
New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

thehackernews.com | 2026-06-25 | malicious AI use | Critical

What Happened

A new, stealthy backdoor named Mistic has been deployed as part of suspected financially motivated attacks aimed at multiple organizations spanning insurance, education, IT, and professional services sectors since April 2026. According to Symantec and Carbon Black's Threat Hunter Team, the backdoor, also tracked as MLTBackdoor, is said to be linked to an initial access broker (IAB) named

Why It Matters

The article describes a new stealthy backdoor, Mistic (also tracked as MLTBackdoor), linked at low confidence to the initial access broker KongTuke/Woodgnat and used in financially motivated campaigns delivered via ClickFix and observed in proximity to ModeloRAT.[1][2][3][6] Researchers report that Mistic targets multiple sectors (insurance, education, IT, professional services), uses DLL side-loading and in-memory payload execution, and is designed for long-term, low-visibility access that can ultimately be sold to ransomware groups.[1][3][6]

From a CyberSE.AI perspective, stealthy access tooling of this kind, together with its social-engineering delivery (ClickFix, fake CAPTCHAs, fake fixes), can be repurposed to target AI agents and the infrastructure they run on, giving adversaries persistent access to systems hosting models, training pipelines, or sensitive data. Organizations should harden AI-related endpoints against these intrusion chains, include them in continuous AI red teaming, and treat third-party components in AI stacks (agents, plugins, browser extensions, WordPress-based frontends) as part of the AI supply chain that requires SBOM-level visibility and secure build practices.

Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/new-mistic-backdoor-linked-to-kongtuke.html
