MLTBackdoor: ClickFix to Ransomware Foothold

HiveForce Labs · Threat Advisory · Attack Report · TA2026163


A newly identified post-exploitation backdoor, MLTBackdoor, is being deployed by a likely ransomware-linked threat actor via a multi-stage ClickFix social engineering chain. The malware sideloads through a legitimate Microsoft Defender binary, uses RC4-encrypted payloads, a date-based Domain Generation Algorithm for resilient C2 communications, and a built-in Beacon Object File (BOF) loader for fileless in-memory post-exploitation — targeting Windows systems globally.

Threat Level: Amber
TA Number: TA2026163
Published: June 11, 2026
First Seen: 2026
Malware Family: MLTBackdoor
Attack Type: ClickFix · DLL Sideload · BOF
Target Platform: Windows
Target Regions: Worldwide
C2 Protocol: TLS / Port 443
Encryption: RC4 · AES-256-GCM
Admiralty Code: A1

Summary

MLTBackdoor is a sophisticated post-exploitation malware family first identified in 2026, believed to be operated by a ransomware-linked threat actor targeting Windows systems on a global scale. The malware is notable for its multi-stage ClickFix infection chain, heavy anti-analysis capabilities, and a built-in Beacon Object File (BOF) loader that enables fileless, in-memory execution of additional post-exploitation modules — a hallmark of ransomware pre-staging operations.

The MLTBackdoor infection chain begins with a social engineering lure hosted on an automotive-themed website. Victims are deceived into manually copying and pasting malicious commands, which triggers a headless conhost.exe process. This process downloads a compressed archive from a domain generated by a daily Domain Generation Algorithm (DGA), decrypts an RC4-encrypted payload (data.bin), and sideloads the backdoor through the legitimate, signed Microsoft Defender executable mpextms.exe — a sophisticated DLL sideloading technique designed to evade detection.

Once active, MLTBackdoor communicates with its command-and-control (C2) server over TLS on port 443, disguising traffic as legitimate Microsoft telemetry using the Microsoft-DeliveryOptimization/10.1 User-Agent. It employs ECDH key exchange and AES-256-GCM encryption, with a date-based DGA generating fresh C2 domains daily to maintain resilient infrastructure. The malware's BOF loader capability allows ransomware-linked operators to deploy custom modules directly in memory, leaving minimal forensic artifacts on disk.


Attack Details

The MLTBackdoor attack chain unfolds across five distinct stages, combining social engineering, encrypted payload delivery, DLL sideloading, and in-memory execution to establish a persistent, stealthy ransomware foothold on Windows systems.

#1
Social Engineering via ClickFix — No Software Exploit Required
MLTBackdoor is delivered entirely through user interaction rather than a software vulnerability. The malware relies on social engineering via a ClickFix lure, demonstrating how ransomware-linked threat actors continue to exploit human behavior for initial access to Windows environments. The absence of a CVE-based exploit makes conventional patch-based defenses insufficient.
#2
ClickFix Infection Chain — DGA Delivery & DLL Execution
The infection originates on an automotive-themed website hosting the ClickFix lure. Victims are tricked into copying and executing malicious content, which spawns a headless conhost.exe process. This process creates a temporary directory, retrieves a compressed archive from a DGA-generated domain, extracts data.bin and endpointdlp.dll, and executes the malicious DLL via rundll32. The DLL acts as a first-stage loader for the MLTBackdoor payload.
#3
RC4 Decryption, Self-Update & DLL Sideloading via mpextms.exe
endpointdlp.dll decrypts the RC4-encrypted data.bin to deploy MLTBackdoor. The malware performs a self-update, then disguises itself by sideloading through the legitimate, signed Microsoft Defender binary mpextms.exe. To defeat analysis, it employs Mixed Boolean-Arithmetic (MBA) and Control Flow Flattening (CFF) obfuscation, dynamically resolves APIs and system calls using DJB2 hashing, and leverages Hell's Gate-style indirect syscalls to bypass user-mode API hooks and evade security monitoring.
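Stage #3 notes that the backdoor resolves APIs and system calls by DJB2 hash, so an analyst reversing it needs a name-to-hash table to recover which imports a given constant refers to. The following Python is an added example, not code from HiveForce Labs or from the malware; it implements the textbook DJB2 and tries the common variants (add vs. XOR, case folding), and the export list is a constructed sample, since the sample's exact seed and variant are assumptions to confirm against its hashing routine.

```python
# Textbook DJB2: seed 5381, h = h*33 + c (or h*33 ^ c for the XOR variant),
# truncated to 32 bits. Whether MLTBackdoor uses this seed, the add or XOR form,
# or lowercases names first is an assumption to confirm against the sample.
DJB2_SEED = 5381

def djb2(name: str, seed: int = DJB2_SEED, xor: bool = False, lowercase: bool = False) -> int:
    """Return the 32-bit DJB2 hash of an ASCII export name."""
    if lowercase:
        name = name.lower()
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h) ^ c if xor else (h << 5) + h + c
        h &= 0xFFFFFFFF
    return h

# Constructed list; in practice feed every export name of the DLLs the loader
# touches (e.g. parsed from ntdll.dll and kernel32.dll with pefile).
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                  "CreateThread", "NtAllocateVirtualMemory", "NtProtectVirtualMemory"]

def build_table(names, **variant) -> dict:
    """Map hash -> export name for one DJB2 variant."""
    return {djb2(n, **variant): n for n in names}

def resolve(hash_value: int, names=SAMPLE_EXPORTS) -> dict:
    """Try the common DJB2 variants; return {variant_label: name} for each match."""
    variants = {"add": {}, "xor": {"xor": True},
                "add-lower": {"lowercase": True},
                "xor-lower": {"xor": True, "lowercase": True}}
    found = {}
    for label, kw in variants.items():
        table = build_table(names, **kw)
        if hash_value in table:
            found[label] = table[hash_value]
    return found
```

A constant pulled from the decompiled resolver that matches none of the variants points to a different seed or multiplier, which is the next thing to check in the hashing loop.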
#4
Anti-Analysis Evasion & BOF Loader for In-Memory Post-Exploitation
MLTBackdoor incorporates extensive anti-analysis routines that check for virtual machines, debuggers, sandbox artifacts, low-memory environments, and other analysis system indicators. Uniquely, rather than halting upon detection, it reports these findings back to its C2 server. Its most significant capability is a built-in Beacon Object File (BOF) loader, enabling operators to execute custom post-exploitation modules entirely in memory — without writing files to disk — a technique directly consistent with ransomware pre-staging and lateral movement operations.
#5
Encrypted C2 Communications — DGA Resilience & Microsoft Telemetry Masquerade
MLTBackdoor communicates with its C2 infrastructure via a custom encrypted protocol over TLS on port 443, masquerading as Microsoft telemetry traffic using the Microsoft-DeliveryOptimization/10.1 User-Agent and the fixed URL path /api/v1/telemetry. Communications are secured with ECDH key exchange and AES-256-GCM encryption. A date-based DGA generates fresh domains daily to ensure C2 continuity if primary infrastructure is disrupted. In one observed case, the same DGA domain served both as a malware delivery endpoint and a C2 channel, highlighting the tightly integrated and resilient nature of MLTBackdoor's infrastructure.
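Stage #3 above and recommendation 03 below both turn on one observable: a signed Defender binary (mpextms.exe) loading a DLL from a user-writable directory. The following Python is an added example, not code from HiveForce Labs or from the advisory; it scores Sysmon Event ID 7 (Image Loaded) records for that pattern. The Defender binary set, the path markers and the sample events are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Only mpextms.exe is named on the advisory page; a real deployment would add
# the other trusted Defender executables here (assumption).
DEFENDER_BINARIES = {"mpextms.exe"}
KNOWN_SIDELOAD_DLLS = {"endpointdlp.dll"}
# Directory components treated as user-writable or temporary (assumption).
USER_WRITABLE_MARKERS = {"users", "temp", "tmp", "appdata", "public", "downloads"}

# Constructed sample events using Sysmon event 7 field names (Signed refers to
# the loaded image, not the loader). Paths are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\t1\mpextms.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\t1\endpointdlp.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\t1\mpextms.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\mpextms.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.dll", "Signed": "false"},
]

def is_user_writable(path: str) -> bool:
    """True if any directory component of the path looks user-writable."""
    dirs = {p.lower() for p in PureWindowsPath(path).parts[:-1]}
    return bool(dirs & USER_WRITABLE_MARKERS)

def assess(event: dict):
    """Return (severity, reason) for one event, or None if not of interest."""
    if str(event.get("EventID")) != "7":
        return None
    loader = PureWindowsPath(event["Image"]).name.lower()
    if loader not in DEFENDER_BINARIES:
        return None
    loaded = event["ImageLoaded"]
    dll = PureWindowsPath(loaded).name.lower()
    if dll in KNOWN_SIDELOAD_DLLS:
        return ("high", f"{loader} loaded known sideload DLL {dll}")
    if is_user_writable(loaded):
        signed = str(event.get("Signed", "")).lower() == "true"
        # An unsigned DLL in a writable directory is the textbook sideload; a
        # signed one still merits review since the trusted loader left its install dir.
        return ("medium" if signed else "high",
                f"{loader} loaded {'signed' if signed else 'unsigned'} DLL from {loaded}")
    return None

def scan(events) -> list:
    """Return [(image_loaded, severity, reason)] for every suspicious event."""
    return [(e["ImageLoaded"], *hit) for e in events if (hit := assess(e))]
```

Because the check keys on the loader's file name rather than its location, it also fires when the Defender binary itself has been copied into a temporary directory, which is how the chain in stage #2 stages it.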

Recommendations

Security teams should implement the following prioritized mitigations to detect, disrupt, and prevent MLTBackdoor infections and ClickFix-based ransomware delivery chains across Windows environments.

01
Block Known MLTBackdoor Indicators Immediately
Immediately block all SHA256 hashes, C2 domains, and the update URL identified in the Indicators of Compromise section across endpoint, network, and DNS controls. This stops active beaconing and halts payload retrieval from MLTBackdoor-associated infrastructure.
02
Disrupt ClickFix Social Engineering at the User Layer
Educate users that legitimate websites never require copying and pasting commands into the Windows Run dialog or a terminal. Deploy technical controls that flag or block clipboard-to-shell execution patterns. Treat any clipboard-initiated shell execution as a high-risk behavior warranting immediate investigation.
03
Monitor for DLL Sideloading Abuse via Microsoft Defender Binaries
Watch specifically for mpextms.exe sideloading a DLL named endpointdlp.dll. Broaden monitoring to detect any trusted Microsoft Defender binaries loading DLLs from user-writable or temporary directories — a strong indicator of DLL sideloading abuse characteristic of MLTBackdoor's execution technique.
04
Inspect Outbound TLS Traffic on Port 443 for MLTBackdoor C2 Patterns
Flag TLS connections to the fixed URL path /api/v1/telemetry and outbound requests using the Microsoft-DeliveryOptimization/10.1 User-Agent to atypical or newly registered domains. MLTBackdoor specifically uses these patterns to disguise malicious C2 traffic as legitimate Microsoft telemetry.
05
Counter the Domain Generation Algorithm with Proactive DGA Detection
Because the MLTBackdoor DGA generates a new C2 domain daily, static domain blocklists alone are insufficient. Supplement with detection logic for newly registered and algorithmically generated domains. Integrate the published DGA tooling into proactive blocking workflows where operationally feasible to stay ahead of the daily rotation.
06
Prioritize Kernel-Level & ETW-Based Detection Over API Hooking
Since MLTBackdoor uses Hell's Gate-style indirect system calls to bypass user-mode API hooks, endpoint detection that relies solely on inline API hooking will be ineffective. Prioritize kernel-level telemetry, ETW (Event Tracing for Windows)-based detection, and behavioral analytics to surface MLTBackdoor's evasive execution patterns despite its active evasion techniques.
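Stage #5 and recommendation 04 give two network observables: the fixed path /api/v1/telemetry and the Microsoft-DeliveryOptimization/10.1 User-Agent sent to domains where Delivery Optimization traffic is not expected. The following Python is an added example, not code from HiveForce Labs or from the advisory; it runs both rules over constructed proxy log lines, and the domain allowlist and the log format are assumptions to adapt to your own proxy.

```python
C2_PATH = "/api/v1/telemetry"
C2_USER_AGENT = "Microsoft-DeliveryOptimization/10.1"
# Assumed allowlist of domains where Delivery Optimization traffic is expected;
# tune this to your environment.
ALLOWED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")

# Constructed sample log, one request per line:
# timestamp client method host path status user-agent
SAMPLE_LOG = """\
2026-06-11T10:01:02Z 10.0.0.5 GET dl.delivery.mp.microsoft.com /filestreamingservice/files/abc 200 Microsoft-DeliveryOptimization/10.1
2026-06-11T10:02:13Z 10.0.0.5 POST updates.constructed-dga.test /api/v1/telemetry 200 Microsoft-DeliveryOptimization/10.1
2026-06-11T10:03:44Z 10.0.0.9 GET intranet.corp.test /api/v1/telemetry 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2026-06-11T10:05:21Z 10.0.0.5 GET cdn.partner-constructed.test /content/pkg.cab 200 Microsoft-DeliveryOptimization/10.1
"""

def parse_line(line: str) -> dict:
    """Split one log line; the User-Agent is the last field and may contain spaces."""
    ts, client, method, host, path, status, ua = line.split(" ", 6)
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "status": status, "ua": ua}

def host_allowed(host: str) -> bool:
    """True if the host is, or is a subdomain of, an allowlisted domain."""
    return any(host == s[1:] or host.endswith(s) for s in ALLOWED_SUFFIXES)

def classify(rec: dict) -> list:
    """Return the names of the advisory's rules this record trips (empty = clean)."""
    reasons = []
    # Rule 1: the fixed C2 path, regardless of User-Agent or destination.
    if rec["path"].split("?", 1)[0] == C2_PATH:
        reasons.append("fixed-c2-path")
    # Rule 2: the Delivery Optimization User-Agent talking to a non-Microsoft host.
    if rec["ua"] == C2_USER_AGENT and not host_allowed(rec["host"]):
        reasons.append("do-useragent-to-atypical-host")
    return reasons

def scan(log_text: str) -> list:
    """Return [(line_no, client, host, reasons)] for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((n, rec["client"], rec["host"], reasons))
    return hits
```

The path and User-Agent are only visible where TLS is inspected; without it, only rule 2's destination host (from SNI or DNS) can be checked, so pair it with the DGA detection in recommendation 05.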

Indicators of Compromise (IoCs)

The following indicators are associated with MLTBackdoor infrastructure, payload delivery, and C2 communications. Block these across endpoint, network, and DNS controls immediately.


MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques have been identified in association with the MLTBackdoor ClickFix ransomware foothold campaign.

Tactic | Technique | Sub-technique | Description
Initial Access | T1566 Phishing | - | ClickFix lure on automotive-themed website delivers initial infection
Execution | T1204 User Execution | T1204.001 Malicious Link | Victim manually copies and executes malicious clipboard content
Execution | T1059 Command and Scripting Interpreter | T1059.003 Windows Command Shell | Headless conhost.exe and rundll32 used to execute the DLL payload
Execution | T1106 Native API | - | Direct system calls used via Hell's Gate-style indirect syscalls
Defense Evasion | T1574 Hijack Execution Flow | T1574.001 DLL | endpointdlp.dll sideloaded via the legitimate signed Microsoft Defender binary mpextms.exe
Defense Evasion | T1027 Obfuscated Files or Information | T1027.007 Dynamic API Resolution | MBA, Control Flow Flattening, and DJB2-based dynamic API resolution used to hinder analysis
Defense Evasion | T1106 Native API | - | Indirect syscalls bypass user-mode security hooks
Defense Evasion | T1497 Virtualization/Sandbox Evasion | - | Checks for VM, sandbox, and low-memory indicators; results reported to C2
Defense Evasion | T1622 Debugger Evasion | - | Active anti-debugging routines deployed to hinder reverse engineering
Defense Evasion | T1620 Reflective Code Loading | - | BOF loader executes post-exploitation modules in memory without touching disk
C2 | T1071 Application Layer Protocol | T1071.001 Web Protocols | C2 traffic sent over TLS port 443 masquerading as Microsoft telemetry
C2 | T1573 Encrypted Channel | T1573.002 Asymmetric Cryptography | ECDH key exchange used to establish encrypted C2 sessions
C2 | T1573 Encrypted Channel | T1573.001 Symmetric Cryptography | AES-256-GCM symmetric encryption used for C2 payload confidentiality
C2 | T1568 Dynamic Resolution | T1568.002 Domain Generation Algorithms | Date-based DGA generates daily C2 domains; same DGA domain observed for both delivery and C2
C2 | T1105 Ingress Tool Transfer | - | Compressed payload archive downloaded from DGA-generated delivery domains
Discovery | T1057 Process Discovery | - | Malware enumerates running processes as part of anti-analysis and environment fingerprinting
Discovery | T1082 System Information Discovery | - | System info gathered to detect VMs, sandboxes, and analysis environments
Discovery | T1083 File and Directory Discovery | - | Malware performs file system enumeration as part of post-exploitation reconnaissance
Exfiltration | T1041 Exfiltration Over C2 Channel | - | Data and anti-analysis findings exfiltrated via the existing encrypted C2 connection
Impact | T1486 Data Encrypted for Impact | - | Consistent with ransomware-linked operations; BOF loader enables in-memory ransomware module deployment
