Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer


New research from Infoblox Threat Intel has revealed that an established, persistent group of cybercriminals, Detour Dog, has been silently infecting websites around the world since 2020.

The group, which first focused on simple scams routed through affiliate systems like Los Pollos, has since upgraded its operation to deliver the Strela Stealer information-stealing malware to home users, and has so far compromised over 30,000 websites.

The DNS Hijack: Hiding the Attack

Infoblox has tracked Detour Dog’s operations since August 2023. Researchers regard the group’s newer tactic as especially hard to spot because control happens server-side: the malicious logic runs on the compromised website’s host and receives its instructions over the Domain Name System (DNS), the Internet’s phonebook, so the command channel is completely invisible to the visitor.

The instructions travel in a little-used part of DNS, TXT records: the compromised host looks up a TXT record, and the answer tells it whether to do nothing, redirect the visitor to a scam, or fetch and run malicious code. The operators keep the channel quiet: roughly 90% of these lookups receive a harmless response, about 9% result in a redirect, and only around 1% trigger the full malware delivery.

Attack Chain and Detour Dog responses August 6-8 (Source: Infoblox)

This selective behaviour makes a website appear normal to most people while secretly targeting others based on attributes such as their location or device type. The research, shared with Hackread.com, indicates that this is why compromised sites can stay infected for over a year: “most visits look normal and only certain visitors are targeted.”

The volume of traffic on this channel is striking. When researchers tested a compromised server in August 2025, it saw a peak of over 2 million of these DNS requests in a single hour.
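The following is an added example, not code from Infoblox or from the article above: a small Python triage script showing how a defender would hunt for a TXT-record command channel like the one described in this section in resolver query logs. The log format, the sample lines, the domain names (beacon.example, example.com) and the allowlist are all constructed for the example and are not Detour Dog indicators. It flags hosts that make repeated TXT lookups to domains outside an allowlist with a different leftmost label each time (the shape of a polling channel that defeats resolver caching), and it computes the peak hourly query rate for a domain, which is the same calculation behind a “queries per hour” figure.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of a simplified resolver query log, one query per line:
#   <ISO-8601 timestamp> <client IP> <query name> <query type>
# These lines are invented for this example. The domains are reserved
# example names, not real Detour Dog infrastructure.
SAMPLE_LOG = """\
2025-08-06T12:00:01Z 192.0.2.10 www.example.com A
2025-08-06T12:00:02Z 192.0.2.10 a1f9c3.beacon.example TXT
2025-08-06T12:00:05Z 192.0.2.10 7be0d2.beacon.example TXT
2025-08-06T12:00:09Z 192.0.2.10 c04e11.beacon.example TXT
2025-08-06T12:00:12Z 192.0.2.10 _dmarc.example.com TXT
2025-08-06T12:30:00Z 192.0.2.11 selector1._domainkey.example.com TXT
2025-08-06T13:00:00Z 192.0.2.10 9d8a77.beacon.example TXT
2025-08-06T13:00:03Z 192.0.2.12 mail.example.org MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|MX|TXT|NS|CNAME)$")

# TXT lookups a web server legitimately makes are things like SPF, DMARC and
# DKIM records for its own mail domains. Hypothetical allowlist for the sample.
LEGIT_TXT_BASES = {"example.com"}


def parse_log(text):
    """Parse the simplified log into a list of (ts, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts_s, client, qname, qtype = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, client, qname.lower().rstrip("."), qtype))
    return records


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels. Good enough for the
    sample; production code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def txt_beacon_candidates(records, legit_bases=LEGIT_TXT_BASES, min_queries=3):
    """Return {client: {base_domain: (query_count, distinct_leftmost_labels)}}
    for TXT queries to domains outside the allowlist that reach min_queries.
    Many TXT queries to one base domain with a changing leftmost label is the
    pattern of a polling command channel: the unique label defeats caching
    and can carry per-request data."""
    counts = defaultdict(Counter)
    labels_seen = defaultdict(lambda: defaultdict(set))
    for _, client, qname, qtype in records:
        if qtype != "TXT":
            continue
        base = base_domain(qname)
        if base in legit_bases:
            continue
        counts[client][base] += 1
        labels_seen[client][base].add(qname.split(".")[0])
    flagged = {}
    for client, bases in counts.items():
        hits = {b: (n, len(labels_seen[client][b]))
                for b, n in bases.items() if n >= min_queries}
        if hits:
            flagged[client] = hits
    return flagged


def peak_hourly_txt_rate(records, base):
    """Highest number of TXT queries for one base domain in any clock hour,
    across all clients. Pointed at a command-and-control domain, this is how a
    query log becomes a 'queries per hour' figure."""
    buckets = Counter()
    for ts, _, qname, qtype in records:
        if qtype == "TXT" and base_domain(qname) == base:
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return max(buckets.values()) if buckets else 0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, hits in txt_beacon_candidates(recs).items():
        for base, (n, distinct) in hits.items():
            print(f"{client}: {n} TXT queries to {base} "
                  f"({distinct} distinct leftmost labels), "
                  f"peak {peak_hourly_txt_rate(recs, base)} per hour")
```

On the sample, only 192.0.2.10 is flagged: four TXT lookups under beacon.example, each with a different leftmost label, peaking at three in one hour, while its DMARC lookup on the allowlisted domain is ignored. The threshold of three queries is deliberately low for the sample; on a real resolver log the interesting signal is a web server, which normally has no reason to ask for TXT records at all, doing so repeatedly for a domain nobody on the team recognises.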

From Scams to Stealers

The shift to delivering Strela Stealer reportedly occurred in June and July 2025. Strela Stealer itself is operated by a different group, tracked as Hive0145; Detour Dog acted as a distribution partner, installing it through a backdoor called StarFish.

Attack Vectors (Source: Infoblox)

The campaigns were also delivered through the REM Proxy and Tofsee botnets, pointing to an affiliation between Detour Dog and those botnet operators, but for the June-July campaigns over 69% of the initial staging domains were controlled by Detour Dog itself.

Analysis of the malicious traffic showed infected websites across 89 countries, with the largest share of visitor IP addresses coming from the US (37% of all unique IP addresses), followed by Germany and Taiwan.

However, researchers suspect that much of this traffic is automated rather than human, because the queries included source IP addresses unlikely to belong to ordinary users, such as ranges assigned to the US Department of Defence.

Two GoDaddy IP addresses alone accounted for nearly 3 million queries, leaving researchers unsure how this volume is generated. They conclude that a full answer likely requires direct access to the malware running on the infected sites.

Infoblox researchers stress that because these attacks bypass traditional endpoint and web security tools, strong defence at the DNS and network level is essential.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.