MLTBackdoor

Type: APT / Threat Group | Motivation: Financial | Sophistication: High
2 aliases
Last seen: Jun 27, 2026

Intelligence Profile

According to Zscaler, MLTBackdoor is a Windows post-exploitation backdoor likely written in C/C++ and compiled with an LLVM-based obfuscator that applies heavy mixed boolean-arithmetic and control-flow flattening, plus DJB2-based API hashing and indirect system calls to hinder analysis and evade hooks. It uses a custom binary protocol over TLS with elliptic-curve Diffie-Hellman key exchange and AES-GCM for encrypted C2 traffic, and includes a date-based domain generation algorithm (DGA) to maintain contact if primary C2 domains are unavailable. Natively, it provides a focused set of filesystem commands for uploading, downloading, listing, deleting, renaming, and creating files and folders. Its key feature is a built-in Beacon Object File loader compatible with a subset of Cobalt Strike-style BOF imports and its own syscall wrappers, allowing operators to dynamically extend capabilities for activities such as discovery, credential access, and lateral movement, which Zscaler links to ransomware-oriented operations.

Threat Analysis

MLTBackdoor is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations whose primary motivation is financial gain.

Financially motivated threat actors like MLTBackdoor prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, MLTBackdoor is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Aliases: 2

Also Known As

win.mltbackdoor, MLTBackdoor

External Intelligence

Malpedia: win.mltbackdoor

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.