The 'Woodgnat' threat actor (KongTuke) is exploiting a critical race condition in the Microsoft Defender quarantine pipeline (CVE-2026-50656) to achieve local privilege escalation (LPE) to SYSTEM on Windows 10 and 11. The attack chain begins with 'ClickFix' social engineering, followed by DLL sideloading via the legitimate MpExtMs.exe binary, which deploys the 'Mistic' backdoor (using EndpointDlp.dll) and the Python-based 'ModeloRAT' Trojan. The resulting durable, privileged access is then auctioned to high-impact ransomware groups such as Qilin, Akira, and Black Basta, posing a significant risk to the Insurance, Education, and IT services sectors.

  • Campaign Overview: Woodgnat Initial Access

    • Employs 'ClickFix' social engineering tactics, specifically utilizing fake CAPTCHAs and Microsoft Teams impersonation.
    • Operates as a sophisticated Initial Access Broker (IAB) to establish long-term footholds.
    • Targets high-value verticals including Insurance, Education, and IT/Professional Services.
  • Vulnerability Deep Dive: CVE-2026-50656

    • Identifies a critical race condition residing within the Microsoft Defender quarantine pipeline.
    • Facilitates Local Privilege Escalation (LPE) to SYSTEM-level access on both Windows 10 and 11.
    • Provides a reliable method for attackers to bypass security boundaries on fully patched operating systems.
  • Malware Analysis: Mistic & ModeloRAT

    • Deploys the 'Mistic' (MLTBackdoor) via DLL sideloading using MpExtMs.exe, version.dll, and EndpointDlp.dll.
    • Mistic capabilities include in-memory execution, C2 communication, credential theft, and file manipulation.
    • Utilizes 'ModeloRAT', a Python-based Remote Access Trojan, for secondary command and control.
  • Threat Ecosystem & Impact

    • Access brokered by Woodgnat is sold to major ransomware affiliates to maximize extortion potential.
    • Primary associated groups include Qilin, Akira, and Black Basta.
    • Secondary affiliated groups identified include Interlock, Rhysida, and 8Base.
  • Detection & Mitigation Strategies

    • Monitor for anomalous DLL loads, specifically version.dll or EndpointDlp.dll, within the MpExtMs.exe process tree.
    • Audit for suspicious post-exploitation utility usage, including curl, reg.exe, net.exe, and WMIC.
    • Implement immediate patching of Microsoft Defender components to remediate the quarantine pipeline race condition.
