
Mistic and MLTBackdoor malware used in ransomware access broker campaigns

malware | open | Jun 16, 2026 — Jun 24, 2026

WOODGNAT, an initial access broker also tracked as KongTuke, has been observed deploying two distinct remote access trojans, Backdoor.Mistic and MLTBackdoor, to facilitate ransomware operations. The activity dates back to May 2024 and has recently intensified, with victims spanning the education and information technology sectors. Zscaler's analysis describes MLTBackdoor, while a SecurityWeek report outlines Mistic's role.

Backdoor.Mistic functions as a classic remote access trojan, giving attackers the ability to read, write and delete files, execute arbitrary code and harvest credentials from infected hosts. It is frequently delivered through compromised WordPress plugins that drop a malicious payload, or via social engineering lures in Microsoft Teams that trick users into running a PowerShell script. Once active, the RAT opens a reverse channel to its command‑and‑control server, allowing the operator to exfiltrate data and deploy further tools.

MLTBackdoor arrives in a multi‑stage chain that begins with a ClickFix lure presenting a fake software update prompt. When the user clicks the prompt, a series of obfuscated JavaScript and PowerShell commands is launched, employing Mixed Boolean‑Arithmetic (MBA) and Control Flow Flattening to hinder analysis. The malware uses a domain generation algorithm (DGA) to create changing rendezvous points and encrypts all traffic with a strong cipher, making network‑based detection harder. Zscaler notes that the modular design lets operators plug in additional capabilities such as credential stealers or lateral movement scripts on demand.

Woodgnat has been active since at least May 2024, selling access to compromised networks to various ransomware affiliates. The broker’s toolkit now includes both Mistic and MLTBackdoor, which it chooses based on the target’s environment and the desired level of stealth. SecurityWeek links the broker to several ransomware families, noting that the stolen footholds often precede ransomware deployment by days or weeks.

Prior to adopting these tools, Woodgnat relied on another custom RAT known as ModeloRAT to gather basic host information. The group profiles each infected machine, assessing factors like domain admin presence and data volume to estimate its resale value. Once a host meets the broker’s criteria, the access is listed on underground markets where ransomware operators purchase it for follow‑on encryption attacks.

Defenders should enforce strict change management on WordPress installations, removing unsupported plugins and monitoring file integrity for unexpected modifications. In Microsoft Teams, administrators can disable external file sharing and restrict the execution of PowerShell scripts through AppLocker or similar controls. Network teams should block outbound connections to newly observed domains associated with the MLTBackdoor DGA and inspect TLS traffic for anomalous patterns using behavioural analytics.

Endpoint solutions need to flag the characteristic obfuscation patterns, such as MBA‑encoded strings, and alert on repeated attempts to launch unsigned PowerShell from Office applications. Finally, regular threat‑intelligence feeds that track Woodgnat’s infrastructure can help prioritize hunting efforts and reduce dwell time.
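The two endpoint detections suggested above, PowerShell launched from Office applications and MBA‑style obfuscation in script text, can be expressed as simple heuristics over process telemetry and script contents. The following is an added example written for this brief; it is not code from Zscaler, SecurityWeek or the Woodgnat reporting. The event field names, the list of evasive arguments, the operator‑mix threshold and all sample events and scripts are constructed assumptions, and the MBA scorer is a density heuristic rather than a parser of either language.

```python
"""Heuristic detections for Office->PowerShell chains and MBA-style obfuscation.

Example code added to illustrate the brief's detection advice. Assumptions:
process events carry parent image, image, command line and a script-signing
flag (Sysmon Event ID 1 / EDR-like); MBA rewrites such as
(x -bxor y) + 2*(x -band y) for x + y produce operator mixtures that ordinary
scripts rarely need.
"""
import re
from collections import Counter

# Assumed telemetry vocabulary (constructed for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "-executionpolicy bypass",
                   "-ep bypass", "-windowstyle hidden", "-w hidden")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_powershell(events, repeat_threshold=2):
    """Return alerts for PowerShell processes whose parent is an Office app.

    A chain is reported when it uses evasive arguments, runs an unsigned
    script, or repeats on the same host at least `repeat_threshold` times
    (the brief's "repeated attempts").
    """
    findings, per_host = [], Counter()
    for ev in events:
        if _basename(ev["parent_image"]) not in OFFICE_PARENTS:
            continue
        if _basename(ev["image"]) not in POWERSHELL_IMAGES:
            continue
        per_host[ev["host"]] += 1
        cmd = ev.get("command_line", "").lower()
        reasons = [a.strip() for a in SUSPICIOUS_ARGS if a in cmd]
        if ev.get("script_signed") is False:
            reasons.append("unsigned-script")
        findings.append({"host": ev["host"], "pid": ev["pid"], "reasons": reasons})
    alerts = []
    for f in findings:
        reasons = list(f["reasons"])
        if per_host[f["host"]] >= repeat_threshold:
            reasons.append("repeated-x%d" % per_host[f["host"]])
        if reasons:
            alerts.append({"host": f["host"], "pid": f["pid"], "reasons": reasons})
    return alerts


# Operator patterns: PowerShell bitwise operators, JS/C-style bitwise operators
# (single & and |, so && and || are excluded), and arithmetic operators.
PS_BITWISE = re.compile(r"-b(?:xor|and|or|not|shl|shr)\b", re.I)
JS_BITWISE = re.compile(r"[\^~]|(?<![&|])[&|](?![&|])|<<|>>")
# '-' counts as subtraction only with spaces on both sides or when glued to a
# digit, '(' or '$'; this keeps cmdlet names and parameters (-nop) out.
ARITH = re.compile(r"[+*]|(?<=[\w)\]])\s+-\s+(?=\S)|(?<=[\w)\]])-(?=[\d($])")


def mba_score(script, min_ops=4):
    """Count statements mixing bitwise and arithmetic operators densely."""
    score = 0
    for stmt in re.split(r"[;\n]", script):
        bitwise = len(PS_BITWISE.findall(stmt)) + len(JS_BITWISE.findall(stmt))
        arith = len(ARITH.findall(PS_BITWISE.sub(" ", stmt)))
        if bitwise and arith and bitwise + arith >= min_ops:
            score += 1
    return score


# Constructed sample telemetry and scripts (not observed data).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "parent_image": r"C:\Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc QQBBAEEA",
     "script_signed": False},
    {"host": "ws01", "pid": 4188, "parent_image": r"C:\Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -File C:\Users\Public\inv.ps1",
     "script_signed": False},
    {"host": "ws02", "pid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1", "script_signed": True},
    {"host": "ws03", "pid": 2211, "parent_image": r"C:\Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\tools\refresh.ps1", "script_signed": True},
]
MBA_SAMPLE = """
$k = (($x -bxor $y) + 2 * ($x -band $y));
$j = (($a -bor $b) - ($a -band $b)) * 4;
Write-Output $k
"""
BENIGN_SAMPLE = """
$total = ($price * $qty) + $tax;
$idx = ($h -band 0xff) + 1;
Get-Process | Where-Object { $_.CPU -gt 10 }
"""
JS_MBA_SAMPLE = "var s = ((x ^ y) + 2 * (x & y)) * (~z + 1);"

if __name__ == "__main__":
    for alert in office_spawned_powershell(SAMPLE_EVENTS):
        print("ALERT", alert)
    for name, text in (("mba", MBA_SAMPLE), ("benign", BENIGN_SAMPLE), ("js", JS_MBA_SAMPLE)):
        print(name, "mba_score =", mba_score(text))
```

Only the two Word‑spawned processes on ws01 alert: one for its evasive arguments plus the unsigned script, the other for the unsigned script and the repeat on that host; the signed, argument‑free Excel‑spawned script on ws03 stays below the repeat threshold. The operator‑mix threshold is what keeps a single `-band` masked offset or an ordinary pipeline from scoring, so tune `min_ops` against your own script baseline before alerting on it.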

Intelligence briefing updated Jun 24, 2026

Woodgnat
Root source: www.zscaler.com