SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mltbackdoor (Back to overview)

MLTBackdoor


According to Zscaler, MLTBackdoor is a Windows post-exploitation backdoor likely written in C/C++ and compiled with an LLVM-based obfuscator that applies heavy mixed boolean-arithmetic and control-flow flattening, plus DJB2-based API hashing and indirect system calls to hinder analysis and evade hooks. It uses a custom binary protocol over TLS with elliptic-curve Diffie-Hellman key exchange and AES-GCM for encrypted C2 traffic, and includes a date-based domain generation algorithm (DGA) to maintain contact if primary C2 domains are unavailable. Natively, it provides a focused set of filesystem commands for uploading, downloading, listing, deleting, renaming, and creating files and folders. Its key feature is a built-in Beacon Object File loader compatible with a subset of Cobalt Strike-style BOF imports and its own syscall wrappers, allowing operators to dynamically extend capabilities for activities such as discovery, credential access, and lateral movement, which Zscaler links to ransomware-oriented operations.

References
2026-06-09ZscalerThreatLabZ research team
Technical Analysis of MLTBackdoor
MLTBackdoor

There is no Yara-Signature yet.