Mistic backdoor attack activity targeting enterprise sectors since April
Malware Activity
Summary
The Mistic backdoor is being used in financially motivated attacks against insurance, education, IT, and professional services organizations, giving operators a stealthy foothold in enterprise networks. Researchers say it has been active since April and can communicate with command-and-control, run code in memory, and delete itself to evade detection. The activity matters because the malware is built for long-term persistence and begins with DLL side-loading plus a fake login screen that can steal credentials.
Related Happenings
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score: 29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources: 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score: 33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources: 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Major South Korean electronics manufacturer hit by data theft breach
Incident
H score: 13
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources: 1
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score: 37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources: 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Snow malware suite deployment by UNC6692
Malware Activity
H score: 29
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources: 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Timeline
- 24.06.2026 13:41 · 2 articles · 7h ago
Mistic backdoor used in financially motivated attacks on enterprise sectors
Initial Disclosure: Symantec says Mistic is a new backdoor used in financially motivated attacks against organizations in the insurance, education, IT, and professional services sectors, and links it to KongTuke/Woodgnat. The malware has reportedly been used in intrusions since April, and Zscaler says it was delivered in a multi-stage ClickFix infection chain in May.
- Stealthy Mistic backdoor linked to ransomware access broker KongTuke — www.bleepingcomputer.com — 24.06.2026 13:41