August 30, 2025
XLab has identified a previously unknown and stealthy backdoor dubbed MystRodX, capable of operating undetected in compromised environments for extended periods. Initially mistaken for the well-known Mirai malware, further analysis revealed it to be a brand-new backdoor family with unique encryption layers and activation mechanisms.
On June 6, 2025, XLab flagged suspicious activity from an IP address distributing a binary named dst86.bin. VirusTotal results showed a low detection rate of just 4/65, labeling it as Mirai. However, XLab’s AI module disagreed, prompting deeper investigation. “Turns out, it wasn’t Mirai. It was a dropper—and what it delivered was a brand-new backdoor, unrelated to known Mirai strains. We’ve named it MystRodX.”
MystRodX, written in C++, includes capabilities like file management, port forwarding, reverse shell, and SOCKS proxy. But its true power lies in its stealth and configurability.
According to XLab, “Stealth is achieved through a differentiated encryption strategy for various levels of sensitive information,” including XOR encryption for VM/debugger strings, custom “transform algorithm” encryption for payloads, and AES-CBC for configuration data.
MystRodX can also dynamically switch between TCP or HTTP communications and toggle between plaintext or AES-encrypted traffic, depending on configuration.
One of the most novel features of MystRodX is its passive wake-up mode. Unlike typical backdoors that rely on open ports, MystRodX can lie dormant until triggered by specific DNS or ICMP packets.
XLab explains: “MystRodX can be configured as a passive backdoor that is activated by specific DNS or ICMP network packets without the need for open ports.”
- DNS Trigger: Maliciously crafted DNS queries containing hidden Base64 payloads activate the backdoor, which then connects to a command-and-control (C2) server.
- ICMP Trigger: Specially crafted ping packets can embed encrypted instructions, directing MystRodX to connect to attacker infrastructure over TCP or HTTP.
This allows MystRodX to bypass firewall rules and intrusion detection systems, staying hidden until adversaries decide to activate it.
Analysis revealed that MystRodX samples carried activation timestamps as far back as January 7, 2024. This means the malware may have been lurking in networks for over 20 months undetected.
MystRodX also employs a dual-process guardian mechanism: if either its launcher or backdoor process is terminated, the other automatically restarts it, ensuring resilience against termination attempts.
Through its C2 hunting platform, XLab confirmed the existence of three live command-and-control servers tied to MystRodX campaigns. While some used known RSA keys linked to prior campaigns, others appear to be part of uncaptured, ongoing operations, proving the malware is still active in the wild.
XLab advises defenders to:
- Monitor for unusual DNS or ICMP payloads carrying hidden instructions.
- Hunt for unexplained connections to C2 IPs such as 149.28.137.254, 156.244.6.68, and 185.22.153.228.
- Deploy behavior-based detection capable of catching dual-process persistence mechanisms.
As XLab concludes: “It’s time to expose a long-lingering threat—and help defenders hunt it down.”
