Stealth Malware Campaign Infects Thousands via DNS TXT Abuse

Summary
– Detour Dog malware infects over 30,000 websites and uses DNS either to redirect visitors or to fetch and execute code server-side, with no visible cue to the user.
– The attack operates covertly: the infected server sends DNS queries that encode the visitor's IP address and device type, and attacker-controlled name servers decide which visitors to target.
– It employs DNS TXT records for command and control, enabling infected sites to fetch and run malicious scripts while hiding staging hosts behind compromised websites.
– Infected sites can remain compromised for over a year because most visits appear normal, and only specific visitors are targeted based on location and device.
– Detection is challenging as about 90% of DNS queries return “do nothing,” with only 9% causing redirections and 1% triggering fetch-and-execute tasks.
A sophisticated malware campaign known as Detour Dog has compromised more than 30,000 websites, leveraging DNS TXT records to orchestrate server-side attacks that remain invisible to ordinary users. This technique allows infected sites to retrieve and execute malicious commands through the Domain Name System, functioning as a covert command-and-control channel. Because the malicious activity occurs on the server end, most visitors see a normal, harmless webpage, while a select few, based on criteria like geographic location or device type, are silently redirected to scams or made to download harmful software. The scale of this operation is staggering, with some periods recording over two million DNS TXT record requests in just sixty minutes.
The mechanics of the attack hinge on the infected web server, rather than the user’s device, sending DNS queries that include details such as the visitor’s IP address and device information. These queries are processed by name servers under the attackers’ control, which then decide whether to issue a “do nothing” reply or to trigger a malicious action like a redirect or a remote code execution. This server-side approach makes Detour Dog extremely difficult to detect and reproduce, since the majority of site visits appear legitimate and only specific targets encounter malicious behavior.
Key characteristics of the Detour Dog campaign include its widespread reach and advanced evasion methods. Security researchers highlight that the infrastructure has evolved from pushing scams through advertising affiliate networks to distributing a backdoor called StarFish, which in turn installs Strela Stealer malware. This malware is operated by the threat group Hive0145. By hiding staging hosts behind otherwise legitimate compromised websites and using DNS TXT records for clandestine communication, the attackers create a system full of misdirection, much like a shell game, where pinpointing the actual source of the malware becomes a major challenge.
Another troubling aspect is the campaign’s persistence. Compromised websites can remain infected for more than a year because the malicious logic is executed server-side and the vast majority of user visits are benign. Approximately 90% of DNS queries from these sites receive a harmless response, while only about 9% lead to redirections and a mere 1% initiate “fetch and execute” tasks. This selective targeting helps the operation fly under the radar of conventional security tools.
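The server-side pattern described above (one web server emitting many TXT queries to a single zone, with a different encoded leftmost label per visitor) leaves a footprint on the recursive resolver the server uses. The following detection heuristic is an added example written for this page, not code from the article or from any vendor tool; the log format, the thresholds and the zone names are constructed, and the page does not disclose the real encoding, so the example only looks for volume, uniqueness and randomness of the leftmost label rather than decoding anything.

```python
"""Flag resolver clients whose TXT query pattern matches a server-side DNS
C2 beacon: many TXT queries to one apex zone, each with a unique,
random-looking leftmost label. Thresholds, log format and zone names are
constructed assumptions for this example, not campaign indicators."""
import math
from collections import defaultdict

# Constructed resolver log lines: "<unix_ts> <source_ip> <qtype> <qname>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 TXT a1b2c3d4e5.c2-zone.example
1700000001 10.0.0.5 TXT f6e5d4c3b2.c2-zone.example
1700000002 10.0.0.5 TXT 0a9b8c7d6e.c2-zone.example
1700000003 10.0.0.5 TXT 7f8e9d0c1b.c2-zone.example
1700000004 10.0.0.5 TXT 2a3b4c5d6e.c2-zone.example
1700000005 10.0.0.7 A www.shop.example
1700000006 10.0.0.7 TXT _dmarc.shop.example
1700000007 10.0.0.7 TXT _dmarc.shop.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or hashed labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_zone(qname: str) -> str:
    """Crude apex: the last two labels (no public-suffix list handling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_suspects(log_text: str, min_txt: int = 5,
                  min_unique_ratio: float = 0.8,
                  min_entropy: float = 3.0) -> dict:
    """Return {(source_ip, apex): (count, unique_ratio, mean_entropy)} for
    clients whose TXT traffic to one zone looks like per-visitor encoding.
    Legitimate TXT lookups (SPF, DMARC) repeat the same few names and fail
    the uniqueness test; a beaconing web server passes all three."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        _, src, _, qname = parts
        groups[(src, apex_zone(qname))].append(qname.split(".")[0])
    suspects = {}
    for key, labels in groups.items():
        count = len(labels)
        ratio = len(set(labels)) / count
        entropy = sum(shannon_entropy(lbl) for lbl in labels) / count
        if count >= min_txt and ratio >= min_unique_ratio and entropy >= min_entropy:
            suspects[key] = (count, round(ratio, 2), round(entropy, 2))
    return suspects
```

In production the same grouping should be applied per time window, since the article reports bursts of over two million TXT requests in an hour, and the source IP of interest is the web server rather than end-user clients.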
In June and July 2025, Strela Stealer campaigns were distributed using REM Proxy, a botnet based on MikroTik hardware, alongside the Tofsee botnet. This revealed a direct affiliation between Detour Dog and the operators of these botnets. Evidence suggests Detour Dog acted as the exclusive source for these campaigns during that period, effectively providing malware delivery as a service for Hive0145 and utilizing the botnets for spam distribution. More than two-thirds of the staging domains linked to these attacks were controlled by Detour Dog, though newer analysis indicates these domains did not actually host malicious payloads; they served as DNS relays instead.
This campaign underscores how everyday web browsing can translate into serious business risk. Traditional endpoint security solutions often fail to catch server-side DNS exploitation, making network-level and DNS-layer defenses the most reliable points of intervention. These findings reinforce that DNS is not merely a tool for tracking adversaries; it has become a critical frontline for blocking attacks before they impact users or corporate systems. Still, the success of any DNS-focused security strategy depends entirely on the accuracy and timeliness of the threat intelligence it employs. As attackers continue to refine their methods, maintaining robust DNS-layer visibility and deploying intelligence specifically designed to counter these emerging threats are essential for staying protected.
(Source: ITWire Australia)
