Woodgnat Mistic Backdoor, JINX-0164 Crypto Supply Chain, Kimsuky KimJongRAT: OTX Pulse Analysis

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated threats targeting enterprise infrastructure through diverse vectors. The data highlights three distinct campaigns active as of late June 2026:

Woodgnat Campaign: An Initial Access Broker (IAB) deploying the stealthy Mistic backdoor and ModeloRAT using sideloading techniques. This group facilitates access for major ransomware operations (Qilin, Black Basta).
JINX-0164 Campaign: A financially motivated actor targeting the cryptocurrency sector using supply chain compromises (NPM trojans), LinkedIn social engineering, and custom macOS malware (AUDIOFIX, MINIRAT).
Kimsuky Campaign: The North Korean APT group continues evolution of KimJongRAT, leveraging legitimate GitHub infrastructure and MeshAgent for espionage against Japanese targets.

Collectively, these actors demonstrate a shift towards abusing legitimate developer tools (GitHub, NPM) and recruitment platforms (LinkedIn) to establish persistent footholds.

Threat Actor / Malware Profile

Woodgnat / Mistic Backdoor

Actor Profile: Initial Access Broker with ties to multiple ransomware families (Qilin, Akira, 8Base).
Malware: Backdoor.Mistic, ModeloRAT.
Distribution: Sideloading (DLL search order hijacking), social engineering.
Behavior: Establishes stealthy C2 channels, likely used for credential theft and lateral movement before handing off to ransomware crews.

JINX-0164 / AUDIOFIX

Actor Profile: Financially motivated group active since mid-2025, focusing on high-value crypto/tech targets.
Malware: AUDIOFIX (Python Infostealer/RAT), MINIRAT (Go Backdoor).
Distribution: LinkedIn phishing (recruiter persona), compromised NPM packages, CI/CD hijacking.
Behavior: Exfiltrates system data and cryptocurrency keys; utilizes custom macOS payloads.

Kimsuky / KimJongRAT

Actor Profile: North Korean state-sponsored APT (Reaper/APT37).
Malware: KimJongRAT, MeshAgent.
Distribution: Phishing emails with shortened URLs redirecting to GitHub Releases.
Behavior: Remote access, information theft; leverages GitHub for payload hosting to bypass network filters.

IOC Analysis

The provided pulses contain 148 total indicators. Operationalization requires a tiered approach:

Network Infrastructure (Domains/Hostnames/URLs):
- Woodgnat: mail.authorized-logins.net, mueleer.com.
- JINX-0164: driver-updater.net, login.teamicrosoft.com (typosquatting).
- Kimsuky: googleoba.servequake.com, lutkdd.corpsecs.com.
- Action: Block these domains on firewalls and proxies; sinkhole specific URLs for analysis.
File Hashes (SHA256):
- Samples include 3f797a... (Mistic) and b6cab0... (AUDIOFIX).
- Action: Import into EDR quarantine lists and scan historical file logs.
IP Addresses:
- Kimsuky: 104.200.67.46.
- Action: Block inbound/outbound traffic to these IPs.

Detection Engineering

YAML

title: Suspicious DLL Sideloading Pattern - Woodgnat Mistic
description: Detects potential sideloading technique used by Woodgnat to deploy Mistic backdoor via signed binaries loading unsigned DLLs.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667b9f1c9f8c9b7d9c0e9e8f
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 7
        ImageLoaded|endswith:
            - '\mistic.dll'
            - '\modelorat.dll'
        Signed: 'false'
    condition: selection
falsepositives:
    - Legitimate software loading unsigned modules
level: high
tags:
    - attack.defense_evasion
    - attack.t1574.001
---
title: MacOS Python Network Connection - JINX-0164 AUDIOFIX
description: Detects Python processes initiating network connections on macOS, indicative of AUDIOFIX RAT usage.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667b9f1c9f8c9b7d9c0e9e8g
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        Image|endswith: '/python'
        DestinationPort:
            - 443
            - 8080
    filter_main_git:
        DestinationHostname|contains:
            - 'github.com'
            - 'pypi.org'
    condition: selection and not filter_main_git
falsepositives:
    - Legitimate developer scripting
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001
---
title: GitHub Releases Executable Download - Kimsuky Vector
description: Detects processes downloading executables or archives from GitHub Releases, a method used by Kimsuky for KimJongRAT distribution.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667b9f1c9f8c9b7d9c0e9e8h
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\powershell.exe'
            - '\curl.exe'
            - '\wget.exe'
        CommandLine|contains:
            - 'github.com'
            - 'raw.githubusercontent.com'
            - 'releases/download'
    condition: selection
falsepositives:
    - Legitimate software updates via GitHub
level: medium
tags:
    - attack.initial_access
    - attack.t1189


kql
// Hunt for JINX-0164 and Woodgnat C2 traffic
// Looks for connections to suspicious domains and non-standard process-network behavior
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    "mail.authorized-logins.net", 
    "mueleer.com", 
    "driver-updater.net", 
    "login.teamicrosoft.com",
    "googleoba.servequake.com",
    "lutkdd.corpsecs.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemotePort
| extend ThreatIntel = "OTX_Match_Woodgnat_JINX_Kimsuky"
| order by Timestamp desc


powershell
# IOC Hunt Script - Scans for Mistic, AUDIOFIX, and KimJongRAT artifacts
# Requires Admin privileges

$TargetHashes = @(
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Mistic
    "b6cab0b3aa8e56c2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", # AUDIOFIX
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", # KimJongRAT
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"  # KimJongRAT
)

Write-Host "[+] Scanning for file artifacts..." -ForegroundColor Cyan

# Scan C:\ drive for the specific hashes
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object { $TargetHashes -contains $_.Hash } | ForEach-Object {
    Write-Host "[!] MALICIOUS FILE DETECTED: $($_.Path)" -ForegroundColor Red
    Write-Host "    Hash: $($_.Hash)"
}

Write-Host "[+] Scanning for network connections to suspicious domains..." -ForegroundColor Cyan

$SuspiciousDomains = @(
    "mail.authorized-logins.net", "mueleer.com", "driver-updater.net", 
    "googleoba.servequake.com", "lutkdd.corpsecs.com"
)

Get-NetTCPConnection | Where-Object { 
    $_.State -eq "Established" -and 
    ($SuspiciousDomains -contains (Resolve-DnsName -Name $_.RemoteAddress -ErrorAction SilentlyContinue | Select-Object -ExpandProperty NameHost)) 
} | ForEach-Object {
    Write-Host "[!] SUSPICIOUS CONNECTION: RemoteAddress $($_.RemoteAddress) on Port $($_.RemotePort)" -ForegroundColor Yellow
}

Write-Host "[+] Hunt complete."

Response Priorities

Immediate:
- Block all listed IOCs (Domains, IPs, Hashes) at the perimeter and endpoint level.
- Isolate any endpoints matching the specific file hashes provided in the pulses.
- Hunt for mail.authorized-logins.net and driver-updater.net DNS queries in SIEM logs to identify potential victims.
24 Hours:
- Identity Verification: Given the social engineering and credential-stealing nature (AUDIOFIX, Mistic), force password resets and enable MFA for users in targeted industries (Insurance, Crypto, Tech) who may have interacted with suspicious LinkedIn messages or emails.
- Review GitHub integration logs for unauthorized access or repository forks related to the Kimsuky campaign.
1 Week:
- Supply Chain Hardening: Audit NPM packages and CI/CD pipelines for cryptocurrency and development teams to detect JINX-0164 supply chain injection.
- Application Control: Implement strict signing policies to prevent the sideloading techniques used by the Woodgnat group.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub