Source URL: thehackernews.com/2026/06/n… The Hacker News reports that a new stealthy backdoor called Mistic, also tracked as MLTBackdoor, has been used in financially motivated attacks against organizations in insurance, education, IT and professional services since April 2026. The activity is linked to the KongTuke initial access broker ecosystem and appears alongside ModeloRAT in ClickFix-style campaigns, with delivery paths involving deceptive prompts, DNS-based staging and social engineering. Mistic runs payloads in memory, uses DLL side-loading with trusted Microsoft endpoint-security tooling, supports file operations and in-memory code execution, and includes a kill switch, making it well-suited for low-visibility footholds that can be monetized by ransomware affiliates or other downstream threat actors.
New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
Edward Kiledjian
@ekiledjian