to at least six ransomware operators: Qilin, Akira, Black Basta, Rhysida, 8Base, and Interlock. The Qilin connection was identified specifically through ModeloRAT deployments.

How can organizations detect or block this attack chain?

Key mitigations include disabling or restricting external Microsoft Teams federation, alerting on version.dll loading from non-system paths, hunting for MpExtMs.exe running outside its expected directory, enforcing phishing-resistant MFA, and training employees to refuse paste-and-run requests from any source.
