MystRodX – Exploiting DNS and ICMP to Exfiltrate Sensitive Data

Security researchers at XLab have exposed MystRodX, a sophisticated backdoor masquerading as Mirai but delivering far more insidious capabilities.

XLab first observed it in early June 2025, when an ELF dropper named dst86.bin was being distributed from the IP 139.84.156.79, but its activity dates back more than 20 months. It stayed undetected that long by combining multi-layer encryption with a passive activation mechanism that needs no open listening port.

Two-Stage Dropper and Guardian Mechanism

MystRodX’s architecture centers on a two-stage dropper that first decrypts and deploys a launcher component before activating the core backdoor binary, chargen. The dropper uses a 32-byte XOR key table and simple checksum verification to ensure payload integrity.

Once deployed, the launcher and backdoor run in a dual-process guardian mechanism, each monitoring and respawning the other to guarantee persistent operation.

The configuration is encrypted with AES-CBC, and the AES key is itself protected by what XLab calls the “Transform Algorithm,” which the researchers reverse-engineered. The transform uses a two-byte magic header, a 32-byte XOR key table, and the final payload byte as the decryption key.

XLab published Python implementations that decrypt the AES key, the trigger packets, and the backdoor payloads.

Flexible Communication and Command Set

MystRodX supports two communication modes, TCP and HTTP, selected at runtime, and can optionally encrypt traffic payloads with AES. Network messages use a fixed header carrying the packet length, main code, subcode, and direction, followed by the data.

Main codes 2, 5, 7, and 8 select the reverse shell, file management, port forwarding, and SOCKS proxy functions, respectively. Command 7 can also switch on traffic encryption at runtime: the C2 delivers a 256-byte RSA-encrypted magic string, which the backdoor decrypts and verifies against the hardcoded value “0x68abut.”

MystRodX’s standout capability is its passive backdoor mode, activated when the configuration’s Backdoor Type field is set to 1. In this mode, the backdoor monitors all incoming traffic via a RAW socket and awaits specially crafted DNS or ICMP packets.

Once received, the packet payload is decrypted with the Transform Algorithm to reveal a 16-byte activation message: a magic header, protocol, port, and C2 IP address.
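A passive listener of this kind never shows up in `ss -ltnp` because it opens no TCP or UDP port, but the raw socket it sniffs with is still visible to the host: AF_INET raw sockets are listed in /proc/net/raw and AF_PACKET sockets in /proc/net/packet. The audit below is an added example, not XLab's code; it parses both files in the kernel's real column layout, maps socket inodes back to PIDs, and returns the sockets worth reviewing. The two /proc snippets embedded in it are constructed samples, and the page does not say which socket family MystRodX uses, so both are checked.

```python
"""Audit a Linux host for raw/packet sockets, i.e. listeners with no open port.
Added example (not XLab's code). SAMPLE_RAW / SAMPLE_PACKET are constructed."""
import os

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 255: "IPPROTO_RAW"}
ETH_PROTO = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP"}
SOCK_TYPE = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def parse_proc_net_raw(text: str) -> list:
    """AF_INET raw sockets. local_address is <hex ip>:<hex protocol>; the IP is
    in host byte order, so on x86 127.0.0.1 is shown as 0100007F."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, proto_hex = f[1].split(":")
        proto = int(proto_hex, 16)
        ip = ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append({"family": "AF_INET", "proto": IP_PROTO.get(proto, str(proto)),
                     "addr": ip, "uid": int(f[7]), "inode": int(f[9])})
    return rows


def parse_proc_net_packet(text: str) -> list:
    """AF_PACKET sockets: columns sk RefCnt Type Proto Iface R Rmem User Inode."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        proto = int(f[3], 16)
        rows.append({"family": "AF_PACKET", "proto": ETH_PROTO.get(proto, "0x%04x" % proto),
                     "type": SOCK_TYPE.get(int(f[2]), f[2]), "ifindex": int(f[4]),
                     "uid": int(f[7]), "inode": int(f[8])})
    return rows


def socket_owners(inodes, proc="/proc") -> dict:
    """Map socket inode -> [pid] by walking /proc/*/fd (root needed for other users)."""
    wanted = {"socket:[%d]" % i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                link = os.readlink(os.path.join(fd_dir, fd))
                if link in wanted:
                    owners.setdefault(int(link[8:-1]), []).append(int(pid))
        except OSError:                          # process exited or not ours
            continue
    return owners


def passive_listeners(raw_rows, packet_rows) -> list:
    """Sockets able to receive unsolicited ICMP/DNS without any open port.
    Legitimate owners exist (tcpdump, dhclient, some ping builds), so this is a
    review list, not a verdict."""
    return [r for r in raw_rows] + \
           [p for p in packet_rows if p["proto"] in ("ETH_P_ALL", "ETH_P_IP")]


# Constructed samples in the kernel's layout: one ICMP raw socket, one ETH_P_ALL sniffer.
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
"""
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      42424
"""

if __name__ == "__main__":
    with open("/proc/net/raw") as fh:
        raw = parse_proc_net_raw(fh.read())
    with open("/proc/net/packet") as fh:
        pkt = parse_proc_net_packet(fh.read())
    hits = passive_listeners(raw, pkt)
    owners = socket_owners([h["inode"] for h in hits])
    for h in hits:
        print(h, "pids:", owners.get(h["inode"], "?"))
```

Run it as root on the host under review; anything owned by a process that is not a known sniffer, DHCP client, or monitoring agent deserves a look at its binary and its parent (the guardian pair described above would show as two processes respawning each other).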


DNS Trigger Analysis

For DNS triggers, the malware expects queries in the format www.{mask}UBw98KzOQyRpoSgk5+ViISKmpC6ubi7vao=.DomainName.com.

The 9-byte mask and the Base64 string together decode to a ciphertext that, when run through the Transform Algorithm with magic 0x0d and magic2 0xaa, yields the activation payload pointing to the C2 server at 149.28.137.254:8010.

ICMP Trigger Analysis

ICMP-based activation is equally stealthy. To test it, the researchers built an ICMP echo request and appended an encrypted payload specifying a C2 of 192.168.96.1:443 over HTTP.

Upon receipt, MystRodX decrypted, parsed, and initiated an HTTP check-in, confirming the sample’s passive-mode operation.

MystRodX has evaded most antivirus engines. Its initial detection rate was only 4/65, with the sample misclassified as Mirai; recent signature updates have nudged this to just 6/65.

XLab’s C2 hunting platform identified three active C2 servers, two linked to unknown campaigns, underscoring the backdoor’s persistence and evolving stealth.

With no clear infection vector or targeted industry identified so far, MystRodX represents a highly adaptable and covert class of threat.

Network defenders are urged to audit for unusual DNS query patterns and abnormal ICMP payloads, and to deploy deep-packet-inspection tooling able to recognise and decrypt Transform Algorithm payloads. XLab invites further collaboration to track emerging MystRodX variants and develop robust detection strategies.
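The two trigger channels above give defenders concrete things to look for, and the checks below turn them into code. This is an added example, not XLab's code: it flags DNS query names shaped like the published trigger (a `www.` host whose second label is Base64 rather than a hostname, which stands out because `+`, `/` and `=` are not legal hostname characters) and ICMP echo payloads that are not the stock payload of Linux iputils or Windows ping. The Base64 string in the sample is the one quoted on the page; the 9-character mask in front of it, the other query names, and the ICMP payloads are constructed here.

```python
"""Detect MystRodX-style DNS and ICMP trigger packets (added example, not
XLab's code). Sample inputs are constructed except TRIGGER_B64 from the page."""
import base64
import hashlib
import re

HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9-]+$")   # RFC 1123 label alphabet
MASK_LEN = 9                                      # mask length given on the page
ACTIVATION_LEN = 16                               # activation message size on the page
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows echo payload


def inspect_dns_qname(qname: str) -> list:
    """Reasons a query name looks like the DNS trigger (empty list = clean)."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    if len(labels) < 3 or labels[0].lower() != "www":
        return reasons
    blob = labels[1]
    if not HOSTNAME_LABEL.match(blob):
        reasons.append("second label contains non-hostname characters")
    if len(blob) > MASK_LEN:
        try:
            # The page says mask + Base64 together decode to the ciphertext;
            # plain words usually fail on padding or decode to < 16 bytes.
            decoded = base64.b64decode(blob, validate=True)
            if len(decoded) >= ACTIVATION_LEN:
                reasons.append("label Base64-decodes to %d bytes" % len(decoded))
        except ValueError:                         # binascii.Error is a ValueError
            pass
    return reasons


def is_stock_ping_payload(payload: bytes) -> bool:
    """Default echo-request payloads: Windows ping's alphabet string, or
    iputils' 8-byte timestamp followed by bytes counting up from 0x10
    (each byte equals its offset within the ICMP packet)."""
    if payload == WINDOWS_PING:
        return True
    return len(payload) > 8 and all(
        payload[i] == (i + 8) & 0xFF for i in range(8, len(payload)))


def inspect_icmp_payload(payload: bytes) -> list:
    """Flag echo payloads that are neither a stock ping nor too short to carry
    the 16-byte activation message."""
    if is_stock_ping_payload(payload) or len(payload) < ACTIVATION_LEN:
        return []
    return ["non-stock echo payload of %d bytes" % len(payload)]


def scan(dns_qnames, icmp_payloads) -> list:
    """Run both checks and return (channel, sample, reasons) tuples."""
    alerts = []
    for q in dns_qnames:
        reasons = inspect_dns_qname(q)
        if reasons:
            alerts.append(("dns", q, reasons))
    for p in icmp_payloads:
        reasons = inspect_icmp_payload(p)
        if reasons:
            alerts.append(("icmp", p[:8].hex(), reasons))
    return alerts


# Constructed samples. TRIGGER_B64 is the string quoted on the page; the mask
# of nine 'A's stands in for the 9-byte mask, whose real value is not given.
TRIGGER_B64 = "UBw98KzOQyRpoSgk5+ViISKmpC6ubi7vao="
SAMPLE_QNAMES = [
    "www.example.com",
    "mail.example.org",
    "www." + "A" * MASK_LEN + TRIGGER_B64 + ".DomainName.com",
]
LINUX_PING = bytes(8) + bytes((i + 8) & 0xFF for i in range(8, 56))
CONSTRUCTED_TRIGGER = hashlib.sha256(b"constructed stand-in, not a real trigger").digest()
SAMPLE_ICMP = [LINUX_PING, WINDOWS_PING, CONSTRUCTED_TRIGGER]

if __name__ == "__main__":
    for alert in scan(SAMPLE_QNAMES, SAMPLE_ICMP):
        print(alert)
```

Feed `inspect_dns_qname` from your resolver's query log and `inspect_icmp_payload` from a packet capture; both are heuristics, so tune the allow-list of ping patterns for the stacks on your network (macOS and embedded pings use other fills) before alerting on every non-stock echo.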

IOC

Downloader
http://139.84.156[.]79/dst-x86.bin

C2 & Campaign
airtel.vpndns.net:443   neybquno
149.28.130.195:443      zoufkcfr
149.28.137.254:8010     neybquno
149.28.137.254:8443     zoufkcfr
156.244.6.68:443        unknown
185.22.153.228:443      unknown

Sample MD5
5e3a2a0461c7888d0361dd75617051c6 *dst      (dropper)
72d377fa8ccf23998dd7c22c9647fc2a *chargen  (backdoor)

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders