The Covert Dual-Mode Backdoor Threat

Aug. 28, 2025, 1:45 p.m.

Description

MystRodX is a sophisticated backdoor discovered in June 2025, featuring stealth and flexibility. It uses multi-layer encryption for sensitive information and can operate in active or passive modes. The backdoor supports file management, port forwarding, reverse shell, and socket management. Its passive mode can be activated by specific DNS or ICMP packets. Analysis reveals a dual-process guardian mechanism and configurable communication protocols. Three active command and control servers were identified, indicating ongoing threat activity. The backdoor's low detection rate and long-term presence in networks since January 2024 highlight its effectiveness in evading security measures.

External References

https://blog.xlab.qianxin.com/mystrodx_covert_dual-mode_backdoor_en
https://otx.alienvault.com/pulse/68b02e9d16cefad9b2cd22a9
Tags
backdoor
encryption
stealth
c2 servers
2025-08-28
icmp trigger
mystrodx
dual-process guardian
dns trigger
passive mode

Date

  • Created: Aug. 28, 2025, 10:25 a.m.
  • Published: Aug. 28, 2025, 10:25 a.m.
  • Modified: Aug. 28, 2025, 1:45 p.m.

Indicators

  • fed7ae045bc499a40bab4fd7aef1fe8bf77ce867d143885210fe798ce428c1b2
  • f98e329ecf57747ea3a4ac32cf7331956528dac254bd81d64da645bf293b9466
  • c30fe320fc301a50b8834fb842d95db273944a6f57af55c864fb3f59640f4cc0
  • e053b559ebc2c132af42c6f16dde6afb7a411ac7f9f90b5c67bfbe015eca1e8f
  • 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d
  • 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200
  • 59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596
  • 587baefa189b1ea2cf0412e6f5a4bb7c103785ba838232b4905f52d77f41cda0
  • 432125ca41a2c5957013c8bff09c4037ad18addccab872d46230dd662a2b8123
  • 185.22.153.228
  • 156.244.6.68
  • http://139.84.156.79/dst-x86.bin
Download all indicators here!

Attack Patterns

  • MystRodX