Back to Intelligence

Woodgnat IAB Operations & GhostShell UAV Attacks: Mistic Backdoor and Vidar Stealer Analysis

SA
Security Arsenal Team
June 25, 2026
5 min read

Threat Summary

Recent OTX pulse data reveals a convergence of high-risk cybercriminal and nation-state activity. We are tracking two distinct but equally concerning campaigns:

  1. Woodgnat Access Brokering: An aggressive Initial Access Broker (IAB) campaign leveraging the new Mistic backdoor and ModeloRAT. Woodgnat is actively facilitating access for major ransomware operations (Qilin, Black Basta, Akira) through sideloading techniques and social engineering, targeting Insurance, Education, and Technology sectors.

  2. GhostShell Supply Chain Attack: A newly identified threat actor targeting Ukraine's defense sector, specifically the UAV supply chain. Using Besomar-themed lures, GhostShell deploys the Vidar stealer via malicious archives to compromise procurement networks.

Simultaneously, intelligence from the Middle East indicates a massive scaling of C2 infrastructure (1,350+ servers) attributed to actors like APT28 and Energetic Bear, heavily hosted on Saudi infrastructure (STC), signaling an escalation in offensive capabilities.

Threat Actor / Malware Profile

Woodgnat (IAB)

  • Objectives: Establish initial persistence for sale to ransomware affiliates.
  • Malware:
    • Mistic Backdoor: A stealthy backdoor first observed in April 2026. Uses DLL sideloading to evade detection.
    • ModeloRAT: A remote access trojan developed by Woodgnat, often deployed alongside Mistic.
  • Distribution: Social engineering coupled with sideloading (DLL Search Order Hijacking).
  • Persistence: Likely via scheduled tasks or registry run keys established by the loaders (MintsLoader, D3F@ck Loader).

GhostShell

  • Objectives: Cyber espionage and disruption of defense logistics (UAV supply chain).
  • Malware:
    • Vidar: An information stealer capable of harvesting credentials, cryptocurrency wallets, and system information.
  • Distribution: Malicious archive files (ZIP/RAR) containing decoy documents impersonating "Besomar", a Ukrainian interceptor drone manufacturer.
  • Techniques: Spear-phishing with weaponized attachments.

IOC Analysis

The provided pulses offer high-fidelity indicators for immediate detection:

  • Network IOCs (Woodgnat): Domains such as mail.authorized-logins.net, grande-luna.top, and human-check.top serve as C2 infrastructure. SOC teams should block these at the perimeter and inspect DNS logs for historical queries.
  • File IOCs (GhostShell/Vidar): Multiple hashes (MD5, SHA1, SHA256) are associated with the Vidar payload and malicious droppers. These should be added to EDR allowlist blocklists and used for retro-hunting in VDI and backup storage.
  • Vulnerability (Middle East): The pulse references CVE-2025-11953. While specific details are classified in this brief, vulnerability management teams must prioritize patching for this ID immediately given its association with massive C2 deployment.

Detection Engineering

YAML
---
title: Potential Woodgnat C2 Communication
description: Detects network connections to known Woodgnat Mistic/ModeloRAT C2 domains identified in OTX Pulse.
author: Security Arsenal
status: stable
date: 2026/06/25
references:
    - https://otx.alienvault.com/pulse/667a4b3f8f62b2d6e8b0c1e2
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'authorized-logins.net'
            - 'grande-luna.top'
            - 'human-check.top'
            - 'update-fall.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Process Execution from Archive
description: Detects execution of scripts or binaries directly from archive extraction paths, indicative of GhostShell Vidar delivery.
author: Security Arsenal
status: stable
date: 2026/06/25
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WinRAR.exe'
            - '\7zFM.exe'
            - '\Bandizip.exe'
        Image|endswith:
            - '.exe'
            - '.dll'
            - '.bat'
            - '.ps1'
        CommandLine|contains:
            - 'Temp'
            - 'AppData\Local\Temp'
    condition: selection
falsepositives:
    - Legitimate software installation via archives
level: high
---
title: Potential DLL Side-loading (Mistic/ModeloRAT)
description: Detects suspicious signed binaries loading unsigned DLLs from the current directory, a technique used by Mistic backdoor.
author: Security Arsenal
status: stable
date: 2026/06/25
tags:
    - attack.defense_evasion
    - attack.t1574.001
logsource:
    category: image_load
product: windows
detection:
    selection:
        Image|endswith:
            - '.exe'
            - '.dll'
        Signed: 'true'
        ImageLoaded|endswith: '.dll'
        SignatureStatus: 'Valid'
    filter:
        ImageLoaded|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter
falsepositives:
    - Legitimate applications loading plugins from local directory
level: medium


kql
// Hunt for GhostShell Vidar File Hashes (SHA256)
DeviceFileEvents
| where SHA256 in (
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for Woodgnat C2 Domain Connections
DeviceNetworkEvents
| where RemoteUrl in (
    "mail.authorized-logins.net",
    "grande-luna.top",
    "oeannon.com",
    "thomphon.com",
    "human-check.top"
)
| project Timestamp, DeviceName, RemoteUrl, RemotePort, InitiatingProcessFileName


powershell
# PowerShell Hunt Script: GhostShell Vidar Artifact Scanner
# Checks for specific file hashes present in the OTX Pulse

$TargetHashes = @(
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012",
    "16a59e1fece21ca5394a8ec9ea596fec", # MD5
    "6da30ad8677b058fad4d3d3031a428ec", # MD5
    "d0a66dd44ee64b76de79cddab13d2745"  # MD5
)

Write-Host "[+] Scanning for GhostShell Vidar IOCs..." -ForegroundColor Cyan

# Scan User Profiles and Temp directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[?] Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $FileHashMD5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            
            if ($TargetHashes -contains $FileHash -or $TargetHashes -contains $FileHashMD5) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
                Write-Host "    Hash: $FileHash" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Scan Complete." -ForegroundColor Green

Response Priorities

Immediate (0-4 hours)

  • Block IOCs: Push the Woodgnat C2 domains (authorized-logins.net, grande-luna.top, etc.) to DNS Firewalls and Proxies.
  • Artifact Hunting: Run the PowerShell script on endpoints in high-risk sectors (Defense, Insurance) to detect GhostShell/Vidar presence.
  • Quarantine: Isolate devices returning hits on the provided SHA256 hashes.

24 Hours

  • Credential Reset: If Vidar (GhostShell campaign) is detected, force a password reset for all cached credentials on affected systems, as Vidar is a credential stealer.
  • Vulnerability Scan: Initiate scans for CVE-2025-11953 across the external attack surface, specifically targeting energy and government sectors if applicable.

1 Week

  • Architecture Review: Review email filtering rules to block attachments commonly used for malicious archives (e.g., nested ZIP files, macros).
  • Sideloading Hardening: Implement application allowlisting (AppLocker) to prevent unsigned DLLs from loading in directories writable by non-admins, mitigating the Mistic backdoor vector.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptwoodgnatmodeloratvidarghostshellmistic-backdoor

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.