Microsoft Defender: RoguePlanet Zero-Day CVE-2026-50656 and Woodgnat Exploitation
The 'Woodgnat' threat actor (KongTuke) is leveraging a critical race condition in the Microsoft Defender quarantine pipeline (CVE-2026-50656) to facilitate local privilege escalation (LPE) to SYSTEM on Windows 10 and 11. The attack chain initiates with 'ClickFix' social engineering, followed by DLL sideloading via the legitimate MpExtMs.exe binary. This enables the deployment of the 'Mistic' backdoor (utilizing EndpointDlp.dll) and the 'ModeloRAT' Python-based Trojan. This sophisticated access is subsequently auctioned to high-impact ransomware groups such as Qilin, Akira, and Black Basta, presenting a significant risk to Insurance, Education, and IT service sectors through high-durability, privileged persistence.
Campaign Overview: Woodgnat Initial Access
- Employs 'ClickFix' social engineering tactics, specifically utilizing fake CAPTCHAs and Microsoft Teams impersonation.
- Operates as a sophisticated Initial Access Broker (IAB) to establish long-term footholds.
- Targets high-value verticals including Insurance, Education, and IT/Professional Services.
Vulnerability Deep Dive: CVE-2026-50656
- Identifies a critical race condition residing within the Microsoft Defender quarantine pipeline.
- Facilitates Local Privilege Escalation (LPE) to SYSTEM-level access on both Windows 10 and 11.
- Provides a reliable method for attackers to bypass security boundaries on fully patched operating systems.
Malware Analysis: Mistic & ModeloRAT
- Deploys the 'Mistic' (MLTBackdoor) via DLL sideloading using MpExtMs.exe, version.dll, and EndpointDlp.dll.
- Mistic capabilities include in-memory execution, C2 communication, credential theft, and file manipulation.
- Utilizes 'ModeloRAT', a Python-based Remote Access Trojan, for secondary command and control.
Threat Ecosystem & Impact
- Access brokered by Woodgnat is sold to major ransomware affiliates to maximize extortion potential.
- Primary associated groups include Qilin, Akira, and Black Basta.
- Secondary affiliated groups identified include Interlock, Rhysida, and 8Base.
Detection & Mitigation Strategies
- Monitor for anomalous DLL loads, specifically version.dll or EndpointDlp.dll, within the MpExtMs.exe process tree.
- Audit for suspicious post-exploitation utility usage, including curl, reg.exe, net.exe, and WMIC.
- Implement immediate patching of Microsoft Defender components to remediate the quarantine pipeline race condition.
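The two monitoring items above can be turned into a small detection pass over endpoint telemetry. The following is an added example written for this page, not code from any of the vendors cited; it runs over constructed Sysmon-style records (Event ID 7 image loads and Event ID 1 process creations) and flags (a) version.dll or EndpointDlp.dll loaded by an MpExtMs.exe process from outside an assumed trusted directory set, and (b) curl, reg.exe, net.exe or WMIC launched anywhere beneath MpExtMs.exe in the process tree. The trusted directory list, the file paths and the PIDs are assumptions for illustration and should be tuned to the real Defender install location on your hosts.

```python
import ntpath

# --- Constructed sample telemetry (not from the original page or any real host) ---
# Event ID 7 = image (DLL) load, Event ID 1 = process creation, Sysmon-like shape.
SIDELOAD_DLLS = {"version.dll", "endpointdlp.dll"}
HOST_PROCESS = "mpextms.exe"
POST_EXPLOIT_TOOLS = {"curl.exe", "reg.exe", "net.exe", "net1.exe", "wmic.exe"}
# ASSUMPTION: directories where these DLLs are expected to live; tune per build.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

EVENTS = [
    # Benign: a Defender-owned MpExtMs.exe (placeholder install path) loads the system copy.
    {"id": 7, "pid": 880, "image": r"C:\PLACEHOLDER_DEFENDER_DIR\MpExtMs.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},
    # Suspicious: a copy of MpExtMs.exe in a user-writable folder loads a version.dll beside it.
    {"id": 7, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    # Suspicious: EndpointDlp.dll loaded from ProgramData rather than a trusted directory.
    {"id": 7, "pid": 4200, "image": r"C:\ProgramData\Updater\MpExtMs.exe",
     "image_loaded": r"C:\ProgramData\Updater\EndpointDlp.dll"},
    # Process tree: explorer -> MpExtMs.exe -> cmd -> reg.exe, and MpExtMs.exe -> curl.exe
    {"id": 1, "pid": 3300, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4120, "ppid": 3300, "image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe"},
    {"id": 1, "pid": 4500, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 4510, "ppid": 4500, "image": r"C:\Windows\System32\reg.exe"},
    {"id": 1, "pid": 4520, "ppid": 4120, "image": r"C:\Windows\System32\curl.exe"},
    # Benign: reg.exe launched directly from explorer, no MpExtMs.exe ancestor.
    {"id": 1, "pid": 5000, "ppid": 3300, "image": r"C:\Windows\System32\reg.exe"},
]


def _split(path):
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def detect_sideload(events):
    """Flag version.dll / EndpointDlp.dll loads by MpExtMs.exe from untrusted directories.

    Returns a list of (pid, dll_name, full_dll_path) tuples.
    """
    alerts = []
    for e in events:
        if e["id"] != 7:
            continue
        _, host = _split(e["image"])
        dll_dir, dll = _split(e["image_loaded"])
        if host != HOST_PROCESS or dll not in SIDELOAD_DLLS:
            continue
        if dll_dir not in TRUSTED_DLL_DIRS:
            alerts.append((e["pid"], dll, e["image_loaded"]))
    return alerts


def detect_post_exploit(events, max_depth=8):
    """Flag post-exploitation utilities with MpExtMs.exe anywhere in their ancestry.

    Walks parent links among Event ID 1 records; returns (pid, tool, chain) tuples
    where chain reads child <- parent <- ... <- mpextms.exe.
    """
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in procs.values():
        _, name = _split(e["image"])
        if name not in POST_EXPLOIT_TOOLS:
            continue
        chain = [name]
        cur = procs.get(e["ppid"])
        depth = 0
        while cur is not None and depth < max_depth:
            _, pname = _split(cur["image"])
            chain.append(pname)
            if pname == HOST_PROCESS:
                alerts.append((e["pid"], name, " <- ".join(chain)))
                break
            cur = procs.get(cur["ppid"])
            depth += 1
    return alerts


if __name__ == "__main__":
    for pid, dll, path in detect_sideload(EVENTS):
        print(f"[sideload] pid={pid} {dll} loaded from {path}")
    for pid, tool, chain in detect_post_exploit(EVENTS):
        print(f"[post-exploit] pid={pid} {tool}: {chain}")
```

Both checks key on the basename of MpExtMs.exe rather than its full path, because the sideloading pattern relies on a legitimate, signed copy of the binary being relocated; the directory of the loaded DLL, not the binary, is what separates the benign load from the suspicious one. In production the trusted-directory set would be derived from the actual Defender platform paths on the fleet, and the process-tree walk would run against the EDR's own parent-child records.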
Related posts
- datawater.com — Six Microsoft Defender Zero-Days in 90 Days: BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, RoguePlanet — Three Exploited Before Patches, One Still Open Today
- SecurityWeek — Microsoft Working on Patch for ‘RoguePlanet’ Zero-Day
- SecurityWeek — New ‘Mistic’ RAT Opens Door to Several Ransomware Families
- News4Hackers — CISA Warns: Windows BlueHammer Vulnerability Exploited by Ransomware Gangs – Urgent Alert
- cybelangel.com — Microsoft Defender RoguePlanet Zero-Day: 7 Things to Know
- bleepingcomputer.com — Stealthy Mistic backdoor linked to ransomware access broker KongTuke
- gbhackers.com — ModeloRAT and Mistic Backdoor Activity Linked to Ransomware Initial Access Broker
- Cybersecurity News — Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection
- csoonline.com — Be on the lookout for Mistic, a new backdoor used by ransomware broker
- feeds.feedburner.com — New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
- helpnetsecurity.com — Stealthy new backdoor surfaces in attacks on multiple sectors
- bleepingcomputer.com — CISA: Windows BlueHammer flaw now exploited by ransomware gangs
- securityweek.com — BlueHammer Vulnerability Exploited in Ransomware Attacks