Date: 06/29/2026
Severity: High
Summary
Backdoor.Mistic is a stealthy backdoor observed in cybercrime intrusions since April 2026 and is suspected to be linked to the Woodgnat (KongTuke) initial access broker. Using DLL sideloading, fileless in-memory execution, and self-deletion capabilities, it establishes long-term covert access while evading detection. The malware has been linked to ModeloRAT and ransomware groups including Qilin, Akira, Black Basta, Rhysida, Interlock, and 8Base, and has been deployed opportunistically across the insurance, education, IT, and professional services sectors.
Indicators of Compromise (IOC) List
Type | Indicators
Domains/URLs | authorized-logins.net, b6w9m2z5x8q1v3k.top, carrolc.com, cj06y9v4xab.com, cwrtwright.com, defs.updater-worelos.com, ftps.upd-domain-goloro.com, grande-luna.top, http://thomphon.com/update.msi, human-check.top, mail.authorized-logins.net, mailes.upd-domain-goloro.com, mails.updater-worelos.com, mueleer.com, nano.upscale-kolo.com, oeannon.com, php.authorized-logins.net, rotoa-upda-lo.com, sql-updater-service.com, sss.authorized-logins.net, thomphon.com, upd-domain-goloro.com, update.update-fall.com, updater-worelos.com, upscale-kolo.com, w3xasv14culvnqj.top
IP Addresses | 142.93.242.144, 144.31.53.78, 198.13.159.44, 199.91.221.42
Hashes (SHA-256) | 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984, 34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc, 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be, 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712, 8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235, afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c, db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5, f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e, fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain and URL indicators) | domainname like "b6w9m2z5x8q1v3k.top" or url like "b6w9m2z5x8q1v3k.top" or siteurl like "b6w9m2z5x8q1v3k.top" or domainname like "sss.authorized-logins.net" or url like "sss.authorized-logins.net" or siteurl like "sss.authorized-logins.net" or domainname like "thomphon.com" or url like "thomphon.com" or siteurl like "thomphon.com" or domainname like "upscale-kolo.com" or url like "upscale-kolo.com" or siteurl like "upscale-kolo.com" or domainname like "mailes.upd-domain-goloro.com" or url like "mailes.upd-domain-goloro.com" or siteurl like "mailes.upd-domain-goloro.com" or domainname like "mueleer.com" or url like "mueleer.com" or siteurl like "mueleer.com" or domainname like "mails.updater-worelos.com" or url like "mails.updater-worelos.com" or siteurl like "mails.updater-worelos.com" or domainname like "w3xasv14culvnqj.top" or url like "w3xasv14culvnqj.top" or siteurl like "w3xasv14culvnqj.top" or domainname like "upd-domain-goloro.com" or url like "upd-domain-goloro.com" or siteurl like "upd-domain-goloro.com" or domainname like "defs.updater-worelos.com" or url like "defs.updater-worelos.com" or siteurl like "defs.updater-worelos.com" or domainname like "grande-luna.top" or url like "grande-luna.top" or siteurl like "grande-luna.top" or domainname like "sql-updater-service.com" or url like "sql-updater-service.com" or siteurl like "sql-updater-service.com" or domainname like "ftps.upd-domain-goloro.com" or url like "ftps.upd-domain-goloro.com" or siteurl like "ftps.upd-domain-goloro.com" or domainname like "update.update-fall.com" or url like "update.update-fall.com" or siteurl like "update.update-fall.com" or domainname like "php.authorized-logins.net" or url like "php.authorized-logins.net" or siteurl like "php.authorized-logins.net" or domainname like "authorized-logins.net" or url like "authorized-logins.net" or siteurl like "authorized-logins.net" or domainname like "mail.authorized-logins.net" or url like "mail.authorized-logins.net" or siteurl like "mail.authorized-logins.net" or domainname like "updater-worelos.com" or url like "updater-worelos.com" or siteurl like "updater-worelos.com" or domainname like "human-check.top" or url like "human-check.top" or siteurl like "human-check.top" or domainname like "carrolc.com" or url like "carrolc.com" or siteurl like "carrolc.com" or domainname like "oeannon.com" or url like "oeannon.com" or siteurl like "oeannon.com" or domainname like "nano.upscale-kolo.com" or url like "nano.upscale-kolo.com" or siteurl like "nano.upscale-kolo.com" or domainname like "rotoa-upda-lo.com" or url like "rotoa-upda-lo.com" or siteurl like "rotoa-upda-lo.com" or domainname like "cwrtwright.com" or url like "cwrtwright.com" or siteurl like "cwrtwright.com" or domainname like "cj06y9v4xab.com" or url like "cj06y9v4xab.com" or siteurl like "cj06y9v4xab.com" or domainname like "http://thomphon.com/update.msi" or siteurl like "http://thomphon.com/update.msi" or url like "http://thomphon.com/update.msi"
Detection Query 2 (IP address indicators) | dstipaddress IN ("199.91.221.42","142.93.242.144","198.13.159.44","144.31.53.78") or srcipaddress IN ("199.91.221.42","142.93.242.144","198.13.159.44","144.31.53.78")
Detection Query 3 (SHA-256 file hash indicators) | sha256hash IN ("8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235","34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc","1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984","fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a","f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e","db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5","59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712","3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be","afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c")
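The three queries above each cover one indicator class (hosts and URLs, IP addresses, SHA-256 hashes). The following Python script is an added illustration, not part of this advisory and not Gurucul TDIR code: it applies the same indicators to a handful of constructed log records so the matching behaviour can be checked offline. Its one design choice worth noting is that host indicators are matched on label boundaries, so a subdomain of a listed domain (cdn.carrolc.com) is a hit while a look-alike that merely contains the string (notauthorized-logins.net, carrolc.com.example.org) is not; IPs and hashes are matched exactly and case-insensitively. The field names mirror the queries; the sample records and their values are constructed.

```python
"""Offline IOC matcher for the Backdoor.Mistic indicators listed above.

Added illustration; not part of the advisory and not Gurucul TDIR code.
Indicators are copied from the advisory's IOC list. Log records are constructed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Host indicators from the advisory, matched on the host itself or any subdomain of it.
DOMAIN_IOCS = {
    "authorized-logins.net", "b6w9m2z5x8q1v3k.top", "carrolc.com", "cj06y9v4xab.com",
    "cwrtwright.com", "defs.updater-worelos.com", "ftps.upd-domain-goloro.com",
    "grande-luna.top", "human-check.top", "mail.authorized-logins.net",
    "mailes.upd-domain-goloro.com", "mails.updater-worelos.com", "mueleer.com",
    "nano.upscale-kolo.com", "oeannon.com", "php.authorized-logins.net",
    "rotoa-upda-lo.com", "sql-updater-service.com", "sss.authorized-logins.net",
    "thomphon.com", "upd-domain-goloro.com", "update.update-fall.com",
    "updater-worelos.com", "upscale-kolo.com", "w3xasv14culvnqj.top",
}
# Full-URL indicator from the advisory, matched exactly (its host is also in DOMAIN_IOCS).
URL_IOCS = {"http://thomphon.com/update.msi"}
IP_IOCS = {ipaddress.ip_address(a) for a in (
    "142.93.242.144", "144.31.53.78", "198.13.159.44", "199.91.221.42")}
SHA256_IOCS = {
    "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984",
    "34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712",
    "8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235",
    "afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c",
    "db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5",
    "f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e",
    "fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a",
}


def host_of(value: str) -> str:
    """Lower-cased hostname from a bare host or a URL, without a trailing dot."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")


def domain_matches(value: str) -> str | None:
    """Indicator covering this host, matched only on label boundaries (no substring hits)."""
    labels = host_of(value).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # host, then each parent domain in turn
        if candidate in DOMAIN_IOCS:
            return candidate
    return None


def match_event(event: dict) -> list[tuple[str, str, str]]:
    """All (field, indicator_type, indicator) hits for one log record."""
    hits: list[tuple[str, str, str]] = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if not value:
            continue
        if value.strip().lower() in URL_IOCS:
            hits.append((field, "url", value.strip().lower()))
        matched = domain_matches(value)
        if matched:
            hits.append((field, "domain", matched))
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:  # malformed address field: not a hit
            continue
        if addr in IP_IOCS:
            hits.append((field, "ip", str(addr)))
    digest = (event.get("sha256hash") or "").strip().lower()
    if digest in SHA256_IOCS:
        hits.append(("sha256hash", "sha256", digest))
    return hits


SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"id": 1, "domainname": "mail.authorized-logins.net", "dstipaddress": "10.0.0.5"},
    {"id": 2, "url": "http://thomphon.com/update.msi", "dstipaddress": "198.13.159.44"},
    {"id": 3, "domainname": "cdn.carrolc.com"},           # subdomain of an indicator
    {"id": 4, "domainname": "notauthorized-logins.net"},  # look-alike: must not match
    {"id": 5, "sha256hash": "8C935FEEC4BD05D5D918DF308BE417532FB42608FB989A08EAB183E0AE699235"},
    {"id": 6, "domainname": "updates.example.com", "srcipaddress": "192.168.1.20"},
]


def scan(events: list[dict]) -> dict[int, list[tuple[str, str, str]]]:
    """Map event id to its hits, for events that have at least one."""
    result: dict[int, list[tuple[str, str, str]]] = {}
    for event in events:
        hits = match_event(event)
        if hits:
            result[event["id"]] = hits
    return result


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Running it reports events 1, 2, 3 and 5; event 2 produces three hits (the exact URL, its host, and the destination IP), which is the overlap to expect when a URL indicator's host is also listed on its own.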
Reference:
https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat