Back to Intelligence

Woodgnat Access Broker & GhostShell Supply Chain: Mistic Backdoor, Vidar Stealer, and Middle East C2 Infrastructure

SA
Security Arsenal Team
June 24, 2026
6 min read

Threat Summary

Recent OTX Pulse data reveals a surge in distinct threat activities spanning financial espionage and geopolitical sabotage. We are tracking the Woodgnat threat actor, an initial access broker (IAB) actively deploying the new Mistic backdoor and ModeloRAT since April 2026. Woodgnat is facilitating access for major ransomware operations (Qilin, Black Basta, Akira) through sophisticated sideloading techniques.

Simultaneously, a new threat cluster designated GhostShell is targeting Ukraine's defense sector, specifically the Unmanned Aerial Vehicle (UAV) supply chain. GhostShell utilizes weaponized archives impersonating the manufacturer "Besomar" to deploy the Vidar stealer.

In a separate development, threat intelligence has mapped over 1,350 active C2 servers across the Middle East (primarily hosted on STC infrastructure), utilized by actors like APT28 and Energetic Bear to deploy malware ranging from Sliver and Cobalt Strike to IoT botnets like Mirai and Hajime.

Threat Actor / Malware Profile

Woodgnat (IAB)

  • Objective: Initial access brokering for ransomware affiliates.
  • Malware: Backdoor.Mistic, ModeloRAT, MintsLoader, D3F@ck Loader.
  • Distribution: Social engineering coupled with DLL sideloading to bypass security controls.
  • Persistence: Uses sideloading to execute malicious code under the guise of legitimate signed applications.
  • Targeting: Insurance, Education, and Technology sectors.

GhostShell

  • Objective: Espionage and disruption of defense logistics.
  • Malware: Vidar (Information Stealer).
  • Distribution: Malicious archives (ZIP/RAR) containing decoy documents related to "Besomar" interceptor drones.
  • Technique: Supply chain compromise; relies on user curiosity regarding defense procurement documents to drop the Vidar payload.

IOC Analysis

The provided IOCs cover a broad spectrum of the attack kill-chain:

  • Domains & Hostnames (Woodgnat): Indicators such as mail.authorized-logins.net and update.update-fall.com likely serve as C2 rendezvous points or phishing delivery infrastructure. SOC teams should block these at the perimeter and DNS layers.
  • File Hashes (GhostShell/Woodgnat): Multiple SHA256, MD5, and SHA1 hashes correspond to the malicious payloads (Vidar droppers, Mistic backdoors). These should be loaded into EDR correlation engines for immediate alerting on execution.
  • CVE (Middle East Infrastructure): CVE-2025-11953 is highlighted in the context of the Middle East C2 infrastructure, suggesting a potential vulnerability used for initial access or propagation within the compromised network environments.

Operational Guidance:

  • Tooling: Use YARA rules to scan endpoints for the file hashes. SIEM solutions should ingest the domain IOCs to detect outbound C2 traffic or DNS requests.

Detection Engineering

Detection rules are provided below to identify the specific behaviors of Woodgnat's sideloading, GhostShell's archive decoys, and the exploitation attempts associated with the observed infrastructure.

