Mistic Backdoor Abuses Microsoft Endpoint Security Naming to Hide in Corporate Networks


A new backdoor called Mistic is being used in financially motivated intrusions against corporate networks, with evidence pointing to a possible link to the Woodgnat initial access broker.

The Symantec Threat Hunter Team said Mistic has appeared in attacks since April 2026 and has targeted organizations in insurance, education, information technology, and professional services.

The backdoor is notable because it blends into Microsoft endpoint-security tooling. In one investigated attack, a legitimate Microsoft file, MpExtMs.exe, was used to sideload a malicious DLL named EndpointDlp.dll, a filename that looks like it belongs to endpoint data loss prevention software.

Mistic appears built for quiet long-term access

Mistic is designed to give attackers a stealthy foothold inside a network. It can run payloads directly in memory, so the final-stage code never has to be written to disk as a normal executable, which leaves file-based scanning with little to inspect.

It also includes a kill switch that lets operators terminate and delete the backdoor when they no longer need it. That makes forensic recovery harder, especially when attackers remove their tooling before a response team arrives.

Zscaler tracks the same malware family as MLTBackdoor. Its ThreatLabz analysis said MLTBackdoor was identified in May 2026 and was delivered through a multi-stage ClickFix infection chain.

Malware name | Tracked by | Main purpose | Notable behavior
Mistic | Symantec and Carbon Black | Backdoor for stealthy access | Runs payloads in memory and includes a kill switch
MLTBackdoor | Zscaler ThreatLabz | Post-exploitation backdoor | Supports file operations and Beacon Object File loading
ModeloRAT | Linked to Woodgnat/KongTuke activity | Remote access trojan | Delivered through portable Python environments

How the Microsoft-looking sideloading chain works

The attack uses DLL sideloading, a technique in which a trusted, typically signed, executable loads a malicious DLL because Windows searches the application's own directory before the system directories. A lookalike library dropped beside the executable therefore wins over the genuine copy in System32, unless the name is on the KnownDLLs list, which is always mapped from System32.

MITRE ATT&CK files both DLL Search Order Hijacking and DLL Side-Loading under Hijack Execution Flow (T1574), describing them as ways to execute a malicious payload by placing a rogue library where a legitimate program will load it.

In the Mistic case, a loader named version.dll hooks two Windows functions, GetModuleFileNameW and LoadLibraryW. LoadLibraryW is the entry point for loading further libraries, and GetModuleFileNameW reports the on-disk path of a loaded module, so controlling both lets the loader steer execution toward EndpointDlp.dll while shaping what the process reports about itself, which makes it look less suspicious.
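The following model of the default Windows DLL search order is an added illustration, not code from the Symantec or Zscaler reports, and it shows why a version.dll dropped next to the copied host executable is loaded instead of the genuine one in System32. The staging path, the host binary's import list and the KnownDLLs subset are constructed for the example; the real KnownDLLs list lives in the registry under Session Manager\KnownDLLs.

```python
from pathlib import PureWindowsPath

# Illustrative subset of KnownDLLs. Windows always maps these from System32,
# so a same-named file beside the executable is never consulted.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
              "ole32.dll", "gdi32.dll", "rpcrt4.dll"}

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
SYSTEM16 = PureWindowsPath(r"C:\Windows\System")
WINDIR = PureWindowsPath(r"C:\Windows")


def search_order(app_dir, cwd, path_dirs):
    """Default order with SafeDllSearchMode enabled: the application directory
    first, then the system directories, then the working directory, then PATH."""
    return [PureWindowsPath(app_dir), SYSTEM32, SYSTEM16, WINDIR,
            PureWindowsPath(cwd), *map(PureWindowsPath, path_dirs)]


def resolve(dll_name, app_dir, files, cwd=r"C:\Users\user", path_dirs=()):
    """Return the path Windows would load dll_name from, or None if absent.
    `files` is a set of lower-cased full paths standing in for the file system."""
    if dll_name.lower() in KNOWN_DLLS:
        return SYSTEM32 / dll_name
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = directory / dll_name
        if str(candidate).lower() in files:
            return candidate
    return None


def hijack_candidates(exe_path, imports, files):
    """Imports that resolve to a copy in the executable's own directory, i.e.
    the names a dropped lookalike DLL would satisfy. A binary that genuinely
    lives in System32 is excluded because its directory is the system one."""
    app_dir = PureWindowsPath(exe_path).parent
    flagged = []
    for dll in imports:
        resolved = resolve(dll, app_dir, files)
        if resolved is not None and resolved.parent == app_dir and app_dir != SYSTEM32:
            flagged.append((dll, str(resolved)))
    return flagged


# Constructed file system: the trusted host binary copied to a made-up staging
# folder next to an attacker-supplied version.dll and EndpointDlp.dll, while the
# genuine version.dll still exists in System32.
STAGING_EXE = r"C:\ProgramData\Updates\MpExtMs.exe"
SAMPLE_FILES = {
    STAGING_EXE.lower(),
    r"c:\programdata\updates\version.dll",
    r"c:\programdata\updates\endpointdlp.dll",
    r"c:\windows\system32\version.dll",
    r"c:\windows\system32\kernel32.dll",
}
# The import list is assumed for the illustration; only version.dll is a
# documented part of the reported chain.
SAMPLE_IMPORTS = ["kernel32.dll", "version.dll"]

if __name__ == "__main__":
    for dll, where in hijack_candidates(STAGING_EXE, SAMPLE_IMPORTS, SAMPLE_FILES):
        print(f"{dll} would be loaded from {where}")
```

Running it reports that version.dll resolves to the staging folder while kernel32.dll still comes from System32, which is exactly the asymmetry a sideloading chain relies on: only non-KnownDLL names that the host binary imports are reachable this way.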

Why the EndpointDlp.dll name helps the malware hide

The EndpointDlp.dll filename matters because Microsoft uses endpoint data loss prevention features in enterprise security environments. A file with that name may not immediately stand out to analysts reviewing noisy endpoint activity.

Microsoft’s own Endpoint data loss prevention documentation explains that Endpoint DLP helps organizations monitor and protect sensitive items on Windows devices.

Attackers are not exploiting Endpoint DLP itself in the reported Mistic chain. Instead, they appear to be borrowing trusted-looking names and Microsoft-adjacent paths to reduce suspicion during investigation.

  • Legitimate file abused: MpExtMs.exe
  • Loader used in the chain: version.dll
  • Backdoor DLL name: EndpointDlp.dll
  • Technique: DLL sideloading
  • Goal: stealthy access that can support follow-on activity

Mistic can upload files, download payloads, and run code in memory

Once active, Mistic gives operators several backdoor functions. It can upload and download files, move or delete files, create folders, and change how often it checks in with its command-and-control server.

Its most important feature is memory execution. Operators can send remote payloads that run without saving a normal executable to disk, reducing the chance that file-based detection will catch the activity.

The Mistic report also said a separate .NET DLL appeared on the victim network and acted as a credential stealer by displaying a fake login screen.

Capability | Security impact
Upload and download files | Attackers can move tools in and data out
Move, rename, or delete files | Operators can alter evidence or prepare staging folders
Create folders | The backdoor can organize payloads and stolen data
Change check-in frequency | Operators can reduce noisy network behavior
Execute code in memory | Final payloads can avoid normal file-based scanning
Terminate and delete itself | Attackers can remove the backdoor after use

Symantec says Mistic may be linked to Woodgnat, also known publicly as KongTuke. The group is tracked as a financially motivated initial access broker rather than a traditional ransomware crew.

An initial access broker breaks into networks, establishes durable access, and then sells that access to other criminals. That model lets ransomware affiliates skip the hardest first step of an intrusion.

Woodgnat has been publicly linked to ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Symantec also said its team observed ModeloRAT in attacks that delivered Qilin ransomware.

ClickFix, FileFix, and CrashFix lures remain part of the playbook

Woodgnat’s broader traffic distribution system has relied on compromised WordPress sites, injected JavaScript, and social engineering pages that trick users into running attacker-supplied commands.

These lures have evolved over time. ClickFix uses fake errors or CAPTCHA prompts, FileFix pushes users to paste commands into File Explorer, and CrashFix uses a browser crash scenario to make the fake fix look urgent.

Zscaler’s MLTBackdoor research tied the malware to a ClickFix chain and said it can load Beacon Object Files to expand post-exploitation capabilities.

Microsoft Teams helpdesk lures add another route

Since around April 2026, Woodgnat activity has also included fake IT helpdesk scenarios delivered through Microsoft Teams chats. Operators persuade users to run PowerShell commands under the guise of fixing an issue.

Microsoft’s Teams external access guidance explains how organizations can manage communication with people outside their own tenant, including domain-level controls.

That matters because external Teams messaging can create a direct social-engineering path into employees. Organizations should review external access settings, block unnecessary domains, and train users not to paste commands from chat-based support messages.

What defenders should hunt for

Security teams should treat unexpected MpExtMs.exe activity as suspicious when it occurs outside normal Microsoft paths or loads unexpected DLLs.

They should also hunt for EndpointDlp.dll files that do not belong to approved Microsoft security components. The same applies to version.dll files placed near trusted executables in unusual folders.

MITRE’s DLL sideloading guidance recommends monitoring process activity and DLL loading behavior, especially when signed binaries load libraries from attacker-controlled paths.

  1. Review MpExtMs.exe executions and confirm the file path and parent process.
  2. Search for suspicious EndpointDlp.dll and version.dll files on endpoints.
  3. Monitor PowerShell, curl.exe, certutil, reg.exe, net.exe, and WMIC usage.
  4. Audit external Microsoft Teams access and disable unnecessary cross-tenant communication.
  5. Watch for fake login screens and unexplained credential prompts.
  6. Block known Mistic command-and-control infrastructure from the IoC list.
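The hunting logic below is an added example that runs the checks in the list above over constructed endpoint telemetry; it is not tooling from Symantec, Carbon Black or Zscaler. The events are modelled loosely on Sysmon process-create (EventID 1), image-load (EventID 7) and network-connection (EventID 3) records in a key=value form that is assumed for the example, and the allowlisted directory for the host binary is a placeholder you must replace from a known-good image. The hashes, IPs and domains are the ones in the indicator table on this page.

```python
import re

# Indicators as published on this page.
MISTIC_SHA256 = {
    "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984",
    "34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc",
    "59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712",
    "afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c",
    "db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5",
}
C2_IPS = {"142.93.242.144", "144.31.53.78", "198.13.159.44", "199.91.221.42"}
C2_DOMAINS = {"authorized-logins.net", "updater-worelos.com",
              "upd-domain-goloro.com", "thomphon.com"}

SIDELOAD_HOST = "mpextms.exe"
SIDELOAD_DLLS = {"version.dll", "endpointdlp.dll"}
# Assumption: the directory where the signed host binary is expected on your
# estate. Populate this from a known-good build, not from this placeholder.
EXPECTED_HOST_DIRS = ("c:\\program files\\windows defender\\",)

# key=value pairs; values containing spaces are double-quoted (assumed format).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def sha256_of(event):
    """Pull the SHA256 entry out of a Sysmon-style 'Hashes=SHA256=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def in_expected_dir(path):
    return path.lower().startswith(EXPECTED_HOST_DIRS)


def hunt(lines):
    """Return (rule, detail) hits. Hash matches are exact; the sideload rule is
    behavioral, so it still fires on a recompiled DLL with an unknown hash."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == "1" and basename(image) == SIDELOAD_HOST and not in_expected_dir(image):
            hits.append(("host-exe-unusual-path", image))
        elif eid == "7":
            loaded = ev.get("ImageLoaded", "")
            if sha256_of(ev) in MISTIC_SHA256:
                hits.append(("known-mistic-hash", loaded))
            elif (basename(loaded) in SIDELOAD_DLLS
                  and dirname(loaded) == dirname(image)
                  and not in_expected_dir(image)):
                hits.append(("sideload-from-app-dir", f"{image} -> {loaded}"))
        elif eid == "3":
            dest_ip = ev.get("DestinationIp", "")
            dest_host = ev.get("DestinationHostname", "").lower()
            if dest_ip in C2_IPS or dest_host in C2_DOMAINS:
                hits.append(("c2-contact", f"{image} -> {dest_host or dest_ip}"))
    return hits


# Constructed telemetry: a copied host binary in a made-up staging folder,
# the documented loader hash, a recompiled DLP lookalike with an unknown hash,
# a benign load from the expected directory, and a beacon to a listed IP.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Users\Public\Libraries\MpExtMs.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'EventID=7 Image=C:\Users\Public\Libraries\MpExtMs.exe ImageLoaded=C:\Users\Public\Libraries\version.dll Hashes=SHA256=59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712',
    r'EventID=7 Image=C:\Users\Public\Libraries\MpExtMs.exe ImageLoaded=C:\Users\Public\Libraries\EndpointDlp.dll Hashes=SHA256=placeholder',
    r'EventID=7 Image="C:\Program Files\Windows Defender\MpExtMs.exe" ImageLoaded=C:\Windows\System32\version.dll Hashes=SHA256=placeholder',
    r'EventID=3 Image=C:\Users\Public\Libraries\MpExtMs.exe DestinationIp=142.93.242.144 DestinationPort=443',
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign fourth event produces no hit because the DLL is loaded from System32 rather than from the executable's own directory, which is the distinction that keeps the sideload rule from firing on every legitimate version.dll load.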

Known indicators of compromise

Type | Indicator | Description
SHA-256 | 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 | Backdoor.Mistic EndpointDlp.dll
SHA-256 | 34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc | Fake lock screen f.dll
SHA-256 | 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 | Loader version.dll
SHA-256 | afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c | Backdoor.Mistic EndpointDlp.dll
SHA-256 | db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5 | Backdoor.Mistic EndpointDlp.dll
IP address | 142.93.242.144 | Command-and-control indicator
IP address | 144.31.53.78 | Command-and-control indicator
IP address | 198.13.159.44 | Command-and-control indicator
IP address | 199.91.221.42 | Command-and-control indicator
Domain | authorized-logins.net | Malicious infrastructure
Domain | updater-worelos.com | Malicious infrastructure
Domain | upd-domain-goloro.com | Malicious infrastructure
Domain | thomphon.com | Malicious infrastructure

How organizations can reduce risk

Defenders should tune endpoint controls for in-memory execution and suspicious module loading, not only malware hashes. Mistic’s design means the most valuable detection signals may come from behavior rather than files.

Organizations should also reduce unnecessary script execution, restrict PowerShell where possible, and add alerting for unexpected use of living-off-the-land tools in user sessions.

Because the activity can start with social engineering, technical controls need support from user training. Employees should know that real IT teams do not ask them to paste PowerShell commands from Teams chats, browser prompts, CAPTCHA pages, or crash-recovery messages.

Microsoft’s external access controls for Teams can help reduce exposure to support impersonation attempts, while Microsoft’s Endpoint DLP overview can help administrators distinguish legitimate Microsoft security components from suspicious lookalike files.

FAQ

What is Mistic backdoor?

Mistic is a stealthy backdoor observed in financially motivated intrusions since April 2026. It can run payloads in memory, upload and download files, change its command-and-control check-in interval, and delete itself through a kill switch.

How does Mistic hide as Microsoft endpoint security tooling?

In one investigated attack, Mistic used DLL sideloading through a legitimate Microsoft file named MpExtMs.exe and loaded a malicious DLL named EndpointDlp.dll. The EndpointDlp.dll name resembles Microsoft endpoint-security tooling, which can help the malware blend into normal enterprise environments.

Is Mistic linked to ransomware attacks?

Symantec says Mistic may be linked to Woodgnat, also known as KongTuke, an initial access broker associated with ransomware ecosystems. The link is cautious rather than confirmed, but the activity overlaps with tools used in ransomware-related intrusions.

What is MLTBackdoor?

MLTBackdoor is Zscaler’s tracking name for the malware family Symantec calls Mistic. Zscaler reported that it was delivered through a multi-stage ClickFix infection chain and can load Beacon Object Files to extend post-exploitation capabilities.

How can companies detect Mistic activity?

Companies should monitor suspicious MpExtMs.exe execution, unexpected EndpointDlp.dll or version.dll files, DLL sideloading from unusual paths, in-memory payload execution, fake login screens, PowerShell abuse, and suspicious outbound traffic to known Mistic infrastructure.
