MystRodX / ChronosRAT backdoor activity with DNS and ICMP wake-up triggers
Malware Activity
Summary
Researchers disclosed MystRodX/ChronosRAT, a stealthy backdoor that can capture data and execute remote commands on compromised systems. The malware uses DNS and ICMP-based wake-up triggers, layered encryption, and configurable TCP or HTTP communications to hide operator traffic. Its dropper uses anti-debugging and virtual machine checks before unpacking the next stage, and evidence suggests it may have been active since at least January 2024.
Related Happenings
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
BPFDoor Linux backdoor with HTTPS-hidden trigger packets
Malware Activity
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...
Red Menshen telecom espionage campaign
Campaign
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Kimwolf DDoS botnet expansion across Android TVs, set-top boxes, and tablets
Malware Activity
First: 17.12.2025 20:09
Last: 17.12.2025 20:09
Sources 1
About this happening:
The **Kimwolf** botnet now spans **1.8 million infected devices**, giving it the scale to drive high-volume **DDoS** abuse and broaden downstream risk. It primarily targets **Andr...
DeskRAT Linux persistence and command-set analysis
Technical Analysis
First: 24.10.2025 17:00
Last: 24.10.2025 17:00
Sources 1
About this happening:
Researchers detailed **DeskRAT**'s Linux persistence methods and command set, giving defenders concrete indicators for spotting the malware on **BOSS Linux** hosts. The analysis m...
Timeline
02.09.2025 17:56 · 2 articles
QiAnXin XLab discloses MystRodX backdoor with DNS and ICMP wake-up triggers
Initial Disclosure: QiAnXin XLab disclosed MystRodX, also called ChronosRAT, as a stealthy C++ backdoor linked to CL-STA-0969 and overlapping with Liminal Panda. The malware supports file management, port forwarding, reverse shell, and socket management, uses layered encryption and configurable TCP or HTTP communication, can operate in passive backdoor mode, and may be triggered by specially crafted DNS or ICMP packets; the dropper also uses anti-debugging and virtual machine checks before decrypting the next-stage payload containing daytime, chargen, and busybox.
Sources:
- Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control — thehackernews.com — 02.09.2025 17:56