MystRodX Leveraging DNS and ICMP to Steal Sensitive Data From Hacked Systems

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated new backdoor malware has emerged from the shadows, operating undetected for over 20 months while infiltrating networks through an ingenious dual-mode activation system.

Initially discovered masquerading as a Mirai variant, MystRodX represents a significant evolution in stealth malware design, utilizing DNS queries and ICMP packets as covert communication channels to evade traditional security measures.

ICMP packet (Source – XLab)

The malware first surfaced on June 6, 2025, when suspicious activity was detected from IP address 139.84.156.79 distributing an ELF file named dst86.bin.

Despite conventional scanners classifying it as Mirai with only a 4/65 detection rate on VirusTotal, the threat proved to be entirely different from known Mirai strains.

XLab’s Cyber Threat Insight and Analysis System analysts identified the true nature of this threat through advanced behavioral analysis, revealing a complex C++ backdoor with unprecedented stealth capabilities.

What sets MystRodX apart is its passive operational mode, where the malware can remain completely dormant without binding to network ports, making it virtually invisible to standard network monitoring tools.

The threat operates through a sophisticated triple-layer encryption strategy, employing single-byte XOR for VM detection strings, custom transform algorithms for AES keys and trigger packets, and AES CBC mode for configuration data.

This multi-tiered approach ensures that sensitive components remain protected even if portions of the malware are discovered.

The malware’s configuration reveals activation timestamps dating back to January 7, 2024, indicating extensive deployment across compromised systems.

Specified protocol (Source – XLab)

Three active command-and-control servers have been identified in the wild, with evidence suggesting additional undiscovered campaigns utilizing distinct RSA key pairs for different attack operations.

DNS-Based Activation Mechanism

MystRodX’s most innovative feature lies in its DNS-triggered activation system, which transforms seemingly benign DNS queries into sophisticated command vectors.

The malware monitors incoming network traffic using raw sockets, analyzing DNS requests that follow the specific format: www.DomainName.com, where the domain name contains encoded activation instructions.

The activation process begins when the malware encounters a DNS query containing a specially crafted domain.

For example, a domain like “www.UBw98KzOQyRpoSgk5+ViISKmpC6ubi7vao=.com” serves as the trigger mechanism.

The encoded portion undergoes Base64 decoding, producing a 32-byte ciphertext that contains the activation payload.

MagicString (Source – XLab)

Using a proprietary transform algorithm with predefined magic values (0x0d and 0xaa), the malware decrypts this payload to reveal critical operational parameters including the magic identifier “CAT”, protocol specification (TCP/HTTP), target port number, and command-and-control server IP address.

# Transform algorithm implementation (as reconstructed by XLab)
def calc_sum(key):
    # Assumption: calc_sum is not defined in the article; folding the byte sum of
    # the key into a single byte is the usual reading and makes the code runnable.
    return sum(key) & 0xff

def transform(magic, magic2, buf, key):
    """XOR-based transform; magic/magic2 are the 0x0d/0xaa constants.
    The mask never depends on the data, so the same call encrypts and decrypts."""
    buf_len = len(buf) - 1
    key_len = len(key)
    key1 = magic ^ calc_sum(key)                                 # key-derived index seed
    key2 = key[(key1 ^ buf_len) % key_len] ^ magic2 ^ buf_len    # per-buffer mask byte
    out = bytearray()
    for i, value in enumerate(buf):
        out.append((key[(i ^ key1) % key_len] ^ key2 ^ value ^ i) & 0xff)
    return out
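The trigger format described above lends itself to a defender-side check that needs no knowledge of the key. As an added example that is not part of the XLab report or this article, the following Python scans constructed DNS query log lines (the log format is hypothetical) for names of the shape www.<Base64>.com whose middle label either contains characters that never occur in a legitimate hostname or decodes to the 32-byte ciphertext length the article cites.

```python
from __future__ import annotations
import base64
import binascii
import re

# Facts used from the article: trigger queries look like www.<Base64 payload>.com
# and the payload Base64-decodes to a 32-byte ciphertext.
TRIGGER_RE = re.compile(r"^www\.([^.]+)\.com\.?$", re.IGNORECASE)
HOSTNAME_LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")
EXPECTED_CIPHERTEXT_LEN = 32

def classify_query(qname: str) -> str | None:
    """Return a reason string if qname matches the trigger shape, else None."""
    m = TRIGGER_RE.match(qname.strip())
    if not m:
        return None
    label = m.group(1)
    reasons = []
    # '+', '/' and '=' belong to the Base64 alphabet, never to a hostname label.
    if not HOSTNAME_LABEL_RE.match(label):
        reasons.append("non-hostname characters")
    try:
        decoded = base64.b64decode(label, validate=True)
    except binascii.Error:
        decoded = b""          # not valid Base64 (ordinary hostname, or truncated blob)
    if len(decoded) == EXPECTED_CIPHERTEXT_LEN:
        reasons.append(f"Base64 label decodes to {EXPECTED_CIPHERTEXT_LEN} bytes")
    return "; ".join(reasons) or None

def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Apply classify_query to the qname field (third column) of each log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        reason = classify_query(fields[2])
        if reason:
            hits.append((fields[2], reason))
    return hits

# Constructed sample log. CONSTRUCTED_TRIGGER is 44 Base64 chars (32 zero bytes);
# ARTICLE_TRIGGER is the domain quoted in the article, which is not valid Base64 as printed.
CONSTRUCTED_TRIGGER = "www." + "A" * 43 + "=.com"
ARTICLE_TRIGGER = "www.UBw98KzOQyRpoSgk5+ViISKmpC6ubi7vao=.com"
SAMPLE_LOG = "\n".join([
    "2025-06-06T10:00:01Z 10.0.0.5 www.example.com A",
    f"2025-06-06T10:00:02Z 10.0.0.5 {CONSTRUCTED_TRIGGER} A",
    f"2025-06-06T10:00:03Z 10.0.0.7 {ARTICLE_TRIGGER} A",
    "2025-06-06T10:00:04Z 10.0.0.9 mail.corp.example.net MX",
])

if __name__ == "__main__":
    for qname, reason in scan_log(SAMPLE_LOG):
        print(f"suspicious DNS trigger candidate: {qname} ({reason})")
```

Because the malware listens on a raw socket rather than a bound port, the DNS query itself is the observable, so this check belongs on resolver or network-sensor logs rather than on the host.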

Once successfully activated, MystRodX establishes communication with the specified command-and-control infrastructure, transitioning from its passive surveillance state to an active backdoor capable of file management, reverse shell operations, SOCKS proxy functionality, and port forwarding capabilities.
