NoDepDNS

NoDepDNS is a custom Golang backdoor used in 2024 intrusions against telecommunications providers in Southeast Asia/Southwest Asia that Palo Alto Networks Unit 42 tracks as CL-STA-0969, an activity cluster assessed to heavily overlap with CrowdStrike’s Liminal Panda and linked by Unit 42 to Beijing with high confidence. The malware was deployed after initial access that was likely obtained through SSH brute-force attacks using telecommunications-focused credential dictionaries. NoDepDNS is described as a stealthy DNS-tunneling backdoor that uses port 53 for malicious communications. It passively listens for UDP traffic on port 53, parses DNS messages, and decodes commands embedded in DNS response IP addresses using XOR encoding/encryption, then executes those commands locally. Available reporting states it does not return command output. The implant was internally named "MyDns" in debug symbols and was monitored and maintained by shell scripts. In the broader campaign, operators used NoDepDNS alongside other custom implants and tools such as AuthDoor, GTPDoor, ChronosRAT, EchoBackdoor, CordScan, FRP, Microsocks, FScan, and Responder to maintain persistent, stealthy access in mobile telecom environments. The threat actors used multiple defense-evasion measures in conjunction with this malware, including process-name masquerading, timestomping, weakening or disabling SELinux by setting permissive mode, and removing traces from authentication logs. The campaign targeted mobile telecom infrastructure and was assessed as likely intended to support location-tracking or other espionage objectives, although Unit 42 reported no clear evidence of data theft or direct communication with mobile devices in the investigated cases. High-confidence host/network characteristics directly mentioned for NoDepDNS include Golang implementation, passive listening on UDP/53, DNS-message parsing, command delivery via DNS/IP-address-based XOR decoding, and use of port 53 for covert command-and-control.