Technical Analysis of MLTBackdoor

    Date: 06/10/2026

    Severity: Medium

    Summary

    MLTBackdoor is a newly identified malware family likely associated with ransomware operations and delivered through a multi-stage ClickFix infection chain. The malware provides remote access capabilities such as file upload and download, while also supporting the execution of Beacon Object Files (BOFs) to dynamically extend its functionality. To evade detection and maintain persistence, MLTBackdoor employs advanced obfuscation, anti-analysis techniques, and a Domain Generation Algorithm (DGA) for resilient command-and-control communications, making it a versatile tool for post-compromise activity and lateral movement. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    hrs2y15sungu.com

    carrolc.com

    cwrtwright.com

    thomphon.com

    powwowski.com/payloads/update.zip

    Hashes (SHA-256): the seven file hashes are listed in full in Detection Query 2 below.

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "carrolc.com" or url like "carrolc.com" or siteurl like "carrolc.com" or domainname like "thomphon.com" or url like "thomphon.com" or siteurl like "thomphon.com" or domainname like "cwrtwright.com" or url like "cwrtwright.com" or siteurl like "cwrtwright.com" or domainname like "hrs2y15sungu.com" or siteurl like "hrs2y15sungu.com" or url like "hrs2y15sungu.com" or domainname like "powwowski.com/payloads/update.zip" or siteurl like "powwowski.com/payloads/update.zip" or url like "powwowski.com/payloads/update.zip"

    Detection Query 2:

    sha256hash IN ("1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf","ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec","2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494","46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93","9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66","1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984","d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b")
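    The two queries above, as an added example that is not Gurucul's query engine or the Zscaler analysis code, expressed as a matcher over exported log records (JSON lines) using the indicator values from this page; the sample records are constructed, and treating a subdomain of a listed domain as a hit is an assumption of this example.

```python
import json
from urllib.parse import urlsplit
# Indicator values are those listed in this advisory; the matcher is an added example.
IOC_DOMAINS = {"hrs2y15sungu.com", "carrolc.com", "cwrtwright.com", "thomphon.com"}
IOC_URLS = {"powwowski.com/payloads/update.zip"}  # host + path, no scheme
IOC_SHA256 = {
    "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984",
    "46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93",
    "9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66",
    "ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec",
    "1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf",
    "2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494",
    "d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b",
}

def host_and_path(value):
    # Normalise a bare hostname or a full URL to (lower-cased host, path).
    if "://" not in value:
        value = "//" + value  # so urlsplit reads the leading token as the host
    parts = urlsplit(value.strip())
    return (parts.hostname or "").lower(), parts.path

def match_network(record):
    """Detection Query 1 over the domainname/url/siteurl fields."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):
        host, path = host_and_path(record.get(field) or "")
        # assumption: subdomains of a listed domain also alert; scheme, port and case are ignored
        hits.update(d for d in IOC_DOMAINS if host == d or host.endswith("." + d))
        hits.update(u for u in IOC_URLS if host + path == u)
    return sorted(hits)

def match_hash(record):
    """Detection Query 2: SHA-256 match, tolerant of upper-case hex."""
    h = (record.get("sha256hash") or "").strip().lower()
    return h if h in IOC_SHA256 else None

def scan(log_lines):
    """Yield (line number, query number, indicator) for every match."""
    for n, rec in enumerate(map(json.loads, log_lines), 1):
        yield from ((n, 1, ind) for ind in match_network(rec))
        if h := match_hash(rec):
            yield (n, 2, h)

# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_LOGS = [
    '{"url": "https://cdn.CARROLC.com:443/x"}',
    '{"siteurl": "http://powwowski.com/payloads/update.zip"}',
    '{"domainname": "example.org", "sha256hash": "D34E4038C5C80728F9648BA84833F69BC1CCEA82E2E8E748B7B7F02FB687B92B"}',
    '{"domainname": "notcarrolc.com"}',
]
```

    In Query 1 the domainname clause for the powwowski.com indicator can only fire if that field carries the full path, so matching on host plus path as above avoids depending on how the log source populates domainname.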

    Reference:

    https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor


    Tags

    Malware, Ransomware, ClickFix, Backdoor, Obfuscation
