A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.

The malware is believed to be linked to KongTuke/Woodgnat, an initial access broker active since at least 2024 that specializes in compromising corporate networks and selling that access to ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Researchers at cybersecurity company Symantec say that Mistic has been used in intrusions since April.

In at least one incident, it was deployed shortly after ModeloRAT, a backdoor attributed to KongTuke and delivered via social engineering attacks over Microsoft Teams.

Symantec believes that Mistic is a newly developed, stealthy backdoor designed for long-term persistence in compromised networks.