CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

MystRodX Backdoor with DNS and ICMP Triggers Used in Cyber Espionage

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A stealthy backdoor named MystRodX, also known as ChronosRAT, has been identified in cyber espionage activities. This backdoor, written in C++, supports various features like file management, port forwarding, and reverse shell. It uses DNS and ICMP triggers for command-and-control (C2) communication, making it difficult to detect. MystRodX has been linked to a China-nexus cyber espionage group called Liminal Panda. The malware has been active since at least January 2024 and is delivered through a dropper with anti-debugging and anti-virtualization checks. It can operate in both passive and active modes, depending on its configuration.

Timeline

  1. 02.09.2025 17:56 1 articles · 27d ago

    MystRodX Backdoor Linked to Liminal Panda Cyber Espionage Group

    MystRodX, a stealthy backdoor, has been identified in cyber espionage activities. It uses DNS and ICMP triggers for command-and-control communication and is linked to the China-nexus group Liminal Panda. The malware has been active since at least January 2024 and supports various features like file management, port forwarding, and reverse shell. It is delivered through a dropper with anti-debugging and anti-virtualization checks and can operate in both passive and active modes.

    Show sources

Information Snippets

Similar Happenings

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been identified deploying a new backdoor malware named NotDoor through Microsoft Outlook. This malware exploits Outlook to facilitate covert communication, data exfiltration, and malware delivery. The backdoor is triggered by specific words in incoming emails, allowing attackers to execute commands on the victim's computer. NotDoor is distributed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The malware uses PowerShell commands encoded in Base64 to perform various functions, including disabling macro security defenses and enabling macro execution. The backdoor maintains persistent access to the targeted system and can initiate data exfiltration through email attachments or upload malicious files. The malware has been used to target multiple companies from different sectors in NATO member countries. It creates a staging folder at %TEMP%\Temp to store and exfiltrate files, and supports commands for executing commands, exfiltrating files, and uploading files to the victim's computer.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

The North Korean threat group Scarcruft (APT37) has launched a campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, began in July 2025 and includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation. Additionally, a modular backdoor malware for the macOS platform, ChillyHell, has resurfaced with a new version. This malware gives attackers remote access and allows them to drop payloads or brute-force passwords. The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021. The malware has multiple persistence mechanisms and can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking. Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf. A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration, system enumeration, and arbitrary command execution. The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor. The campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets. TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024. TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient. TsunamiClient incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner. Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan. AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt). The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. The campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies. The campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole. The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.