
A new sophisticated backdoor malware, MystRodX, has been operating undetected for over 20 months, infiltrating networks through a dual-mode activation system. Initially identified as a variant of Mirai, MystRodX employs DNS queries and ICMP packets as covert communication channels to evade traditional security measures.
The malware was first detected on June 6, 2025, originating from IP address 139.84.156.79, which was distributing an ELF file named dst86.bin. Despite initial classifications as a Mirai variant, further analysis revealed MystRodX as a distinct threat with a 4/65 detection rate on VirusTotal.
Advanced analysis by XLab’s Cyber Threat Insight and Analysis System identified MystRodX as a complex C++ backdoor with advanced stealth capabilities. The malware can remain dormant without binding to network ports, making it difficult to detect with standard network monitoring tools.
MystRodX utilizes a triple-layer encryption strategy: single-byte XOR for virtual machine detection strings, custom transform algorithms for AES keys and trigger packets, and AES CBC mode for configuration data. This ensures sensitive components remain secure even if parts of the malware are discovered.
Activation timestamps in the malware’s configuration date back to January 7, 2024, indicating extensive deployment across compromised systems. Three active command-and-control servers have been identified, with evidence of additional undiscovered campaigns using distinct RSA key pairs.
DNS-Based Activation Mechanism
MystRodX features a DNS-triggered activation system that turns DNS queries into command vectors. It monitors incoming traffic through raw sockets and inspects DNS requests of the form www.DomainName.com, where the middle label carries the encoded activation instructions.
The activation process is triggered by DNS queries containing specially crafted domains, such as “www.UBw98KzOQyRpoSgk5+ViISKmpC6ubi7vao=.com.” The encoded portion is Base64-decoded into a 32-byte ciphertext containing the activation payload.
The malware uses a proprietary transform algorithm with predefined magic values to decrypt the payload, revealing operational parameters like the magic identifier “CAT,” protocol specification, target port number, and command-and-control server IP address.
# Transform algorithm implementation
# calc_sum is referenced but not defined in the published snippet; the
# byte-sum-mod-256 body below is an assumption added so the code runs.
def calc_sum(key):
    return sum(key) & 0xff

def transform(magic, magic2, buf, key):
    buf_len = len(buf) - 1              # last index of buf, mixed into the key schedule
    key_len = len(key)
    key1 = magic ^ calc_sum(key)        # first derived key: magic XOR key checksum
    key2 = (key[(key1 ^ buf_len) % key_len]) ^ magic2 ^ buf_len  # second derived key, depends on length
    out = bytearray()
    for i, value in enumerate(buf):
        # XOR each byte with a key byte selected by (i ^ key1), with key2 and the index
        out.append((key[(i ^ key1) % key_len] ^ key2 ^ value ^ i) & 0xff)
    return out
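The following Python is an added illustration of the activation pipeline described above, written for analysts reproducing the decoding steps; it is not code from the article or from XLab. It carries a DNS query name of the www.&lt;label&gt;.com form through Base64 decoding, the 32-byte length check stated in the article, and the transform, then looks for the "CAT" magic identifier. Because the transform is purely XOR-based it is its own inverse, so the block also builds a constructed test vector with the same routine. The key, both magic values, the calc_sum body, and the field layout behind "CAT" (protocol byte, big-endian port, IPv4 address, zero padding) are all assumptions; the real MystRodX parameters are not given in the article.

```python
import base64
import binascii
import ipaddress
import struct

# Constructed parameters for the round-trip demo. The real key and magic values
# used by MystRodX are not published in the article; these are placeholders.
DEMO_KEY = b"example-transform-key"
DEMO_MAGIC = 0x5A
DEMO_MAGIC2 = 0xC3
CIPHERTEXT_LEN = 32  # article: the Base64 label decodes to a 32-byte ciphertext


def calc_sum(key: bytes) -> int:
    """Assumed helper (undefined in the article's snippet): byte sum of the key mod 256."""
    return sum(key) & 0xFF


def transform(magic: int, magic2: int, buf: bytes, key: bytes) -> bytearray:
    """The article's transform. Every step is an XOR, so applying it twice restores buf."""
    buf_len = len(buf) - 1
    key_len = len(key)
    key1 = magic ^ calc_sum(key)
    key2 = key[(key1 ^ buf_len) % key_len] ^ magic2 ^ buf_len
    out = bytearray()
    for i, value in enumerate(buf):
        out.append((key[(i ^ key1) % key_len] ^ key2 ^ value ^ i) & 0xFF)
    return out


def extract_candidate_label(qname: str):
    """Return the middle label of a www.<label>.com query name, or None otherwise."""
    parts = qname.rstrip(".").split(".")
    if len(parts) != 3 or parts[0].lower() != "www" or parts[2].lower() != "com":
        return None
    return parts[1]


def decode_label(label: str):
    """Base64-decode the label; accept it only if it yields exactly 32 bytes."""
    try:
        raw = base64.b64decode(label, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == CIPHERTEXT_LEN else None


def parse_payload(plain: bytes):
    """Assumed layout: b'CAT' | proto (1 byte) | port (2 bytes, BE) | IPv4 (4 bytes) | padding."""
    if plain[:3] != b"CAT":
        return None
    proto = plain[3]
    port = struct.unpack(">H", plain[4:6])[0]
    c2 = str(ipaddress.IPv4Address(plain[6:10]))
    return {"magic": "CAT", "proto": proto, "port": port, "c2": c2}


def analyze_query(qname: str, key=DEMO_KEY, magic=DEMO_MAGIC, magic2=DEMO_MAGIC2):
    """Full pipeline: label -> Base64 -> 32-byte check -> transform -> 'CAT' payload or None."""
    label = extract_candidate_label(qname)
    if label is None:
        return None
    ciphertext = decode_label(label)
    if ciphertext is None:
        return None
    return parse_payload(bytes(transform(magic, magic2, ciphertext, key)))


def build_demo_query(proto: int, port: int, c2_ip: str,
                     key=DEMO_KEY, magic=DEMO_MAGIC, magic2=DEMO_MAGIC2) -> str:
    """Constructed test vector: a query name in the article's format under the demo parameters."""
    payload = b"CAT" + bytes([proto]) + struct.pack(">H", port) + ipaddress.IPv4Address(c2_ip).packed
    payload = payload.ljust(CIPHERTEXT_LEN, b"\x00")
    ciphertext = transform(magic, magic2, payload, key)
    return "www." + base64.b64encode(bytes(ciphertext)).decode() + ".com"


if __name__ == "__main__":
    query = build_demo_query(6, 4443, "192.0.2.10")  # constructed, documentation-range IP
    print(query)
    print(analyze_query(query))
    print(analyze_query("www.example.com"))  # ordinary name: None
```

The length and "CAT" checks are what separate a trigger from an ordinary lookup: a label that is not valid Base64, does not decode to 32 bytes, or does not start with the magic after the transform is rejected before any field is parsed, which is the order a log-replay tool should apply these filters in.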
Upon activation, MystRodX communicates with its command-and-control infrastructure, transitioning from passive surveillance to an active backdoor with capabilities like file management, reverse shell operations, SOCKS proxy functionality, and port forwarding.