Hackers Deploy MLTBackdoor Malware via ClickFix Multi-Stage Infection


Jennifer Sherman
June 10, 2026

A recently uncovered backdoor, dubbed MLTBackdoor, has drawn significant attention within the cybersecurity community after emerging as part of a sophisticated, multi-stage infection chain.

Identified in May 2026, this threat stands out for its advanced ability to hide from security tools while quietly establishing a deep foothold on infected machines.

The infection begins with something deceptively simple: a ClickFix lure hosted on an automotive-related web page. The moment a visitor copies, pastes, and runs the fake prompt, the full attack chain kicks into motion.

The victim unknowingly triggers a series of commands that download a compressed archive, decrypt a hidden payload, and ultimately install the backdoor deep within the system.

Researchers at Zscaler ThreatLabz, who identified and analyzed the malware, noted that the threat is likely being used by a ransomware-related threat actor.

According to a report Zscaler shared with Cyber Security News (CSN), the malware is specifically designed to help attackers gain a strong foothold before moving further across a victim’s network.

What makes MLTBackdoor especially dangerous is the sheer depth of effort put into hiding it. Around 95% of its code consists of unnecessary math operations designed purely to confuse analysts.

On top of that, the malware uses a technique called control flow flattening, which turns simple functions into a jumbled maze that is extremely hard to follow or reverse-engineer.
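As an added illustration (not code from the Zscaler report or from the malware), the following Python shows what an MBA rewrite of a single addition looks like and how an analyst confirms a recovered simplification by exhaustive checking at 8-bit width; the identities used are the example's own choice.

```python
"""Mixed Boolean-Arithmetic (MBA) rewriting of the kind that bloats MLTBackdoor.

Added example, not code from the Zscaler report or from the malware. It shows
an identity an MBA obfuscator applies (a plain add buried under boolean and
arithmetic ops) and the analyst's counter-move: confirming a candidate
simplification by exhaustive comparison at a small bit width.
"""
from itertools import product

MASK8 = 0xFF  # 8-bit arithmetic keeps the exhaustive check to 65,536 cases


def plain_add(x: int, y: int) -> int:
    return (x + y) & MASK8


def mba_add(x: int, y: int) -> int:
    # Standard MBA identity: x + y == (x ^ y) + 2 * (x & y).
    return ((x ^ y) + 2 * (x & y)) & MASK8


def mba_add_deep(x: int, y: int) -> int:
    # Second layer: x & y is itself rewritten as (x | y) - (x ^ y) and the
    # doubling becomes a shift. Same function, several times the noise.
    t = ((x | y) - (x ^ y)) & MASK8
    return ((x ^ y) + ((t << 1) & MASK8)) & MASK8


def bogus_simplification(x: int, y: int) -> int:
    # A tempting but wrong reading of mba_add that drops the factor 2; it
    # agrees with plain_add whenever x & y == 0, so spot checks can miss it.
    return ((x ^ y) + (x & y)) & MASK8


def equivalent(f, g, bits: int = 8) -> bool:
    """True iff f and g agree on every input pair at the given bit width."""
    n = 1 << bits
    return all(f(x, y) == g(x, y) for x, y in product(range(n), repeat=2))
```

Exhaustive checking only scales to small widths; at the 32- or 64-bit widths seen in real samples, analysts combine it with random testing or an SMT solver.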

The malware also comes equipped with a domain generation algorithm, or DGA, that creates a fresh command-and-control domain every single day.

This means even if security teams manage to shut down one domain, the malware can silently switch to a new one and carry on without any interruption.

MLTBackdoor’s Multi-Stage ClickFix Infection Chain

The infection chain is a well-choreographed sequence that starts the moment a user interacts with the ClickFix prompt.

The command that runs in the background silently creates a folder, downloads a disguised archive from a DGA-generated domain, and then uses a legitimate Microsoft Defender file called mpextms.exe to sideload the actual backdoor.

This trick of hiding behind a trusted system file helps the malware slip past basic security tools.

Inside the downloaded archive are two files: data.bin and endpointdlp.dll. The DLL decrypts the RC4-encrypted data.bin file and unveils the second-stage payload, which is MLTBackdoor itself.

After installation, the malware performs a self-update and reuses the endpointdlp.dll filename, adding another layer of disguise on the infected machine.

MBA obfuscation in MLTBackdoor’s DGA function (Source: Zscaler)

Once active, MLTBackdoor communicates over port 443 using a custom encrypted binary protocol, disguising its traffic to look like routine system activity.

CFF obfuscation in MLTBackdoor’s command-handling function (Source: Zscaler)

It uses a Microsoft-style user-agent string and a fixed API path to blend in, making it far harder for network monitoring tools to flag any connection as suspicious.

Evasion Techniques and Expanding Capabilities

MLTBackdoor runs a total of ten separate environment checks before it does anything meaningful. It scans for virtual machines, debuggers, specific analysis tools, and sandbox drivers.

It even checks whether the system RAM is below two gigabytes or the number of processors is just one. All these checks feed into a bitmask that gets quietly sent to the attacker’s server during the first check-in, giving the operator a full picture of the target environment.

Beyond hiding, the malware also comes with a functional set of built-in commands. It can download and upload files, list directories, and delete, rename, or create folders.

But its most powerful feature is a Beacon Object File loader that lets attackers push custom code modules directly into the malware’s memory. This means its capabilities can be expanded at any time without ever writing files to disk, making detection even harder.

Security teams are strongly advised to block all known indicators of compromise and monitor for unusual use of legitimate Microsoft binaries.

Organizations should keep threat detection rules updated for ClickFix-style social engineering attacks and watch for suspicious outbound connections on port 443 that carry uncommon user-agent strings, as these can be early signs of an active MLTBackdoor infection.
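To make the guidance above testable, here is an added detection example in Python (not code from Zscaler or the article); the Defender directories, event field names and sample events are the example's own assumptions.

```python
"""Detection checks for the MLTBackdoor ClickFix chain described above.

Added example, not code from Zscaler or the article. It runs two checks over
constructed sample telemetry: (1) mpextms.exe starting from, or loading
endpointdlp.dll from, a directory outside the Defender install locations the
example assumes; (2) outbound port-443 connections whose User-Agent is rare
across the fleet. Event field names and the sample values are assumptions.
"""
from collections import Counter

# Directories where Defender binaries are expected (example assumption).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")

# Constructed sample events, not real telemetry.
PROCESS_EVENTS = [
    {"host": "ws01", "image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe",
     "loaded": "C:\\Program Files\\Windows Defender\\MpClient.dll"},
    {"host": "ws07", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\mpextms.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\endpointdlp.dll"},
]
NETWORK_EVENTS = [
    {"host": "ws01", "dport": 443, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"host": "ws02", "dport": 443, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"host": "ws03", "dport": 443, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"host": "ws07", "dport": 443, "ua": "Microsoft-CryptoAPI/10.0"},
]


def in_defender_dir(path: str) -> bool:
    return path.lower().startswith(DEFENDER_DIRS)


def sideload_alerts(events):
    """Hosts where mpextms.exe runs, or endpointdlp.dll loads, outside Defender dirs."""
    hits = []
    for e in events:
        image, loaded = e["image"].lower(), e["loaded"].lower()
        if image.endswith("\\mpextms.exe") and not in_defender_dir(image):
            hits.append((e["host"], "mpextms.exe outside Defender directory"))
        if loaded.endswith("\\endpointdlp.dll") and not in_defender_dir(loaded):
            hits.append((e["host"], "endpointdlp.dll loaded from user-writable path"))
    return hits


def rare_ua_alerts(events, max_hosts: int = 1):
    """Port-443 connections whose User-Agent is seen on at most max_hosts hosts."""
    pairs = {(e["ua"], e["host"]) for e in events if e["dport"] == 443}
    hosts_per_ua = Counter(ua for ua, _ in pairs)
    return [(e["host"], e["ua"]) for e in events
            if e["dport"] == 443 and hosts_per_ua[e["ua"]] <= max_hosts]
```

The rare-User-Agent check is a triage heuristic, not a verdict: tune max_hosts to the fleet size and pair it with the sideload check before escalating.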

Indicators of Compromise (IoCs):

Type Indicator Description
File Name endpointdlp.dll Malicious DLL used to decrypt and sideload MLTBackdoor
File Name data.bin RC4-encrypted MLTBackdoor second-stage payload
File Name mpextms.exe Legitimate Microsoft Defender binary abused for DLL sideloading

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
