Stealthy Mistic backdoor linked to ransomware access broker KongTuke

A new backdoor called Mistic has been deployed since April against insurance, education, IT, and professional services organizations. Symantec links Mistic to initial access broker KongTuke, which sells network access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The malware side-loads via MpExtMs.exe, displays a fake login screen to steal credentials, and runs payloads in memory with a self-delete kill switch.