Woodgnat Hackers Use Mistic RAT to Sell Network Access to Ransomware Groups
A newly discovered remote access Trojan (RAT) called Backdoor.Mistic is helping cybercriminals secretly break into corporate networks and sell access to ransomware operators.
Security researchers have identified the malware, also tracked as MLTBackdoor by Zscaler, as a tool used by the Woodgnat hacking group, also known as KongTuke. The group has been active since 2024 and operates as an initial access broker, providing entry points to ransomware gangs instead of carrying out attacks themselves.
Researchers from security companies including Broadcom’s Symantec team, Carbon Black, Zscaler, and ThaiCERT have linked Woodgnat to campaigns targeting organizations such as schools, insurance companies, and IT service providers. The group has previously used another malware tool called ModeloRAT and has provided access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Social Engineering Tricks Used to Infect Victims
Woodgnat relies heavily on social engineering to compromise networks. Hackers have hijacked legitimate WordPress websites and used fake technical alerts to trick employees into running malicious commands.
One recent technique, called CrashFix, freezes a victim’s browser and displays a fake warning that instructs them to copy and paste commands to repair the issue. Similar methods known as ClickFix and FileFix were used in earlier campaigns.
The attackers have also started contacting employees through Microsoft Teams while pretending to be internal IT support staff. Their goal is to convince users to execute commands that install malware.
Stealthy Mistic RAT Gives Hackers Hidden Control
After gaining access, attackers use a multi-stage PowerShell process to install Backdoor.Mistic. The malware allows hackers to manage files, create fake login screens to steal credentials, and explore compromised networks.
The attackers use legitimate Windows tools such as Net.exe and Reg.exe for network discovery and Curl for transferring stolen information. The malware uses DLL sideloading, a technique that abuses trusted Windows files to avoid detection by security software.
Another dangerous feature is its ability to operate directly in system memory without leaving files on the hard drive, making it harder for antivirus programs to detect. If attackers suspect discovery, the malware can activate a kill switch and remove itself from the infected system.
Cybercrime Becomes More Organized
Security experts say the rise of Mistic RAT highlights the growing professionalism of the cybercrime ecosystem. Instead of ransomware groups handling every stage of an attack, specialized access brokers now focus on finding and selling compromised networks.
Experts warn that organizations should monitor suspicious IT support messages, unexpected commands, unusual network activity, and signs of unauthorized access. Detecting access brokers early could prevent ransomware groups from gaining control of business systems.
Leave a comment