
MLTBackdoor Malware Uses ClickFix Chain to Evade Detection

A newly reported MLTBackdoor campaign uses a multi-stage ClickFix infection chain to get a backdoor onto Windows systems while leaving little for conventional, signature-based detection to catch.

First identified in May 2026 by Zscaler ThreatLabz, the malware is built for stealth and persistence. The chain starts with a deceptively simple user action: the victim copies a command from an automotive-themed webpage and runs it. That single command ends in a heavily obfuscated backdoor intended to keep long-term access to the host.

Researchers believe the campaign is linked to ransomware-related threat activity, with the backdoor serving as an initial foothold for later-stage attacks.

Key Details

The infection chain is notable for its layered execution. Victims are lured into acting on a fake ClickFix prompt (the familiar "verify you are human" or "fix this error" instruction that has the user paste a command into the Run dialog or a terminal), and that pasted command starts a sequence that runs silently in the background.

Once executed, the attack performs the following steps:

  • Creates a hidden directory on the system
  • Downloads a compressed archive from a DGA-generated domain
  • Launches a legitimate, Microsoft-signed Defender binary (mpextms.exe) so that it sideloads a malicious DLL
  • The DLL decrypts the secondary payload from the archive and runs it

The archive contains two critical components:

  • data.bin (the RC4-encrypted payload)
  • endpointdlp.dll (the malicious DLL that mpextms.exe loads; it decrypts data.bin and loads the result)

Because the malicious code executes inside a signed Microsoft process, its activity blends with legitimate Defender behaviour, and reputation or signature checks on the host process see nothing wrong. The detection opportunity is the DLL itself: it is not Microsoft-signed and it lives in the attacker's hidden directory rather than in Defender's install path.
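The loader-side step described above, RC4-decrypting a data.bin-style blob and checking that the result is a PE image before using it, as an added example that is not Zscaler's or the malware's code. The key, the encrypted blob and the minimal PE stub are constructed for illustration; the MZ/PE header check stands in for whatever validation the real loader performs.

```python
"""RC4 decryption of a data.bin-style payload (added example, not code from the malware or Zscaler)."""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check an analyst applies to the plaintext: MZ header and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_data_bin(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt a data.bin-style blob and refuse to hand back anything that is not a PE image."""
    plain = rc4(key, ciphertext)
    if not looks_like_pe(plain):
        raise ValueError("wrong key or payload is not a PE image")
    return plain


# Constructed sample: a hypothetical key and a minimal fake PE stub, encrypted with it.
SAMPLE_KEY = b"example-key-not-from-the-malware"
_plain = bytearray(0x80)
_plain[:2] = b"MZ"
_plain[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
_plain[0x40:0x44] = b"PE\0\0"
SAMPLE_DATA_BIN = rc4(SAMPLE_KEY, bytes(_plain))

if __name__ == "__main__":
    pe = decrypt_data_bin(SAMPLE_KEY, SAMPLE_DATA_BIN)
    print(f"recovered {len(pe)} bytes; e_lfanew=0x{int.from_bytes(pe[0x3C:0x40], 'little'):x}")
```

In practice the key is recovered from endpointdlp.dll (hard-coded, or derived from something the loader computes at run time); once it is known, the same dozen lines turn data.bin into a sample you can load in a disassembler.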

Zscaler researchers noted that the attack chain is specifically designed to provide attackers with a strong initial foothold, often a precursor to lateral movement and ransomware deployment.

Technical Analysis

MLTBackdoor stands out for the depth of its obfuscation and evasion, which makes reverse engineering slow and static signatures short-lived.

Advanced Obfuscation

  • Roughly 95% of the code is junk arithmetic: opaque computations with no effect on program behaviour, inserted to wear down analysts and to defeat byte-pattern signatures
  • Employs control flow flattening (CFF), which replaces the program's natural branches with a dispatcher loop over numbered states, so the real control flow is no longer visible in the graph

These techniques align with MITRE ATT&CK methods such as:

  • T1027 – Obfuscated Files or Information
  • T1140 – Deobfuscate/Decode Files or Information

Dynamic Command-and-Control (C2)

MLTBackdoor uses a Domain Generation Algorithm (DGA) to derive new command-and-control domains every day. This gives it resilience against takedowns and blocklists: today's domain is stale tomorrow, so detection has to key on the lookup pattern (algorithmic-looking names, repeated lookups to freshly registered domains) rather than on individual names.

Network Evasion

  • Communicates over port 443, mimicking legitimate HTTPS traffic
  • Uses a custom encrypted binary protocol
  • Spoofs Microsoft-style user-agent strings

Together these make port-and-protocol filtering nearly useless against it; the traffic has to be judged on destination reputation, on whether the claimed user agent is consistent with the destination, and on beacon timing.

Sandbox and Analysis Evasion

Before executing malicious actions, the malware performs 10 environment checks, including:

  • Detection of virtual machines and sandbox environments
  • Identification of debugging and analysis tools
  • System resource checks (RAM <2GB, single CPU core)

The results are packed into a bitmask and sent to the attacker in the first beacon, so the operator has a profile of the host (virtualised or not, monitored or not, how much hardware) before any further module is delivered.
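How ten boolean checks fit into one beacon field, and how an analyst turns the observed value back into check names, as an added example. This is not Zscaler's or the malware's code, and the bit layout is hypothetical: the article names three categories of check and the two resource thresholds, but does not publish a bit order, so the unnamed bits are placeholders.

```python
"""Environment-check bitmask: pack, decode and interpret (added example; bit layout is hypothetical)."""

# Hypothetical bit assignments. Only checks the article describes are named;
# the rest stand in for checks the write-up does not detail.
CHECK_BITS = {
    "vm_detected": 0,
    "sandbox_detected": 1,
    "debugger_present": 2,
    "analysis_tools": 3,
    "low_ram": 4,        # < 2 GB, per the article
    "single_cpu": 5,     # one logical core, per the article
    "unspecified_6": 6,
    "unspecified_7": 7,
    "unspecified_8": 8,
    "unspecified_9": 9,
}
TWO_GB = 2 * 1024 ** 3


def resource_checks(ram_bytes: int, cpu_count: int) -> dict:
    """The two resource thresholds the article quotes."""
    return {"low_ram": ram_bytes < TWO_GB, "single_cpu": cpu_count <= 1}


def pack(results: dict) -> int:
    """Malware side: fold check results into a single integer for the beacon."""
    mask = 0
    for name, hit in results.items():
        if hit:
            mask |= 1 << CHECK_BITS[name]
    return mask


def unpack(mask: int) -> list:
    """Analyst side: turn the 10-bit value seen in a beacon back into check names."""
    if mask >> 10:
        raise ValueError("more than 10 bits set; layout mismatch")
    return [name for name, bit in CHECK_BITS.items() if mask & (1 << bit)]


def would_bail(mask: int) -> bool:
    """Assumed loader policy (not stated in the article): any VM, sandbox or debugger hit aborts."""
    abort_bits = pack({"vm_detected": True, "sandbox_detected": True, "debugger_present": True})
    return bool(mask & abort_bits)


if __name__ == "__main__":
    import os
    ram = (os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE")) if hasattr(os, "sysconf") else TWO_GB
    mask = pack(resource_checks(ram, os.cpu_count() or 1))
    print(f"mask=0b{mask:010b} -> {unpack(mask)}; bail={would_bail(mask)}")
```

When you see the first beacon in a capture or a decrypted sandbox run, the bitmask is a small piece of intelligence in its own right: it tells you exactly which of your analysis-environment artifacts the sample noticed.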

In-Memory Execution

A key feature is its Beacon Object File (BOF) loader. A BOF is a small compiled object module, the format popularised by Cobalt Strike, which the backdoor links and runs inside its own process, allowing attackers to:

  • Inject custom modules directly into memory
  • Avoid writing malicious files to disk

This fileless capability significantly reduces the attack’s forensic footprint.

Impact and Risks

The implications of MLTBackdoor are substantial for enterprises and security teams.

Who is at Risk

  • Organizations with weak endpoint detection
  • Users vulnerable to social engineering tactics like ClickFix prompts
  • Enterprises relying heavily on traditional signature-based defenses

Potential Consequences

  • Establishment of persistent backdoor access
  • Lateral movement across enterprise networks
  • Data exfiltration and espionage
  • Deployment of ransomware payloads

The malware’s stealth capabilities mean organizations may remain unaware of infections for extended periods, increasing the potential damage.

Expert Recommendations

Security teams should take immediate steps to mitigate the risks associated with MLTBackdoor infections.

Detection and Prevention

  • Block known Indicators of Compromise (IoCs), including published domains and file hashes, while recognising that DGA domains age out quickly
  • Alert on mpextms.exe running from any location other than Defender's install directories, and on any DLL named endpointdlp.dll loading from outside them
  • Deploy an Endpoint Detection and Response (EDR) solution that records image loads and command lines, not just file hashes

Network Monitoring

  • Inspect outbound traffic on port 443 for beacon-like behaviour: regular intervals, small fixed-size payloads, and destinations that are newly registered or algorithmic-looking
  • Check that user-agent strings claiming to be Microsoft components (update, BITS, CryptoAPI and similar) are actually talking to Microsoft-owned hosts

User Awareness

  • Train employees to recognise ClickFix-style prompts: no legitimate website asks you to paste a command into the Run dialog or a terminal to "verify" yourself or "fix" an error
  • Restrict who can run PowerShell, mshta and similar interpreters, enable command-line logging (Sysmon Event ID 1 or Windows 4688 with command-line auditing), and consider removing the Run dialog by policy where this lure is a concern

Hardening Measures

  • Implement application control (WDAC or AppLocker) so that unsigned DLLs cannot load from user-writable directories
  • Use multi-factor authentication (MFA)
  • Segment networks to limit lateral movement

Industry Context

MLTBackdoor reflects a growing trend in modern cyberattacks—stealth-first intrusion techniques designed to evade detection rather than exploit vulnerabilities outright.

The use of:

  • DLL sideloading
  • DGA-based infrastructure
  • Fileless malware execution

…is increasingly common among ransomware operators and advanced persistent threat (APT) groups.

Similar tactics have been observed in campaigns involving Cobalt Strike loaders, Emotet variants, and BazarLoader, where initial access is carefully disguised before escalating to full-scale attacks.

This evolution signals a shift toward defense evasion and persistence, forcing organizations to rethink traditional detection strategies.

Conclusion

MLTBackdoor is a clear example of how modern malware is evolving—prioritizing stealth, adaptability, and persistence over brute-force exploitation.

Its use of a multi-stage ClickFix infection chain, combined with advanced obfuscation and fileless execution, makes it a formidable threat in today’s enterprise environments.

Organizations must adopt proactive threat detection, behavioral analysis, and user awareness strategies to stay ahead of such increasingly sophisticated attacks.

FAQ

What is MLTBackdoor malware?

MLTBackdoor is a stealthy backdoor malware designed to establish persistent access on infected systems and enable further attacks, including ransomware deployment.

How does the ClickFix attack chain work?

The ClickFix chain tricks users into executing a malicious command, which triggers a multi-stage process that downloads, decrypts, and installs the backdoor.

Why is MLTBackdoor hard to detect?

It uses heavy code obfuscation, legitimate system binaries, encrypted communication, and fileless execution techniques to evade traditional security tools.

What is DLL sideloading in this attack?

DLL sideloading involves abusing a legitimate executable, like mpextms.exe, to load a malicious DLL (endpointdlp.dll) without raising suspicion.

How can organizations defend against this threat?

By using EDR tools, monitoring network traffic, blocking IoCs, educating users, and implementing strong endpoint and network security controls.
