BLACKBIRD.AI A.I CyberSecurity Scoring
BLACKBIRD.AI
Company Information
Website: http://www.blackbird.ai
Employees number: 75
Number of followers: 24,700
NAICS: 5112
Industry Type: Software Development
Homepage: blackbird.ai
BLACKBIRD.AI Risk Score (AI oriented)
Between 600 and 649
BLACKBIRD.AI, Software Development
Updated: 24/06/2026
642/1000
Poor
Caa
BLACKBIRD.AI Global Score (TPRM)
Score locked

BLACKBIRD.AI: Poor
Current Score: 642 Caa (POOR)
Scale: 0 to 1000
1 incident
-113 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
643
JUNE 2026
643
MAY 2026
752
Ransomware
01 May 2026 • BLACKBIRD.AI
Interlock and Black Basta: Stealthy Mistic backdoor linked to ransomware access broker KongTuke
New Mistic Backdoor Linked to KongTuke Initial Access Broker in Targeted Attacks
639
CRITICAL -113
INTBLA1782304111
A newly identified backdoor, dubbed Mistic, has been deployed in financially motivated cyberattacks targeting organizations in the insurance, education, IT, and professional services sectors. The malware is attributed to KongTuke (also known as Woodgnat), an initial access broker (IAB) active since at least 2024, which specializes in breaching corporate networks and selling access to ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Researchers at Symantec first observed Mistic in intrusions beginning in April 2024, with at least one attack involving its deployment shortly after ModeloRAT, another backdoor linked to KongTuke, was delivered via social engineering over Microsoft Teams. Designed for stealth and long-term persistence, Mistic enables attackers to maintain covert access to compromised networks.
### Attack Chain & Capabilities
The infection process begins with the execution of a legitimate MpExtMs.exe binary to side-load a malicious version.dll, which acts as a loader for Mistic (disguised as EndpointDlp.dll). The filename mimics Microsoft endpoint security tools, aiding evasion. A secondary .NET DLL is also deployed, displaying a fake login screen to harvest credentials.
Once active, Mistic establishes communication with its command-and-control (C2) server and supports multiple functions, including:
- File manipulation (upload/download, move, rename, delete, and folder creation)
- Adjustable C2 polling frequency
- In-memory code execution (avoiding disk writes)
- Self-termination and file deletion via a kill switch
Symantec highlights Mistic’s in-memory execution and self-destruct features as key to its low-visibility operations, aligning with KongTuke’s focus on prolonged network access.
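The side-loading chain described above can be checked against image-load telemetry. The following is an added example, not code from Symantec, Zscaler or this page; the field names follow Sysmon Event ID 7, while the sample events, their paths and the `C:\Windows` system root are constructed assumptions.

```python
import ntpath  # Windows path parsing that also works on non-Windows hosts

# Assumption: Windows is installed under C:\Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events using Sysmon Event ID 7 (image load) field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Example\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Example\version.dll",
     "Signed": "false", "Signature": "-"},
    {"Image": r"C:\ProgramData\Example\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Example\EndpointDlp.dll",
     "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def classify(event):
    """Return the list of side-loading findings for one image-load event."""
    host = ntpath.basename(event["Image"]).lower()
    dll_dir, dll = ntpath.split(event["ImageLoaded"].lower())
    ms_signed = (event.get("Signed") == "true"
                 and event.get("Signature", "").startswith("Microsoft"))
    findings = []
    # version.dll is a Windows system library; a copy loaded from an
    # application directory is the classic side-loading pattern.
    if dll == "version.dll" and dll_dir not in SYSTEM_DIRS:
        findings.append("version.dll loaded from outside the system directory")
        if host == "mpextms.exe":
            findings.append("host process is MpExtMs.exe, matching the reported chain")
    # The backdoor borrows the EndpointDlp.dll name, so the name alone is
    # not trusted: require a Microsoft signature.
    if dll == "endpointdlp.dll" and not ms_signed:
        findings.append("EndpointDlp.dll loaded without a Microsoft signature")
    return findings


def scan(events):
    """Return (loaded image path, findings) for every suspicious event."""
    return [(e["ImageLoaded"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(findings))
```

The in-memory execution noted above leaves no file to match, so image-load checks like this cover only the loader stage.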
### Delivery & Additional Tools
While Symantec did not detail the initial infection vector, KongTuke has previously used ClickFix (and variants FileFix and CrashFix) since early 2025 to deploy ModeloRAT. In a separate report, Zscaler, which tracks Mistic as MTLBackdoor, noted its delivery in a May 2024 multi-stage ClickFix attack chain. A notable feature of MTLBackdoor is its ability to load Beacon Object Files (BOFs), small C-based programs that execute in memory, leaving no disk footprint, a technique common in red teaming tools like Cobalt Strike.
KongTuke’s arsenal extends beyond Mistic, incorporating legitimate tools (WinPython, Node.js) and malware loaders (MintsLoader, D3F@ck Loader) to deploy additional payloads, including the GateKeeper .NET payload and the NexShield browser extension.
### Broader Implications
The emergence of Mistic underscores a growing trend of custom backdoors in ransomware operations, developed by IABs with direct ties to cybercriminal ecosystems. Both Symantec and Zscaler have released indicators of compromise (IoCs) for detection, emphasizing the malware’s stealth and modular expansion capabilities.
APRIL 2026
752
MARCH 2026
752
FEBRUARY 2026
752
JANUARY 2026
752
DECEMBER 2025
752
NOVEMBER 2025
752
OCTOBER 2025
752
SEPTEMBER 2025
752
AUGUST 2025
752
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for BLACKBIRD.AI?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in June 2026?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in May 2026?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in April 2026?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in March 2026?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in February 2026?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in January 2026?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in December 2025?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in November 2025?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in October 2025?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in September 2025?
What was BLACKBIRD.AI's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on BLACKBIRD.AI's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with BLACKBIRD.AI?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view BLACKBIRD.AI's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?