A new self-destructing backdoor called Mistic used in intrusions since April appears to be linked to a criminal gang that compromises corporate networks and then sells that access to ransomware groups, according to security researchers.
This backdoor, also tracked as MLTBackdoor, was first documented by Zscaler earlier this month, with the security shop suggesting the novel malware is “likely used in ransomware attacks to establish a foothold for lateral movement.”
Read more…
Source:
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- GhostContainer backdoor: Malware compromising Exchange servers of high-value organizations in Asia
July 17, 2025
In a recent incident response (IR) case, Kaspersky researchers discovered highly customized malware targeting Exchange infrastructure within government environments. Analysis of detection logs and clues within the sample suggests that the Exchange server was likely compromised via a known N-day vulnerability. Kaspersky in-depth analysis of the malware revealed a sophisticated, multi-functional backdoor that can be dynamically ...
- Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
July 16, 2025
Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access ...
- Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting
July 16, 2025
Analyst note: Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed for long enough to receive a numerical TA designation. China-aligned threat actors have routinely targeted the semiconductor industry for many years. This activity likely aligns with China’s internal strategic economic priorities, which have increasingly emphasized ...
- Global operation targets NoName057(16) pro-Russian cybercrime network
July 16, 2025
Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol and Eurojust, targeted the cybercrime network NoName057(16). Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian ...
- Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
July 16, 2025
Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint analysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities with ACR Stealer. Further investigation revealed that ACR Stealer was significantly updated and rebranded as Amatera Stealer. While Amatera Stealer retains the core of its predecessor, ...
- US Army soldier pleads guilty to hacking telcos and extortion
July 15, 2025
Former U.S. Army soldier Cameron John Wagenius pleaded guilty to hacking telecommunication companies and attempting to extort them by threatening to release stolen files, the Department of Justice announced on Tuesday. According to the DOJ, Wagenius, who went online with the nickname “kiberphant0m,” conspired to defraud 10 victim companies by stealing their login credentials, using brute ...