KongTuke is an active initial access broker deploying the Mistic fileless backdoor via DLL side-loading against Microsoft’s MpExtMs.exe security binary, targeting insurance, education, IT, and professional services organizations since April 2026. The backdoor executes entirely in memory, uses DNS-based C2, and includes a self-delete kill switch. Confirmed access sales to Qilin ransomware affiliates create a direct pipeline from initial compromise to ransomware deployment, making this a pre-ransomware detection opportunity for organizations in the four named verticals.
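A triage sketch for the side-loading behaviour described above, added here as an example and not taken from the original report: it scans Sysmon Event ID 7 (image load) records for MpExtMs.exe running outside its baseline directory or loading a module that is not validly Microsoft-signed. The trusted directories, the signer prefix check, and all sample events (paths and DLL names are placeholders) are assumptions to be replaced with your own fleet baseline.

```python
import ntpath

# Assumptions (not from the page): baseline directories for a genuine
# Defender binary, and Sysmon Event ID 7 (ImageLoad) field names.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
HOST = "mpextms.exe"

def in_trusted_dir(path):
    # normpath collapses "..\" segments so traversal cannot fake a prefix match
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def microsoft_signed(ev):
    return (ev.get("Signed") == "true"
            and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature", "").startswith("Microsoft"))

def triage(events):
    """Return (reason, ImageLoaded) for suspicious loads into MpExtMs.exe."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != HOST:
            continue
        if not in_trusted_dir(ev["Image"]):
            hits.append(("host binary outside baseline directory", ev["ImageLoaded"]))
        elif not microsoft_signed(ev):
            hits.append(("non-Microsoft module in trusted host", ev["ImageLoaded"]))
    return hits

# Constructed sample events; paths and DLL names are placeholders.
UNSIGNED = {"Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
SAMPLE = [
    {"Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Docs\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Docs\placeholder.dll", **UNSIGNED},
    {"Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\placeholder2.dll", **UNSIGNED},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Temp\x.dll", **UNSIGNED},
]

if __name__ == "__main__":
    for reason, dll in triage(SAMPLE):
        print(f"{reason}: {dll}")
```

Because the backdoor is described as running entirely in memory, the image-load event for the side-loaded DLL is one of the few on-disk artifacts available, so it is worth alerting on even when no later file writes appear.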