KongTuke Expands Its Playbook With Mistic And ModeloRAT

The ransomware ecosystem has become increasingly specialized, and KongTuke sits at the center of that shift. Rather than conducting every stage of an attack themselves, many ransomware operators now rely on a network of affiliates, malware developers, and initial access brokers (IABs) to gain entry into victim environments.

KongTuke, also known as Woodgnat and TAG-124, is an initial access broker that has repeatedly adapted its tactics, techniques, and procedures to evade detection and maximize access opportunities. Recent research into the newly discovered Mistic backdoor and the evolution of ModeloRAT shows how this threat actor continues to refine its approach.

Security researchers at Symantec and Carbon Black recently identified a previously undocumented malware family, Mistic, a stealthy backdoor closely linked to KongTuke operations. The discovery provides fresh evidence that the group is expanding its malware arsenal beyond social engineering and commodity access techniques toward more sophisticated persistence and post-compromise capabilities.

Investigators have also observed KongTuke leveraging Microsoft Teams as a new attack vector, underscoring how collaboration platforms have become attractive targets for cybercriminals seeking initial access.

Taken together, these developments reveal a threat actor continuously refining both its intrusion methods and its malware ecosystem.

Initial access brokers occupy a critical position within the modern ransomware supply chain. Rather than deploying ransomware directly, they specialize in obtaining access to corporate networks and then selling that access to other criminal groups.

This model allows ransomware operators to focus on encryption, extortion, and monetization while outsourcing the difficult task of penetrating enterprise environments. As a result, organizations increasingly face threats from highly specialized actors whose sole purpose is to gain and maintain access.

Researchers have linked KongTuke to multiple ransomware operations, including Agenda, Interlock, Rhysida, Akira, Black Basta, and 8Base. Security analysts have observed its tooling appearing in environments that later suffered ransomware deployment, reinforcing the group's role as a key facilitator within the cybercriminal ecosystem.

The emergence of Mistic suggests that KongTuke is continuing to invest heavily in capabilities that make its access brokerage services more valuable, resilient, and strategically important.

Researchers at Security.com recently disclosed Mistic, a newly discovered backdoor that has been active since at least April 2026. Investigators found evidence linking the malware to KongTuke after observing Mistic deployed in close proximity to ModeloRAT infections during multiple intrusion investigations, reinforcing the connection between the two tools.

What makes Mistic particularly concerning is its emphasis on stealth and deception. Rather than relying on obviously malicious files or suspicious processes, the malware uses techniques designed to blend into legitimate enterprise environments.

Researchers at Zscaler observed Mistic being side-loaded: a legitimate executable, MpExtMs.exe, loads a malicious DLL, EndpointDlp.dll, from its own directory. The naming convention appears deliberately chosen to resemble legitimate Microsoft endpoint security components, potentially reducing scrutiny from administrators and security analysts.

This approach reflects a broader trend among sophisticated threat actors. Instead of attempting to evade security controls solely through obfuscation, modern malware increasingly seeks to masquerade as trusted software and security tools. By doing so, attackers can remain resident in victim environments for longer periods while reducing the likelihood of detection.

The timing of the Mistic discovery is significant because it coincides with growing evidence that ransomware affiliates are demanding more durable and reliable access from their IAB partners. That demand helps explain the investment in stealth: access that stays hidden longer creates greater opportunities for reconnaissance, credential theft, lateral movement, and eventual ransomware deployment.

The Evolution of ModeloRAT

While Mistic represents a new addition to KongTuke's toolkit, ModeloRAT remains one of the group's most important malware platforms.

ModeloRAT is a Python-based remote access trojan that enables attackers to gather system information, capture screenshots, maintain persistence, and exfiltrate sensitive files. Researchers have repeatedly observed the malware being used in intrusion campaigns associated with KongTuke operations.

Recent investigations reveal that the malware has undergone significant enhancements. Security researchers identified several improvements designed to increase resilience and survivability within compromised environments.

Key advancements include:

  • A multiserver command-and-control architecture with automatic failover capabilities.
  • Multiple independent access channels, including RAT functionality, reverse shells, and TCP backdoors.
  • Expanded persistence mechanisms using registry run keys, startup shortcuts, VBScript launchers, and scheduled tasks.

These enhancements demonstrate that ModeloRAT has evolved from a straightforward remote access tool into a robust platform capable of maintaining access even when defenders successfully disrupt portions of the attack infrastructure.

Particularly concerning is the discovery that some persistence mechanisms survive even after the malware's self-removal functions execute. This means organizations may believe they have successfully remediated an infection while hidden access pathways remain active.
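The point above is that each persistence location has to be audited on its own, because removing one entry (or the malware removing itself) does not clear the others. The following is an added example, not code from the article or from any of the research cited in it: it scores a constructed inventory of Run keys, Startup shortcuts, and scheduled tasks against indicators drawn from the mechanisms listed (script hosts, VBScript or Python launchers, user-writable paths). All paths, task names and entries are constructed for the example.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    location: str   # persistence location the entry was collected from
    name: str       # value name, shortcut name, or task path
    command: str    # resolved command line / shortcut target

# Indicators drawn from the persistence mechanisms listed in the article:
# script hosts that run VBScript launchers or a Python-based RAT, script file
# extensions, and user-writable directories typical of dropped payloads.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|pythonw?|powershell|mshta)(\.exe)?\b", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|pyw?|ps1|hta|lnk)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

def indicators(command):
    """Return the list of indicator names that match a command line."""
    hits = []
    if SCRIPT_HOST.search(command):
        hits.append("script-host")
    if SCRIPT_FILE.search(command):
        hits.append("script-file")
    if USER_WRITABLE.search(command):
        hits.append("user-writable-path")
    return hits

def audit(entries, min_hits=2):
    """Group suspicious entries by location. Every entry is assessed on its
    own, so a leftover scheduled task is still reported after the Run key
    that pointed at the same payload has already been removed. Requiring
    two indicators keeps legitimate AppData-resident software out."""
    report = {}
    for e in entries:
        hits = indicators(e.command)
        if len(hits) >= min_hits:
            report.setdefault(e.location, []).append((e.name, hits))
    return report

# Constructed sample inventory (not real IoCs): one benign entry per location
# plus entries modelled on a Run key -> VBScript launcher -> Python RAT chain.
SAMPLE = [
    Entry("run_key", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Entry("run_key", "SysUpdate", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Sys\launch.vbs"'),
    Entry("startup_folder", "Diag.lnk", r'C:\Users\alice\AppData\Roaming\Sys\pythonw.exe main.pyw'),
    Entry("scheduled_task", r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o"),
    Entry("scheduled_task", r"\SysUpdateTask", r'C:\Users\alice\AppData\Roaming\Sys\pythonw.exe "C:\Users\alice\AppData\Roaming\Sys\main.pyw"'),
]

if __name__ == "__main__":
    for location, items in audit(SAMPLE).items():
        for name, hits in items:
            print(f"{location}: {name} -> {', '.join(hits)}")
```

On a live host the inventory would be collected from HKCU/HKLM Run keys, the per-user and all-users Startup folders, and the scheduled task store before being fed to `audit`.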

Perhaps the most notable shift in KongTuke's operations is its growing use of Microsoft Teams as an initial access vector, building on the group's broader move toward more durable access methods.

According to researchers, the group has begun targeting employees via external Teams messages, impersonating IT support personnel. Victims receive messages that appear to come from legitimate internal support staff, instructing them to execute PowerShell commands under the guise of troubleshooting or diagnostics. In reality, these commands download and deploy ModeloRAT.

Investigators reported that attackers were able to move from initial contact to persistent access in less than five minutes in some observed incidents. The speed of compromise highlights the effectiveness of leveraging trusted collaboration platforms.

The attackers also employ Unicode whitespace manipulation techniques to make display names appear more legitimate, further increasing the likelihood that employees will trust the messages. Researchers observed the threat actor rotating across multiple Microsoft 365 tenants to avoid detection and blocking.
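As an added example (not code from the article or the cited researchers), the check below flags the two signals described above: blank-looking non-ASCII characters in a Teams display name, and an external-tenant sender whose normalized name claims an IT support role. The role keywords and the zero-width character set are assumptions for the example; the sample names are constructed.

```python
import unicodedata

# Format characters that render as nothing; constructed set for this example.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u180e"}
# Role names an impersonator would claim; assumed list, tune per organization.
IMPERSONATED_ROLES = ("it support", "helpdesk", "help desk", "service desk")

def suspicious_whitespace(name):
    """Return (codepoint, index) for every non-ASCII separator or zero-width
    character, i.e. anything that looks like a space but is not U+0020."""
    findings = []
    for i, ch in enumerate(name):
        if ch == " ":
            continue
        if unicodedata.category(ch) in ("Zs", "Zl", "Zp") or ch in ZERO_WIDTH:
            findings.append((f"U+{ord(ch):04X}", i))
    return findings

def normalized_display(name):
    """Drop zero-width characters and collapse all Unicode whitespace to
    single ASCII spaces so the name can be compared with directory data."""
    stripped = "".join(ch for ch in name if ch not in ZERO_WIDTH)
    return " ".join(stripped.split())

def assess_sender(display_name, tenant_is_external):
    """Return the reasons a message sender deserves a warning banner or a
    review, in a fixed order so results are easy to compare."""
    reasons = []
    if suspicious_whitespace(display_name):
        reasons.append("non-ascii-whitespace")
    norm = normalized_display(display_name).lower()
    if tenant_is_external and any(role in norm for role in IMPERSONATED_ROLES):
        reasons.append("external-sender-claims-it-role")
    return reasons

if __name__ == "__main__":
    # Constructed sample senders: the second pads its name with an
    # en space and a zero-width space to mimic an internal account.
    for name, external in [("IT Support", False), ("IT\u2003Support\u200b", True), ("Alice Smith", True)]:
        print(repr(name), "->", assess_sender(name, external) or "ok")
```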

This evolution reflects a broader trend across the threat landscape. Security researchers and Microsoft have both reported an increase in the abuse of collaboration platforms for helpdesk impersonation attacks. Because employees expect legitimate communication through tools such as Teams, attackers can bypass many of the skepticism triggers traditionally associated with phishing emails.

The relationship between Mistic and ModeloRAT reveals a clear strategic shift in KongTuke's operations.

Historically, many malware campaigns relied on a single implant to establish and maintain control. Modern operators increasingly deploy multiple tools that provide overlapping capabilities. If defenders discover and remove one implant, another can continue operating.

This appears to be the model KongTuke is pursuing. Mistic provides stealth and long-term persistence. ModeloRAT delivers reconnaissance, data theft, and remote access functionality. Together, they form a layered intrusion architecture that strengthens operational resilience and raises remediation costs for victim organizations.

A similar pattern can be seen elsewhere in the ransomware ecosystem. Researchers continue to observe ransomware-related threat actors deploying increasingly sophisticated backdoors that support modular functionality, encrypted communications, and flexible command execution. The trend suggests that ransomware affiliates and their supporting access brokers are investing in malware frameworks that survive longer, adapt more quickly, and offer greater operational flexibility.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

PCrisk security portal is brought by a company RCS LT.
