Woodgnat Hackers Weaponize Microsoft Teams to Deploy Stealthy Backdoor.Mistic RAT

Cybercriminals are actively hijacking Microsoft Teams chats and weaponizing fake browser crashes to deploy a highly evasive remote access trojan known as Backdoor.Mistic. Discovered in April 2026, this fileless malware allows attackers to silently map corporate networks and sell the access to major ransomware syndicates before security teams even realize they have been breached.

Tracked by Zscaler as MLTBackdoor, the malware is the latest tool from the Woodgnat hackers, also known as KongTuke. Active since May 2024, this group operates strictly as Initial Access Brokers (IABs). Instead of deploying ransomware themselves, they compromise schools, insurance firms, and IT services, then sell the entry points to notorious ransomware networks like Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

The CrashFix and Teams Phishing Tactics

Woodgnat relies heavily on social engineering to bypass perimeter defenses. In early 2026, the group launched a campaign dubbed CrashFix, which hijacks legitimate WordPress sites to intentionally freeze a visitor's browser. A fake technical alert then prompts the victim to copy and paste a malicious command to resolve the issue.

This tactic builds on their previous 2025 campaigns, known as ClickFix and FileFix. More recently, the hackers have escalated to direct messaging employees on Microsoft Teams. Posing as the company's internal IT helpdesk, they trick staff into executing malicious commands under the guise of routine technical support.

How Backdoor.Mistic Evades Detection

Once a user executes the command, a multi-stage PowerShell chain downloads Backdoor.Mistic. The malware uses DLL sideloading, in which a trusted, signed Windows executable is made to load the malicious library, so the payload runs inside a process that security software already trusts. Because it runs entirely in memory and never writes its components to disk, it easily evades traditional file-based antivirus scans.

The attackers then use built-in Windows tools to map out the network and transfer data out. The primary executables abused include:

  • Net.exe
  • Reg.exe
  • Curl

The malware also features a built-in kill switch, allowing it to instantly delete itself if detection is imminent. Roman Sannikov, Global Research Coordinator at iCOUNTER, noted that the emergence of Mistic highlights the continued industrialization of the cybercrime ecosystem. He explained that initial access brokers have become critical suppliers, specializing in finding, validating, and monetizing access.

The access infrastructure is upstream of the incident, and visibility into how brokers like this operate, their routing, their reuse patterns, their handoff mechanisms, is what allows defenders to detect and disrupt before the ransomware operator ever enters the environment.

- Josh Picolet, VP of Detection & Analysis, Team Cymru

Defending Against Initial Access Brokers

Because Woodgnat relies on tricking employees rather than exploiting zero-day vulnerabilities, organizations must adapt their defensive posture. Security teams should implement the following measures:

  • Restrict PowerShell Execution: Limit the ability of standard users to run unauthorized PowerShell scripts.
  • Monitor Teams Communications: Train employees to verify unexpected IT support requests on Microsoft Teams through a secondary internal channel.
  • Block Malicious Sideloading: Implement endpoint detection and response (EDR) solutions that monitor for abnormal behavior from trusted Windows processes.
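One way to hunt for the behaviour described above in process-creation telemetry, as an added example that is not part of this article or of Zscaler's report: it folds nested PowerShell processes into one chain and flags any chain that spawns at least two of the built-in tools named here. The event field names, the sample events and the two-tool threshold are assumptions.

```python
# Added example (not from the article or the Zscaler report): flag a
# PowerShell chain that spawns net.exe, reg.exe or curl.exe, the pattern the
# article attributes to Backdoor.Mistic. Field names are assumptions.
from collections import defaultdict

# Constructed sample events in a Sysmon Event ID 1 style, not real telemetry.
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "parent_image": "userinit.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": "powershell.exe", "parent_image": "explorer.exe"},
    {"host": "ws01", "pid": 210, "ppid": 200, "image": "powershell.exe", "parent_image": "powershell.exe"},
    {"host": "ws01", "pid": 220, "ppid": 210, "image": "net.exe",        "parent_image": "powershell.exe"},
    {"host": "ws01", "pid": 230, "ppid": 210, "image": "reg.exe",        "parent_image": "powershell.exe"},
    {"host": "ws01", "pid": 240, "ppid": 210, "image": "curl.exe",       "parent_image": "powershell.exe"},
    # benign admin session: one net.exe from cmd.exe, no PowerShell chain
    {"host": "ws02", "pid": 300, "ppid": 1,   "image": "cmd.exe",        "parent_image": "explorer.exe"},
    {"host": "ws02", "pid": 310, "ppid": 300, "image": "net.exe",        "parent_image": "cmd.exe"},
]

LOLBINS = {"net.exe", "reg.exe", "curl.exe"}      # tools named in the article
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def powershell_chain_children(events, min_tools=2):
    """Return {(host, root_pid): sorted tool names} for every PowerShell
    process tree that spawned at least `min_tools` distinct LOLBins.

    The root is the outermost PowerShell process (its parent is not
    PowerShell); nested PowerShell processes are folded into the same chain,
    so a multi-stage chain is scored as a single unit.
    """
    by_host_pid = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(set)
    for e in events:
        if e["image"].lower() not in LOLBINS:
            continue
        # Walk up through PowerShell ancestors to find the chain root.
        parent = by_host_pid.get((e["host"], e["ppid"]))
        root = None
        while parent is not None and parent["image"].lower() in POWERSHELL:
            root = parent
            parent = by_host_pid.get((parent["host"], parent["ppid"]))
        if root is not None:
            children[(e["host"], root["pid"])].add(e["image"].lower())
    return {k: sorted(v) for k, v in children.items() if len(v) >= min_tools}

if __name__ == "__main__":
    for (host, pid), tools in powershell_chain_children(EVENTS).items():
        print(f"{host}: PowerShell chain rooted at pid {pid} spawned {tools}")
```

The single net.exe launched from cmd.exe on ws02 is deliberately not flagged, which is the kind of noise reduction a production rule needs; tune `min_tools` to the environment.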

The Ransomware Supply Chain is Maturing

The rise of Woodgnat and Backdoor.Mistic proves that the ransomware ecosystem has fully decoupled its supply chain. Ransomware operators no longer need to be experts in phishing or network penetration; they simply buy pre-packaged access from specialized brokers. This division of labor makes attacks faster, more scalable, and significantly more devastating.

For enterprise defenders, this shifts the battleground entirely. If security teams are only looking for the final ransomware payload, they have already lost. The focus must pivot to detecting the subtle, fileless reconnaissance tools and social engineering tactics used by brokers. Disrupting the broker effectively starves the ransomware gangs of their targets before the encryption phase even begins.
