The Infoblox Threat Intelligence team has released an in-depth report on a global malware campaign leveraging the Domain Name System (DNS) to distribute malicious payloads and evade detection. The threat actor behind the operation, tracked as Detour Dog, has infected tens of thousands of websites worldwide, using DNS TXT records as a novel command-and-control (C2) mechanism.
Unlike traditional web-based malware, Detour Dog’s infrastructure hides its activity by shifting malicious commands into DNS traffic. Infoblox explains: “These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type.”
Historically, the redirects led users to tech support scams or malicious ads, but in mid-2025, the malware evolved into a more dangerous form: “The website malware fundamentally advanced in spring 2025. The actor added a new capability to command infected websites to execute code from remote servers.”
Detour Dog was a major player in the Strela Stealer campaigns that swept across Europe in summer 2025. Infoblox found that “Detour Dog-owned infrastructure was hosting a backdoor malware, StarFish, used to install the information stealer … Of the confirmed StarFish staging hosts, at least 69 percent were under Detour Dog control; the true percentage is likely much higher.”

The actor also weaponized DNS TXT records to distribute malware directly. “The actor-controlled name servers were modified to interpret specially formatted DNS queries … and to respond with remote code execution commands.”
In August 2025, the Shadowserver Foundation sinkholed Detour Dog’s C2 infrastructure, providing unprecedented insight into the scale of the campaign. Infoblox reports: “Approximately 30,000 infected hosts, within 584 top-level domains (TLDs), were seen in a 48-hour window. The queries show a significant amount of bot traffic; at its peak, the sinkhole received 2 million TXT requests in an hour.”
The data also revealed anomalies: IPs belonging to organizations such as the U.S. Department of Defense appeared in the queries, raising questions about how the bot traffic is generated and whether attackers are spoofing or abusing non-human IP ranges.
Detour Dog has demonstrated agility in resisting takedowns. After Shadowserver sinkholed its domain webdmonitor[.]io, the group switched to aeroarrows[.]io within hours. When that domain was also neutralized, they quickly stood up new infrastructure. As Infoblox notes, “It took Detour Dog only a few hours to establish a new C2 and regain control of the infected sites.”
The Detour Dog campaign showcases how DNS, often overlooked as a security vector, can be weaponized into a malware distribution and C2 channel. By blending in with normal DNS activity and leveraging compromised websites, the actor has created a resilient, stealthy, and globally distributed infrastructure.
Infoblox concludes with a warning: “We believe this has created a novel networked malware distribution model using DNS … With a large network of infected hosts, this might be considered a three card monte version of malware distribution.”
Organizations should strengthen DNS monitoring, analyze TXT record anomalies, and track suspicious redirection domains to detect and disrupt campaigns like Detour Dog before they deliver their payloads.
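The server-side TXT lookups described above leave a footprint in resolver logs: a web host that suddenly issues many TXT queries, often with long random-looking labels, to a domain that has no legitimate reason to serve TXT records. The following detector is an added example (not Infoblox's or Shadowserver's tooling) that scores such patterns over a constructed resolver log. It assumes a simple log format of `<epoch> <client_ip> <qname> <qtype>` per line, a small allowlist of domains where TXT lookups are expected (SPF, DKIM, DMARC), and arbitrary thresholds; the `.invalid` domains and IP addresses in the sample are placeholders, not indicators from the report.

```python
"""Heuristic detector for DNS TXT query patterns consistent with TXT-record C2.

Added example, not Infoblox tooling. Assumes a resolver log with one query per
line in the form "<epoch> <client_ip> <qname> <qtype>".
"""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log. 10.0.0.5 is a mail host doing normal SPF/DKIM/DMARC
# lookups; 10.0.0.7 and 10.0.0.9 are web servers querying random-looking labels
# under placeholder (.invalid) domains; 10.0.0.11 does one ordinary TXT lookup.
SAMPLE_LOG = """\
1700000000 10.0.0.5 example.com TXT
1700000001 10.0.0.5 _dmarc.example.com TXT
1700000002 10.0.0.5 selector1._domainkey.example.com TXT
1700000003 10.0.0.5 mail.example.com A
1700000010 10.0.0.7 www.example.com A
1700000011 10.0.0.7 3b7f9a1c4e8d2f60.placeholder-c2.invalid TXT
1700000012 10.0.0.7 c81e2a9f0d7b4356.placeholder-c2.invalid TXT
1700000013 10.0.0.7 7d2a0c5e9b1f8463.placeholder-c2.invalid TXT
1700000014 10.0.0.7 e4b90d3a7c1f2685.placeholder-c2.invalid TXT
1700000015 10.0.0.7 1f6c8a2e0b9d7354.placeholder-c2.invalid TXT
1700000016 10.0.0.7 a05d3e7b9c1f4826.placeholder-c2.invalid TXT
1700000020 10.0.0.9 5c2e8a1d9f0b7463.lookalike-cdn.invalid TXT
1700000021 10.0.0.9 9a3f1d7c0e5b2846.lookalike-cdn.invalid TXT
1700000030 10.0.0.11 txt.other.invalid TXT
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

# Domains where TXT lookups are expected (SPF/DKIM/DMARC); tune per environment.
EXPECTED_TXT_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class Query:
    ts: int
    client: str
    qname: str
    qtype: str


def parse_log(text):
    """Parse log lines into Query records; malformed lines are skipped."""
    queries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            queries.append(Query(int(ts), client, qname.rstrip(".").lower(), qtype))
    return queries


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive registered domain: the last two labels (no public-suffix list here)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def looks_encoded(qname, min_len=10, min_entropy=3.0):
    """True when the leftmost label is long and high-entropy, i.e. looks like encoded data."""
    first = qname.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def find_txt_anomalies(queries, window=3600, rate_threshold=5,
                       encoded_threshold=2, allow=EXPECTED_TXT_DOMAINS):
    """Group TXT queries by (client, registered domain) and flag suspicious groups.

    A group is flagged when it sends rate_threshold or more TXT queries inside
    `window` seconds, or when encoded_threshold or more of its qnames look encoded.
    """
    groups = defaultdict(list)
    for q in queries:
        if q.qtype == "TXT":
            groups[(q.client, registered_domain(q.qname))].append(q)

    findings = []
    for (client, domain), qs in sorted(groups.items()):
        if domain in allow:
            continue
        span = max(q.ts for q in qs) - min(q.ts for q in qs)
        encoded = sum(looks_encoded(q.qname) for q in qs)
        reasons = []
        if len(qs) >= rate_threshold and span <= window:
            reasons.append("high_txt_volume")
        if encoded >= encoded_threshold:
            reasons.append("encoded_labels")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "txt_queries": len(qs), "encoded_labels": encoded,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_txt_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the mail host's SPF/DKIM/DMARC lookups are suppressed by the allowlist, the single plain TXT lookup from 10.0.0.11 falls below both thresholds, and the two web servers are reported: one for volume and encoded labels, the other for encoded labels alone. In practice the allowlist should be built from the organisation's own mail domains and the thresholds tuned against a baseline, and a web server that makes TXT queries at all is worth a closer look regardless of score, since ordinary web serving has no need for them.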