BTG A.I CyberSecurity Scoring
BTG
Company Information
Website:https://www.bstonetech.com
Employees number:135
Number of followers:12,087
NAICS:
Industry Type:Information Technology & Services
Homepage:bstonetech.com
BTG Risk Score (AI oriented)
Between 650 and 699
BTGInformation Technology & Services
Updated:
24/06/2026
24/06/2026
663/1000
Weak
B
BTG Global Score (TPRM)
xxxx
BTGInformation Technology & Services
Score locked

BTGWeak
Current Score
663B (WEAK)
01000
1 incidents
-97 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
664
JUNE 2026
663
MAY 2026
662
APRIL 2026
755
Ransomware
01 Apr 2026 • BTG
Qilin and Black Basta: ModeloRAT and Mistic Backdoor Activity Linked to Ransomware Initial Access Broker
New Python-Based RAT and Stealth Backdoor Linked to Ransomware Access Broker Woodgnat
658
CRITICAL-97
QILBLA1782311333
New Python-Based RAT and Stealth Backdoor Linked to Ransomware Access Broker Woodgnat
A recent cybersecurity investigation has uncovered a sophisticated campaign involving ModeloRAT, a Python-based remote access trojan (RAT), and Backdoor.Mistic, a newly identified stealth backdoor. Both tools are tied to Woodgnat (also known as KongTuke), an initial access broker (IAB) that facilitates ransomware deployments for multiple threat groups, including Qilin, Rhysida, Akira, 8Base, and Black Basta.
### Backdoor.Mistic: Stealth and Persistence
First observed in April 2026 and documented by Zscaler, Backdoor.Mistic is designed for long-term, low-visibility access. It employs DLL sideloading via a legitimate executable (MpExtMs.exe), loading a malicious DLL (EndpointDlp.dll) that mimics Microsoft security components. The backdoor uses API hooking to evade detection, executing payloads in-memory without writing files to disk. Additional evasion tactics include a kill switch for self-deletion and adaptive command-and-control (C2) mechanisms, such as domain generation for non-domain hosts.
Functionally, Mistic supports file manipulation, scheduled command checks, and in-memory execution of C2-delivered code, making it a versatile tool for maintaining covert access. Targets have been opportunistic, spanning insurance, education, IT, and professional services, suggesting the operators prioritize saleable enterprise access over industry-specific attacks.
### ModeloRAT: A Hallmark of Woodgnat Activity
ModeloRAT, a long-standing tool in Woodgnat’s arsenal, is typically delivered via a portable WinPython package and executed through signed pythonw.exe. It employs RC4-encrypted C2 communications and multi-path resiliency to maintain persistence. Symantec’s Threat Hunter Team linked ModeloRAT to Qilin ransomware deployments, reinforcing its role in final-stage ransomware operations.
### Intrusion Chain and Tradecraft
The observed attack chain combines multiple stages and tools, including:
- A .NET credential stealer with a fake login prompt
- Living-off-the-land binaries (LOLBins) such as curl, reg.exe, net.exe, certutil, WMIC, and PowerShell for reconnaissance and lateral movement
- Loaders like WinPython and Node.exe to host ModeloRAT and other scripts
- Social engineering lures (e.g., ClickFix, FileFix, CrashFix) tricking victims into executing malicious PowerShell commands
- Microsoft Teams helpdesk pretexts coercing victims into running attacker-supplied commands for rapid persistence
Woodgnat’s tradecraft emphasizes evasion, leveraging signed carriers, in-memory execution, redundant persistence mechanisms, and credential theft to establish durable footholds for ransomware affiliates.
### Defensive Priorities
Key indicators of compromise (IOCs) include:
- Unexpected loading of EndpointDlp.dll by MpExtMs.exe
- Anomalous in-memory execution activities
- Run-key persistence entries mimicking remote-support tools
- Evidence of WinPython or signed pythonw.exe running unknown scripts
As Woodgnat continues to evolve, tracking its infrastructure and the development of ModeloRAT and Mistic remains critical for defenders combating ransomware-enabled access brokering.
INCIDENT DETAILS -
TYPE
MOTIVATION
DATA BREACH
REFERENCES
MARCH 2026
755
FEBRUARY 2026
755
JANUARY 2026
755
DECEMBER 2025
755
NOVEMBER 2025
755
OCTOBER 2025
755
SEPTEMBER 2025
755
AUGUST 2025
755
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for BTG ??
What was BTG's A.I Rankiteo Cyber Score in June 2026 ??
What was BTG's A.I Rankiteo Cyber Score in May 2026 ??
What was BTG's A.I Rankiteo Cyber Score in April 2026 ??
What was BTG's A.I Rankiteo Cyber Score in March 2026 ??
What was BTG's A.I Rankiteo Cyber Score in February 2026 ??
What was BTG's A.I Rankiteo Cyber Score in January 2026 ??
What was BTG's A.I Rankiteo Cyber Score in December 2025 ??
What was BTG's A.I Rankiteo Cyber Score in November 2025 ??
What was BTG's A.I Rankiteo Cyber Score in October 2025 ??
What was BTG's A.I Rankiteo Cyber Score in September 2025 ??
What was BTG's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on BTG's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with BTG ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view BTG's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?