Mistic Backdoor and ModeloRAT Deployed in Financially Motivated Attacks Linked to KongTuke
Summary
A financially motivated cyberattack campaign, active since April 2026, deploys the Mistic backdoor (also tracked as MLTBackdoor) alongside ModeloRAT and targets insurance, education, IT, and professional services organizations. The operation is linked to the initial access broker KongTuke (also tracked under multiple aliases). ModeloRAT was first identified in January 2026 by Huntress in a ClickFix campaign variant called CrashFix, which used a malicious Chrome extension disguised as an ad blocker.
Key quotes
Mistic (also tracked as MLTBackdoor) has been deployed since April 2026 in financially motivated attacks targeting insurance, education, IT, and professional services organizations.
The backdoor is linked to initial access broker KongTuke, also known by 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat, and it is dropped alongside ModeloRAT, a Python RAT previously attributed to the same group.
ModeloRAT was first flagged in January 2026 by Huntress in connection with a ClickFix campaign variant called CrashFix, where a malicious Chrome extension masquerading as an ad blocker crashed br