New MLTBackdoor malware plants a stealthy foothold for ransomware

Researchers at Zscaler ThreatLabz have uncovered a new, heavily obfuscated backdoor they call MLTBackdoor that is likely being used by a ransomware crew to gain an initial foothold inside victim networks before launching an attack.

First spotted in May 2026, the malware spreads through a "ClickFix" lure, a now-common social-engineering trick in which a web page tells the visitor to copy, paste, and run a command to fix a supposed problem. In this case the lure sat on an automotive-themed web page. Victims who ran the command pulled down a payload that quietly installed the backdoor.

How it works

The downloaded archive contains a malicious DLL that decrypts a hidden second stage, which is the MLTBackdoor itself. To stay under the radar, the malware sideloads its DLL through a legitimate, signed Microsoft Defender executable (mpextms.exe), a technique that makes the malicious code look like trusted software. Once running, it can download and upload files and, more powerfully, load Beacon Object Files (BOFs) to add fresh capabilities on demand.

What sets MLTBackdoor apart is how hard its authors worked to defeat analysis. ThreatLabz says roughly 95 percent of its code is filler: meaningless math added through a technique called Mixed Boolean-Arithmetic, layered on top of control flow flattening that scrambles the program's logic. It also uses a domain generation algorithm (DGA), so that if its hardcoded command and control domains are taken down, it can compute fresh ones and keep talking to its operators. You can read the full technical analysis in the original ThreatLabz report.

Why it matters

A backdoor built for stealth and tied to a ransomware-related actor is an early warning sign. Establishing a quiet foothold is usually the step that precedes lateral movement and, eventually, encryption or data theft. Catching MLTBackdoor early gives defenders a chance to act before the ransomware stage.

What you should do

Train users to distrust any web page that instructs them to paste and run a command, the hallmark of ClickFix. Defenders should watch for conhost.exe spawning curl downloads into AppData Temp folders, unexpected sideloading via mpextms.exe, and the indicator below.

Indicators of compromise

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
