
Mistic Backdoor & GhostShell UAV Attacks: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 24, 2026

Recent OTX pulse data reveals a concerning convergence of sophisticated threat activities targeting multiple sectors globally. Three distinct campaigns have been identified, each employing advanced techniques tailored to their specific objectives:

  1. Woodgnat Campaign: An initial access broker has deployed a stealthy backdoor called "Mistic" since April 2026, primarily targeting insurance, education, and technology sectors. Woodgnat has established connections to multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The campaign utilizes sideloading techniques to deliver the Mistic backdoor, often in conjunction with ModeloRAT, a tool developed by Woodgnat.

  2. Middle East Infrastructure Surge: Between February and May 2026, a massive infrastructure campaign deployed over 1,350 active command-and-control servers across 98 providers in 14 Middle Eastern countries. This activity involves multiple state-aligned actors including Eagle Werewolf, ENERGETIC BEAR, Velvet Tempest, APT28, and GrayCharlie. Notably, Saudi Arabia's STC hosted 981 C2 servers (72.4% of regional infrastructure), making it the largest concentration of malicious infrastructure globally.

  3. GhostShell UAV Supply Chain Attacks: A newly identified threat group designated as GhostShell has been conducting targeted cyber operations against Ukraine's unmanned aerial vehicle supply chain since February 2026. The attackers employ malicious archives containing decoy documents impersonating Besomar, a Ukrainian manufacturer of high-precision interceptor drones, to compromise defense and procurement networks.

These campaigns collectively demonstrate how threat actors are adapting their techniques to specific targets, with supply chain attacks, credential harvesting, and C2 infrastructure expansion forming the core of their operations.

Threat Actor / Malware Profile

Woodgnat & Mistic Backdoor

Distribution Method: Woodgnat employs sophisticated social engineering campaigns combined with sideloading techniques to deliver the Mistic backdoor. The distribution often involves phishing emails with malicious attachments or links to compromised domains.

Payload Behavior: Mistic functions as a stealthy backdoor that establishes persistence on infected systems and maintains C2 communications with attacker-controlled infrastructure. It is frequently deployed alongside ModeloRAT, which provides additional remote access capabilities.

C2 Communication: The backdoor communicates with multiple C2 domains including mail.authorized-logins.net, mueleer.com, grande-luna.top, oeannon.com, thomphon.com, human-check.top, and update.update-fall.com.

Persistence Mechanism: Mistic utilizes sideloading techniques to maintain persistence, often masquerading as legitimate system components to evade detection.

Anti-Analysis Techniques: The backdoor employs multiple evasion techniques including anti-debugging measures and obfuscation to complicate analysis and detection.

GhostShell & Vidar

Distribution Method: GhostShell distributes malware through malicious archive files containing decoy documents impersonating legitimate UAV manufacturer Besomar. These archives are likely delivered via spearphishing campaigns targeting defense and procurement networks.

Payload Behavior: The Vidar malware used by GhostShell functions as an information stealer, capable of harvesting credentials, system information, and other sensitive data from compromised systems.

C2 Communication: Vidar establishes communication with attacker-controlled infrastructure to exfiltrate stolen data and receive additional commands.

Persistence Mechanism: Vidar maintains persistence through various mechanisms, likely including scheduled tasks and registry modifications.

Anti-Analysis Techniques: Vidar employs code obfuscation and potential anti-VM techniques to evade analysis environments.

Related Malware Families

The pulses reference additional malware families including:

  • ModeloRAT: A remote access tool developed by Woodgnat, frequently deployed alongside Mistic
  • GateKeeper: Malicious software used by Woodgnat in their operations
  • NexShield: A tool used by Woodgnat, possibly for evasion or persistence
  • MintsLoader: A loader malware used by Woodgnat to deploy additional payloads
  • D3F@ck Loader: Another loader component in Woodgnat's toolkit
  • Vidar: Information stealer used by GhostShell in their UAV supply chain attacks

IOC Analysis

The provided IOCs offer valuable detection opportunities across multiple data domains:

Hostnames/Domains: Multiple C2 domains associated with Mistic backdoor operations provide network-level detection opportunities. These should be added to DNS blocklists and monitored for DNS resolution attempts.

File Hashes: Both SHA256 and MD5 hashes of malicious files are provided for both Mistic and Vidar malware families. These can be integrated into endpoint detection systems and file scanning solutions.
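OTX pulses mix SHA256, SHA1 and MD5 values in one list, as the hashes in this post do. The following is an added example, not code from the original post or the Security Arsenal script: it sorts such a list by algorithm from the hex length, then checks file contents against it, hashing each file only with the algorithms the list actually needs. The three IoC values are taken from the hunt script in this post; the sample "files" and the extra SHA256 that produces a hit are constructed.

```python
# Added example (not from the original post): normalise a mixed OTX hash list
# (SHA256 / SHA1 / MD5 told apart by hex length), then check file contents
# against it, computing only the digest algorithms the list needs.
import hashlib

# One IoC of each algorithm, copied from the hunt script in this post.
OTX_HASHES = [
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",  # Mistic SHA256
    "16a59e1fece21ca5394a8ec9ea596fec",                                  # Vidar MD5
    "4b5f407f5966f49f8c1005a94a822c83b20fa325",                          # Vidar SHA1
]

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_hashes(hashes):
    """Group IoC hashes by algorithm; reject values that are not hex of a known length."""
    by_algo = {}
    for h in hashes:
        h = h.strip().lower()
        algo = HEX_LEN_TO_ALGO.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a recognised MD5/SHA1/SHA256 hex digest: {h!r}")
        by_algo.setdefault(algo, set()).add(h)
    return by_algo

def match_files(files, by_algo):
    """files: {name: bytes}. Returns [(name, algo, digest)] for every IoC hit."""
    hits = []
    for name, data in files.items():
        for algo, wanted in by_algo.items():
            digest = hashlib.new(algo, data).hexdigest()
            if digest in wanted:
                hits.append((name, algo, digest))
    return hits

# Constructed sample "files" (byte strings), not real malware.
CONSTRUCTED_SAMPLES = {
    "readme.txt": b"quarterly insurance renewal notes\n",
    "dropper.bin": b"\x4d\x5a\x90\x00constructed-sample-not-real-malware",
}
# Constructed IoC: the SHA256 of dropper.bin, appended so the example produces a hit.
CONSTRUCTED_HIT = hashlib.sha256(CONSTRUCTED_SAMPLES["dropper.bin"]).hexdigest()

def run_demo():
    by_algo = classify_hashes(OTX_HASHES + [CONSTRUCTED_HIT])
    return match_files(CONSTRUCTED_SAMPLES, by_algo)

if __name__ == "__main__":
    for name, algo, digest in run_demo():
        print(f"IoC hit: {name} ({algo}) {digest}")
```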

CVE Reference: CVE-2025-11953 is mentioned in the Middle East infrastructure pulse, indicating a potential vulnerability exploited in those campaigns. Patch management systems should prioritize remediation of this vulnerability.

Operationalization: SOC teams should implement these IOCs through:

  • SIEM correlation rules for DNS queries to known malicious domains
  • EDR endpoint telemetry for file hash matches
  • Firewall rules blocking outbound connections to C2 infrastructure
  • Threat hunting procedures to scan historical data for previously undetected activity
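The DNS correlation step above, as an added example that is not part of the original post: the match is made at label boundaries, so subdomains of a listed apex such as mail.authorized-logins.net are caught, while look-alikes that merely contain a listed name (unauthorized-logins.net, mueleer.com.example.org) are not flagged, which a plain substring match would get wrong. The JSON field names (ts, host, query) and the sample log lines are constructed assumptions.

```python
# Added example (not from the original post): suffix-match DNS query logs against
# the Mistic C2 domain list at label boundaries, so that
#   mail.authorized-logins.net   -> hit  (subdomain of a listed apex)
#   unauthorized-logins.net      -> miss (a substring match would flag it)
#   mueleer.com.example.org      -> miss (listed name is not the registrable suffix)
import json

MISTIC_C2_DOMAINS = {
    "authorized-logins.net", "mueleer.com", "grande-luna.top", "oeannon.com",
    "thomphon.com", "human-check.top", "update-fall.com",
}

def matched_c2_domain(qname, blocklist=MISTIC_C2_DOMAINS):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    name = qname.strip().rstrip(".").lower()
    labels = name.split(".")
    # Walk up the labels: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def hunt_dns_log(lines, blocklist=MISTIC_C2_DOMAINS):
    """Parse JSON-lines DNS events; return hits as (ts, host, qname, matched_domain)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        qname = ev.get("query", "")
        matched = matched_c2_domain(qname, blocklist)
        if matched:
            hits.append((ev.get("ts"), ev.get("host"), qname.rstrip(".").lower(), matched))
    return hits

# Constructed sample DNS log (JSON lines); field names are assumed, not real telemetry.
SAMPLE_DNS_LOG = """
{"ts": "2026-06-20T09:12:03Z", "host": "WS-0142", "query": "mail.authorized-logins.net."}
{"ts": "2026-06-20T09:12:04Z", "host": "WS-0142", "query": "unauthorized-logins.net"}
{"ts": "2026-06-20T09:15:40Z", "host": "WS-0077", "query": "Update.UPDATE-FALL.com"}
{"ts": "2026-06-20T09:16:01Z", "host": "WS-0077", "query": "mueleer.com.example.org"}
{"ts": "2026-06-20T09:16:02Z", "host": "WS-0090", "query": "www.example.com"}
not-json-garbage
""".strip().splitlines()

if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_DNS_LOG):
        print("C2 DNS hit:", hit)
```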

Tooling: Analysis of these indicators can be enhanced using:

  • VirusTotal for malware analysis
  • Hybrid Analysis for dynamic malware behavior
  • ANY.RUN for interactive sandboxing
  • ThreatConnect for IOC management
  • MISP for threat intelligence sharing

Detection Engineering

Sigma Rules

YAML
---
title: Potential Mistic Backdoor Activity via DNS
id: a8f7e3c2-1a9d-4b8e-9c3d-5e7f8a1b2c3d
description: Detects DNS queries for known Mistic backdoor C2 domains or any of their subdomains (e.g. mail.authorized-logins.net, update.update-fall.com)
author: Security Arsenal
date: 2026-06-24
references:
  - https://otx.alienvault.com/pulse/6677a5c3e0f990670d4e05e0
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: dns
detection:
  # Exact match on the listed apex domains
  selection_apex:
    query:
      - 'authorized-logins.net'
      - 'mueleer.com'
      - 'grande-luna.top'
      - 'oeannon.com'
      - 'thomphon.com'
      - 'human-check.top'
      - 'update-fall.com'
  # Any subdomain of a listed apex; the leading dot stops look-alikes such as
  # unauthorized-logins.net from matching, which a plain 'contains' would allow
  selection_subdomain:
    query|endswith:
      - '.authorized-logins.net'
      - '.mueleer.com'
      - '.grande-luna.top'
      - '.oeannon.com'
      - '.thomphon.com'
      - '.human-check.top'
      - '.update-fall.com'
  condition: 1 of selection_*
falsepositives:
  - Legitimate domain access (unlikely for these specific domains)
level: high
---
title: Suspicious Archive Execution with Besomar References
id: b9f8e4d3-2b0e-5c9f-0d4e-6f8a9b2c3d4e
description: Detects archive utilities launched with command lines referencing the Besomar/UAV decoy theme used in GhostShell supply chain lures
author: Security Arsenal
date: 2026-06-24
references:
  - https://otx.alienvault.com/pulse/6677a5c3e0f990670d4e05e0
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\winrar.exe'
      - '\7z.exe'
      - '\winzip.exe'
    CommandLine|contains:
      - 'Besomar'
      - 'drone'
      - 'interceptor'
      - 'UAV'
  condition: selection
falsepositives:
  - Legitimate archive handling with similar content (expect noise in organizations that work with UAV material)
level: high
---
title: Potential Sideloading Execution Pattern
id: c0a9f5e4-3c1f-6d0g-1e5f-7a9b0c3d4e5f
description: Detects rundll32/regsvr32/svchost invocations referencing the DLL names associated with the sideloading technique used by Woodgnat for Mistic deployment
author: Security Arsenal
date: 2026-06-24
references:
  - https://otx.alienvault.com/pulse/6677a5c3e0f990670d4e05e0
tags:
  - attack.defense_evasion
  - attack.t1574.002
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\svchost.exe'
    # Only the specific DLL names: a bare '.dll' entry would match every
    # rundll32/regsvr32 invocation and swamp the rule with noise
    CommandLine|contains:
      - 'control.dll'
      - 'windowscodecs.dll'
  condition: selection
falsepositives:
  - Legitimate DLL loading by system processes
level: medium

KQL Hunt Queries

KQL — Microsoft Sentinel / Defender
// Hunt for Mistic backdoor C2 communications (last 30 days)
// has_any matches whole terms, so "authorized-logins.net" does not match unauthorized-logins.net
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (
    "authorized-logins.net", "mueleer.com", "grande-luna.top",
    "oeannon.com", "thomphon.com", "human-check.top", "update-fall.com"
)
// RemoteUrl may be a bare FQDN or a full URL; strip any scheme, port and path
| extend Domain = tolower(extract(@"^(?:\w+://)?([^/:]+)", 1, RemoteUrl))
| summarize Connections = count(),
    Processes = make_set(InitiatingProcessFileName),
    Accounts = make_set(InitiatingProcessAccountName),
    RemoteIPs = make_set(RemoteIP)
    by Domain, DeviceName, bin(Timestamp, 1d)
| order by Connections desc

// Hunt for suspicious archive executions with Besomar references
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("winrar.exe", "7z.exe", "winzip.exe")
| where ProcessCommandLine has_any ("Besomar", "drone", "interceptor", "UAV")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

// Hunt for potential sideloading activity: the DLL names already imply ".dll",
// so no separate contains ".dll" filter is needed; FolderPath shows where the host binary ran from
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "svchost.exe")
| where ProcessCommandLine has_any ("control.dll", "windowscodecs.dll")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessFolderPath

PowerShell IOC Hunt Script

PowerShell
#Requires -RunAsAdministrator
# Script to hunt for Mistic Backdoor and Vidar malware indicators
# Requires administrative privileges (process module enumeration, full-disk hashing)

Write-Host "Starting hunt for Mistic Backdoor and Vidar malware indicators..." -ForegroundColor Cyan

# Known Mistic C2 domains (apex names; subdomains such as mail.authorized-logins.net
# and update.update-fall.com are caught by the suffix check below)
$misticDomains = @(
    "authorized-logins.net",
    "mueleer.com",
    "grande-luna.top",
    "oeannon.com",
    "thomphon.com",
    "human-check.top",
    "update-fall.com"
)

# Check DNS cache for Mistic C2 domains: exact apex or any subdomain of it.
# An exact -contains check would miss the subdomain hostnames seen in the campaign.
Write-Host "Checking DNS cache for Mistic backdoor C2 domains..." -ForegroundColor Yellow
$dnsResults = Get-DnsClientCache | Where-Object {
    $entry = $_.Entry.TrimEnd('.').ToLower()
    $hit = $false
    foreach ($domain in $misticDomains) {
        if ($entry -eq $domain -or $entry.EndsWith(".$domain")) { $hit = $true }
    }
    $hit
}

if ($dnsResults) {
    Write-Host "Found DNS cache entries for Mistic C2 domains:" -ForegroundColor Red
    $dnsResults | Format-Table Entry, Data, RecordType, Status
} else {
    Write-Host "No DNS cache entries found for Mistic C2 domains." -ForegroundColor Green
}

# Check common sideloading host processes for control.dll / windowscodecs.dll
# loaded from anywhere other than the System32 / SysWOW64 directories
Write-Host "Checking for suspicious process behavior..." -ForegroundColor Yellow
$systemRoot = [regex]::Escape($env:SystemRoot)
$suspiciousProcesses = Get-Process | Where-Object {
    $_.ProcessName -in @("rundll32", "regsvr32", "svchost")
} | ForEach-Object {
    $process = $_
    try {
        foreach ($module in $process.Modules) {
            if ($module.FileName -match "\\(control|windowscodecs)\.dll$" -and
                $module.FileName -notmatch "^$systemRoot\\(System32|SysWOW64)\\") {
                [PSCustomObject]@{
                    ProcessName = $process.ProcessName
                    ProcessId   = $process.Id
                    Module      = $module.FileName
                    BaseAddress = $module.BaseAddress
                }
            }
        }
    } catch {
        # Ignore access denied errors (protected processes)
    }
}

if ($suspiciousProcesses) {
    Write-Host "Found suspicious process behavior:" -ForegroundColor Red
    $suspiciousProcesses | Format-Table ProcessName, ProcessId, Module, BaseAddress
} else {
    Write-Host "No suspicious process behavior detected." -ForegroundColor Green
}

# Check for files matching known malware hashes. The hashes are grouped by algorithm
# so the filesystem is walked once and each file is hashed once per algorithm,
# instead of one full-disk sweep per indicator.
Write-Host "Checking for files matching known malware hashes..." -ForegroundColor Yellow

$knownHashes = @{
    # Mistic backdoor (first entry) and Vidar (remaining entries), SHA256
    SHA256 = @(
        "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
        "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
        "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
        "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012"
    )
    # Vidar, MD5
    MD5 = @(
        "16a59e1fece21ca5394a8ec9ea596fec",
        "6da30ad8677b058fad4d3d3031a428ec",
        "d0a66dd44ee64b76de79cddab13d2745"
    )
    # Vidar, SHA1
    SHA1 = @(
        "4b5f407f5966f49f8c1005a94a822c83b20fa325",
        "52a1b02e4fe0998069c777bec37eb394781e8fda"
    )
}

# Scope: the whole system drive, as in the original sweep; narrow $scanRoots for speed
$scanRoots = @("$env:SystemDrive\")
$knownMaliciousFiles = Get-ChildItem -Path $scanRoots -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $file = $_
        foreach ($algorithm in $knownHashes.Keys) {
            try {
                $fileHash = (Get-FileHash -Path $file.FullName -Algorithm $algorithm -ErrorAction Stop).Hash
            } catch {
                continue   # Ignore files that can't be read (locked or access denied)
            }
            # -contains compares case-insensitively, so Get-FileHash's uppercase output matches
            if ($knownHashes[$algorithm] -contains $fileHash) {
                [PSCustomObject]@{
                    FullName      = $file.FullName
                    Length        = $file.Length
                    LastWriteTime = $file.LastWriteTime
                    Algorithm     = $algorithm
                    Hash          = $fileHash
                }
            }
        }
    }

if ($knownMaliciousFiles) {
    Write-Host "Found files matching known malware hashes:" -ForegroundColor Red
    $knownMaliciousFiles | Format-Table FullName, Length, LastWriteTime, Algorithm
} else {
    Write-Host "No files matching known malware hashes detected." -ForegroundColor Green
}

# Check for scheduled tasks that launch a DLL through rundll32/regsvr32/powershell
Write-Host "Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -match "(rundll32|regsvr32|powershell)") -and
    ($_.Actions.Arguments -match "\.dll")
}

if ($suspiciousTasks) {
    Write-Host "Found suspicious scheduled tasks:" -ForegroundColor Red
    $suspiciousTasks | Format-Table TaskName, TaskPath, State,
        @{Name = "Execute";   Expression = { $_.Actions.Execute }},
        @{Name = "Arguments"; Expression = { $_.Actions.Arguments }}
} else {
    Write-Host "No suspicious scheduled tasks detected." -ForegroundColor Green
}

Write-Host "Hunt completed." -ForegroundColor Cyan

Response Priorities

Immediate Actions (0-24 hours)

  1. Block Network Indicators: Immediately add all Mistic C2 domains and identified Middle East C2 infrastructure to network blocklists across firewalls, DNS resolvers, and proxy servers.

  2. Endpoint Scans: Deploy the PowerShell IOC hunt script across endpoints to identify potential compromise indicators related to Mistic, Vidar, and associated malware families.

  3. Vulnerability Patching: Prioritize patching CVE-2025-11953 across all systems, particularly those in the energy, government, and defense sectors.

  4. Alert Tuning: Implement the provided Sigma rules and KQL queries in SIEM/EDR systems to generate alerts for potential threat activity.

  5. Sector-Specific Notifications: For organizations in targeted industries (insurance, education, technology, energy, government, defense), elevate monitoring and ensure executive awareness.

24-Hour Priorities

  1. Identity Verification: Since credential-stealing malware is involved (Vidar), implement enhanced authentication monitoring and consider forcing password resets for accounts with suspicious activity patterns.

  2. Supply Chain Assessment: For defense contractors and organizations in the UAV supply chain, review third-party access and implement additional monitoring for Besomar-themed lures.

  3. Threat Hunting Expansion: Extend hunting activities to include historical data analysis (30-90 days) to identify potential undetected activity from these campaigns.

  4. User Awareness: Launch targeted security awareness campaigns focusing on the social engineering techniques used by Woodgnat and GhostShell.

  5. Incident Response Preparation: Update incident response playbooks to include specific containment and eradication procedures for Mistic backdoor and Vidar malware.

1-Week Priorities

  1. Architecture Hardening: Implement zero-trust network segmentation to limit lateral movement capabilities, particularly for organizations in the targeted sectors.

  2. Endpoint Hardening: Deploy application control policies to restrict execution of unauthorized binaries and prevent sideloading techniques.

  3. Supply Chain Security: Establish enhanced vendor risk management protocols for defense sector organizations to address UAV supply chain vulnerabilities.

  4. Threat Intelligence Integration: Automate IOC consumption and threat intelligence sharing to ensure rapid detection of future campaigns by these actors.

  5. Tabletop Exercises: Conduct scenario-based exercises simulating responses to Mistic backdoor infections and UAV supply chain attacks to validate response capabilities.