YAML
title: Potential Woodgnat Sideloading Activity - Mistic Backdoor
id: 6f3a2b1c-8d4e-4a5f-9e10-1b2c3d4e5f6g
description: Detects potential sideloading behavior used by Woodgnat to deploy Mistic backdoor via suspicious DLL loading from non-standard paths.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67891011/
tags:
    - attack.defense_evasion
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\svchost.exe'
            - '\regsvr32.exe'
        CommandLine|contains: '.dll'
    filter_legit:
        ParentImage|contains:
            - '\Windows\System32\'
            - '\Program Files\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software installations
level: high
---
title: GhostShell Supply Chain Attack - Besomar Decoy Execution
id: 7g4h5i6j-7k8l-9m0n-1o2p-3q4r5s6t7u8v
description: Detects execution of processes originating from archives containing filenames impersonating Besomar UAV documents.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/11223344/
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\mshta.exe'
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - '\Downloads\'
        CommandLine|contains:
            - 'Besomar'
            - 'Interceptor'
            - 'UAV'
            - 'Drone_Spec'
    condition: selection
falsepositives:
    - Legitimate access to defense industry documents
level: critical
---
title: Exploitation Attempt - CVE-2025-11953
id: 8w9x0y1z-2a3b-4c5d-6e7f-8g9h0i1j2k3l
description: Detects potential exploitation attempts associated with the Middle East C2 infrastructure campaign.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/55667788/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: web
    product: apache
    service: access
detection:
    selection_uri:
        UriQuery|contains:
            - '/CVE-2025-11953'
            - 'exploit'
    selection_status:
        StatusCode|startswith:
            - '200'
            - '500'
    condition: all of selection_*
falsepositives:
    - Security scans
level: high


kql
// Hunt for GhostShell Vidar Stealer Hashes and Process Activity
let MaliciousHashes = pack_array(
  "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
  "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
  "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012"
);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (MaliciousHashes)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
| union (
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  | where RemoteUrl has_any (
      "mail.authorized-logins.net", "mueleer.com", "grande-luna.top", 
      "oeannon.com", "thomphon.com", "human-check.top", "update.update-fall.com"
    )
  | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
)


powershell
# IOC Hunt Script for Woodgnat and GhostShell Activity
# Requires Admin Privileges

Write-Host "[*] Starting Hunt for Woodgnat/GhostShell IOCs..." -ForegroundColor Cyan

# 1. Check for malicious file hashes on system
$TargetHashes = @(
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be"
)

$Drives = Get-PSDrive -PSProvider FileSystem
foreach ($Drive in $Drives) {
    Write-Host "[*] Scanning drive:" $Drive.Root
    Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { !$_.PSIsContainer } | 
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TargetHashes -contains $Hash) {
            Write-Host "[!] MALICIOUS FILE FOUND:" $_.FullName -ForegroundColor Red
        }
    }
}

# 2. Check for suspicious Scheduled Tasks (Persistence Mechanism)
Write-Host "[*] Checking for suspicious scheduled tasks..."
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like "*powershell*" -or 
    $_.Actions.Execute -like "*rundll32*" 
} | Select-Object TaskName, TaskPath, Actions | Format-Table

# 3. Network Connection Check for Woodgnat Domains
$BadDomains = @(
    "mail.authorized-logins.net", "mueleer.com", "grande-luna.top",
    "oeannon.com", "thomphon.com", "human-check.top"
)

Write-Host "[*] Checking active network connections for C2 domains..."
Get-NetTCPConnection | Select-Object LocalAddress, RemoteAddress, OwningProcess | 
    ForEach-Object {
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($Process) {
            $RemoteHostName = Resolve-DnsName -Name $_.RemoteAddress -ErrorAction SilentlyContinue | Select-Object -ExpandProperty NameHost
            if ($BadDomains -contains $RemoteHostName) {
                Write-Host "[!] C2 CONNECTION DETECTED:" $Process.ProcessName "connected to" $RemoteHostName -ForegroundColor Red
            }
        }
    }

Response Priorities

  • Immediate:
    • Block all domain IOCs associated with Woodgnat at the firewall and proxy level.
    • Isolate any endpoints where the GhostShell/Vidar file hashes are detected.
  • 24 Hours:
    • Initiate credential resets for users who may have interacted with the Besomar decoy documents (Vidar stealer compromise).
    • Hunt for evidence of ModeloRAT or MintsLoader in environment logs.
  • 1 Week:
    • Patch systems against CVE-2025-11953 to mitigate the Middle East C2 infrastructure vector.
    • Review email gateway rules to block attachments resembling "Besomar" or UAV specifications.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptwoodgnatmistic-backdoorghostshellvidar-stealermiddle-east-c2

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action