Cyber Web Spider Blog – News
New DNS Malware Detour Dog Delivers Strela Stealer Using DNS TXT Records

Posted on October 1, 2025 by CWS

A sophisticated DNS-based malware campaign has emerged, using thousands of compromised websites worldwide to deliver the Strela Stealer information-stealing malware through an unprecedented technique involving DNS TXT records.

The threat, tracked as Detour Dog by security researchers, represents a significant evolution in malware distribution methods, leveraging the Domain Name System as both a command-and-control mechanism and a delivery channel.

The campaign affects tens of thousands of websites globally, creating a vast network of infected hosts that communicate with actor-controlled name servers through specially crafted DNS queries.

These server-side DNS requests remain invisible to website visitors, allowing the malicious infrastructure to operate covertly while maintaining the appearance of legitimate web traffic.

The infected sites conditionally redirect visitors to malicious content based on their geographic location and device type, a filtering mechanism that helps the operation evade detection.

Detour Dog has evolved considerably from its origins as a redirect-to-scam operation.

The threat actor behind this campaign has been active since at least August 2023, initially focusing on redirecting users to fraudulent websites and tech support scams.

However, recent developments show a marked shift toward direct malware distribution, particularly in campaigns targeting European users with the Strela Stealer payload.

Infoblox analysts identified the connection between Detour Dog infrastructure and Strela Stealer operations during summer 2025, when they discovered that at least 69 percent of confirmed StarFish staging hosts were under Detour Dog control.

Multiple attack vectors make use of Detour Dog-controlled assets (Source: Infoblox)

This finding revealed that the threat actor was not merely redirecting traffic but actively participating in multi-stage malware delivery chains that culminated in data theft operations.

Advanced DNS TXT Command and Control Infrastructure

The technical sophistication of Detour Dog's DNS-based command and control system represents a novel approach to malware communication that exploits the often overlooked DNS TXT record functionality.

The infected websites generate DNS queries following a structured format that embeds victim information directly into the subdomain structure:

….c2_domain

The system underwent a significant upgrade in spring 2025 when operators added remote code execution capabilities, triggered by Base64-encoded responses containing the keyword "down."

When an infected site receives such a response, it strips the prefix and uses curl to fetch content from the specified URLs, effectively turning compromised websites into proxy servers for malware distribution.

The DNS TXT responses follow a specific format that enables complex multi-stage payload delivery.

For example, a decoded response might appear as:

down

This command instructs the infected site to retrieve content from a StarFish C2 server and relay it back to the victim, creating a distributed delivery network that obscures the true source of the malicious content.

The system supports both script.php and file.php endpoints, corresponding to different stages of the Strela Stealer delivery process.

The threat actor has demonstrated remarkable resilience in maintaining their infrastructure. When the Shadowserver Foundation sinkholed the webdmonitor.io domain in August 2025, Detour Dog operators established a replacement C2 server within hours, seamlessly transferring control of their infected website network to the new aeroarrows.io domain.

Analysis of sinkhole data revealed roughly 30,000 unique domains spanning 584 distinct top-level domains, all producing properly formatted DNS TXT queries to the actor-controlled infrastructure.

The scale and persistence of this operation highlight the effectiveness of DNS as a covert communication channel for malware operations.

The distributed nature of the infected website network, combined with the legitimate appearance of DNS traffic, creates significant challenges for traditional security monitoring systems, which may not scrutinize TXT record communications with the same depth applied to other network protocols.

This represents a significant advancement in malware distribution techniques: DNS infrastructure serves dual purposes as both a command channel and a content delivery mechanism, creating a resilient and difficult-to-detect threat ecosystem.
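To show what the defensive side of the passages above looks like in practice (the structured TXT queries from web servers, the Base64-encoded "down" command, and the two C2 domains named in the sinkhole story), here is an added example DNS-log scanner. It is written for this page and is not code from the article or from Infoblox. It assumes a simple space-separated resolver log format, an invented subdomain layout under a placeholder C2 zone (the article does not publish the real query format), and a fan-out threshold of three distinct TXT subdomains per client and apex; all sample log lines are constructed.

```python
import base64
import binascii
from collections import defaultdict

# Domains the article names as Detour Dog C2: webdmonitor.io (sinkholed by
# Shadowserver in August 2025) and its replacement aeroarrows.io.
KNOWN_C2_ZONES = {"webdmonitor.io", "aeroarrows.io"}

# Decoded TXT payloads beginning with this keyword carry the fetch-and-relay command.
COMMAND_KEYWORD = "down"

# Assumption: one web server querying this many distinct TXT subdomains under a
# single apex within the scanned log is unusual enough to surface.
FANOUT_THRESHOLD = 3


def parse_line(line):
    """Parse '<ts> <client> <qname> <qtype> <answer>'; return None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype.upper(), "answer": answer.strip().strip('"')}


def decode_txt(answer):
    """Strictly base64-decode a TXT answer; None if it is not valid base64 or UTF-8."""
    try:
        return base64.b64decode(answer, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def apex_of(qname):
    """Last two labels of a name. Assumption: a real deployment should use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def classify(rec):
    """Return the indicator names that fire for a single TXT record."""
    reasons = []
    if rec["qtype"] != "TXT":
        return reasons
    if apex_of(rec["qname"]) in KNOWN_C2_ZONES:
        reasons.append("known-c2-zone")
    decoded = decode_txt(rec["answer"])
    if decoded is not None and decoded.startswith(COMMAND_KEYWORD):
        reasons.append("base64-down-command")
    return reasons


def scan(log_text):
    """Per-record alerts first, then one fan-out alert per (client, apex) over the threshold."""
    alerts = []
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({"client": rec["client"], "qname": rec["qname"], "reasons": reasons})
        if rec["qtype"] == "TXT":
            fanout[(rec["client"], apex_of(rec["qname"]))].add(rec["qname"])
    for (client, apex), names in sorted(fanout.items()):
        if len(names) >= FANOUT_THRESHOLD:
            alerts.append({"client": client, "qname": apex, "reasons": ["txt-subdomain-fanout"]})
    return alerts


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample log (not real traffic). 10.0.0.5 does a benign SPF lookup;
# 10.0.0.7 is a web server talking to a placeholder C2 zone; 10.0.0.9 resolves a
# name under a zone the article names. The subdomain layout is invented.
SAMPLE_LOG = "\n".join([
    "2025-09-01T10:00:01Z 10.0.0.5 example.com TXT v=spf1 -all",
    "2025-09-01T10:00:02Z 10.0.0.7 h1.victim.c2-placeholder.test TXT " + _b64("ok"),
    "2025-09-01T10:00:03Z 10.0.0.7 h2.victim.c2-placeholder.test TXT "
    + _b64("down http://staging-placeholder.test/script.php"),
    "2025-09-01T10:00:04Z 10.0.0.7 h3.victim.c2-placeholder.test TXT "
    + _b64("down http://staging-placeholder.test/file.php"),
    "2025-09-01T10:00:05Z 10.0.0.9 x.aeroarrows.io TXT " + _b64("ok"),
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The strict `validate=True` decode is deliberate: ordinary TXT records such as SPF or DKIM contain spaces and other non-alphabet characters and are rejected in the decode step, so the "down" check only ever runs on payloads that really are Base64. The fan-out heuristic is the piece a watchlist cannot provide, since the article shows the operators swapping C2 domains within hours; a web server that should rarely issue TXT lookups suddenly querying many subdomains of one apex is the behaviour to alert on regardless of which domain is current.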
