Technical Analysis of MLTBackdoor

June 10, 2026, 11 a.m.

Description

In May 2026, a new malware family named MLTBackdoor was identified, likely leveraged by ransomware-related threat actors to establish footholds for lateral movement. Delivered through multi-stage ClickFix infection chains targeting automotive-related web pages, this backdoor employs sophisticated obfuscation techniques including Mixed Boolean-Arithmetic and Control Flow Flattening. MLTBackdoor features indirect system calls, API hashing, and extensive anti-analysis checks that detect debuggers and sandboxed environments. Its capabilities include filesystem operations and a powerful Beacon Object File loader that dynamically expands functionality. The malware uses custom encrypted binary protocols over TLS with Elliptic-Curve Diffie-Hellman key exchange for command-and-control communications. Additionally, it implements a deterministic date-based Domain Generation Algorithm to maintain persistence when hardcoded C2 domains become unreachable, demonstrating advanced resilience against takedown attempts.

Date

  • Created: June 9, 2026, 8:11 p.m.
  • Published: June 9, 2026, 8:11 p.m.
  • Modified: June 10, 2026, 11 a.m.

Indicators

  • 9e8777661a1ad9c983f03060f0a04a3244daac8c3639b3eb1bbce29355bc6c10
  • ac66c2d47cdefb221822b9074c9810434e8da702a0694139aa9177557e6b292b
  • 2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494
  • 46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93
  • ed80408eb9092301e628791e7a9a2e86c6f496a9afd7b56d7c1a1684b1b87251
  • d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b
  • a5a5b6257304eefe5212edfd8c0ad27f77357c5046a7acb8eb7ba72ed4bad9e0
  • fc8649547ad0ece93ad82de75cb6b875be0873774de89b78546c9a66d2043087
  • 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984
  • b2e1f5aedb049092135e90c153f5bd386aa81cd2df355d90912dcba33c3176e5
  • 0ca2edf9982f58e63cc49ba69fb9a88762d1f220ed9482810b512d4add0f8f0b
  • 6870e3bbf2447c96d21682caf943cf31c2e8c21c8cfb91a5092eab1c9e5f19ae
  • ab0541672b57cd3b7e8c973fb9fcbecd18b7fe14c1c2f571e7a2f2921919b500
  • 687968b820fd7a6bedb03d644410c663b1720ad76519e2dcf98d61df498470df
  • fe8557d454adc7a91162495628d269738b92b4b5d7e5d620fc3f38c27a9a41a7
  • d51ce268a585657226510586e47c58a47cee2f2bf2049008760c58dc4e6ba650
  • 9c8384f93b9d347a716ea3e55b9a01250473f667b95d467126c048256b0049e9
  • 1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf
  • 0f7463aecc3920f9e2b32ab9d77861a9e69a3e8aa28d06b4602195623312331d
  • 75635009a00cb26d2f532ad974ede59785a18e4b30132a1f585108589394ba5a
  • 4c357a29b202b77e7db190d359ead2dfd3f8869c6808b96bfa8bee82525bb2a2
  • b32461077b2e04145b87e9b5177a331dfd2248b81570aa96b9a302dffe643f70
  • 57cfa4cbf3d6cbd13973bbf0625bfa6d20677abb0a6e6bec9a6bf587799b56fa
  • e063358d88290c5d05d58594da341690024cf7fa57408a3874899f10e56d8bc8
  • 9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66
  • d8f291a459c1acc53f9c8dccb1049bfe2d3b00c7a86d50542dc7fd7b0628ea6a
  • ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec
  • http://powwowski.com/payloads/update.zip
  • https://hrs2y15sungu.com/d&pushd

Additional Information

  • carrolc.com
  • hrs2y15sungu.com
  • thomphon.com
  • cwrtwright.com
  • powwowski.com