MLTBackdoor
Intelligence Profile
According to Zscaler, MLTBackdoor is a Windows post-exploitation backdoor likely written in C/C++ and compiled with an LLVM-based obfuscator that applies heavy mixed boolean-arithmetic and control-flow flattening, plus DJB2-based API hashing and indirect system calls to hinder analysis and evade hooks. It uses a custom binary protocol over TLS with elliptic-curve Diffie-Hellman key exchange and AES-GCM for encrypted C2 traffic, and includes a date-based domain generation algorithm (DGA) to maintain contact if primary C2 domains are unavailable. Natively, it provides a focused set of filesystem commands for uploading, downloading, listing, deleting, renaming, and creating files and folders. Its key feature is a built-in Beacon Object File loader compatible with a subset of Cobalt Strike-style BOF imports and its own syscall wrappers, allowing operators to dynamically extend capabilities for activities such as discovery, credential access, and lateral movement, which Zscaler links to ransomware-oriented operations.
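The DJB2-based API hashing described above is what an analyst has to undo when reversing a sample: pre-compute hashes for candidate API names, then map the constants found in the binary back to names. The following is an added example, not Zscaler's or the sample's code; it assumes the classic 32-bit Bernstein variant (seed 5381, multiply by 33, add or xor the byte, ASCII input), and the candidate export list is constructed, so both must be adjusted to whatever variant the sample actually uses.

```python
"""Resolve hashed Windows API names by building a DJB2 lookup table.

Added example for analysts, not code from the MLTBackdoor sample. The hash
variant (seed, 32-bit truncation, add vs. xor, case handling) is an
assumption; match it against the sample's hashing routine before trusting
any resolution.
"""
from typing import Dict, Iterable, List, Optional

DJB2_SEED = 5381      # classic Bernstein seed (assumed; samples often change it)
MASK32 = 0xFFFFFFFF


def djb2(name: str, seed: int = DJB2_SEED, xor_variant: bool = False) -> int:
    """32-bit DJB2: h = h * 33 + c (or h * 33 ^ c for the xor variant)."""
    h = seed
    for byte in name.encode("ascii"):
        h = ((h << 5) + h) & MASK32          # h * 33, truncated to 32 bits
        h = (h ^ byte) if xor_variant else ((h + byte) & MASK32)
    return h & MASK32


def build_table(names: Iterable[str], **variant) -> Dict[int, str]:
    """Map hash -> API name; refuse silently ambiguous (colliding) tables."""
    table: Dict[int, str] = {}
    for name in names:
        h = djb2(name, **variant)
        if h in table and table[h] != name:
            raise ValueError(f"collision {h:#010x}: {table[h]} / {name}")
        table[h] = name
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Look up constants pulled from the binary; None marks unresolved ones."""
    return {h: table.get(h) for h in hashes}


# Constructed candidate list: exports a file-oriented backdoor with its own
# syscall wrappers plausibly resolves. Feed the full export tables of
# kernel32/ntdll here in real use.
CANDIDATE_APIS: List[str] = [
    "CreateFileW", "ReadFile", "WriteFile", "DeleteFileW", "MoveFileExW",
    "CreateDirectoryW", "FindFirstFileW", "FindNextFileW", "VirtualAlloc",
    "VirtualProtect", "LoadLibraryA", "GetProcAddress",
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
]

if __name__ == "__main__":
    table = build_table(CANDIDATE_APIS)
    for h, name in resolve([djb2("ReadFile"), 0xDEADBEEF], table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

If the sample seeds the hash differently or hashes the DLL name together with the export, pass the observed seed and candidate strings through the same functions rather than changing the table-building logic.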
Threat Analysis
MLTBackdoor is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial gain.
Financially motivated threat actors like MLTBackdoor prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
With high sophistication, MLTBackdoor is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.