Mistic backdoor deployment via ClickFix and DLL side-loading

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary

The Mistic backdoor is being used in financially motivated attacks against organizations across insurance, education, IT, and professional services, raising the risk of stealthy long-term access. It is also tracked as MLTBackdoor and has been delivered through ClickFix-style lures. The malware runs in memory, can self-delete, and uses DLL side-loading via MpExtMs.exe to blend in.

Related Happenings

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score 33 · First: 25.06.2026 11:54 · Last: 25.06.2026 11:54 · Sources: 1

How related: "The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector," Symantec and Carbon Black said, adding that ModeloRAT has been observed in attacks that deployed Qilin ransomware.

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score 33 · First: 24.06.2026 13:41 · Last: 24.06.2026 13:41 · Sources: 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...

GPU cryptomining malware using ScreenConnect and SEO poisoning

Malware Activity
H score 16 · First: 28.05.2026 00:31 · Last: 28.05.2026 00:31 · Sources: 1

About this happening: A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...

Fake Claude PlugX phishing campaign

Campaign
H score 34 · First: 13.04.2026 12:52 · Last: 13.04.2026 12:52 · Sources: 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
H score 24 · First: 16.03.2026 11:07 · Last: 16.03.2026 11:07 · Sources: 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

Timeline

  1. 25.06.2026 11:54 · 2 articles · 2h ago

    Broadcom details Mistic backdoor use with KongTuke-linked access

    Technical Analysis Update

    Mistic, also tracked as MLTBackdoor, is linked to KongTuke and has been used in suspected financially motivated attacks against multiple organizations in the insurance, education, IT, and professional services sectors since April 2026. The malware is described as running in memory, using DLL side-loading with MpExtMs.exe, and including a kill switch for self-deletion, which points to stealthy long-term access and possible resale of access rather than a single-sector intrusion.