Backdoor.Mistic: New Backdoor May Be Linked to Ransomware Access Broker
Symantec, Wednesday, June 24th, 2026
Symantec analyzes Backdoor.Mistic, a stealthy in-memory backdoor possibly tied to ransomware access broker Woodgnat.
Symantec's Threat Hunter Team detailed Backdoor.Mistic, a stealthy malware deployed since April 2026 that may be linked to Woodgnat, a ransomware access broker known for the ModeloRAT toolkit.
The backdoor executes payloads in memory without writing files to disk and includes a self-deletion feature, enabling prolonged, undetected access. Woodgnat has been associated with multiple ransomware operations including Qilin, Interlock, and Black Basta.
It primarily targets organizations in insurance, education, IT, and professional services through opportunistic methods.