Detour Dog, a stealthy website malware campaign tracked since August 2023, has evolved from redirecting victims to tech-support scams into a sophisticated DNS-based command-and-control (C2) distribution system that delivers the Strela Stealer information stealer via DNS TXT records.
Tens of thousands of compromised websites worldwide make server-side DNS requests that are invisible to visitors, enabling conditional redirections and remote code execution.
Originally, Detour Dog-controlled name servers directed infected sites to scam landing pages like Los Pollos and Help TDS.
In late November 2024, redirects shifted from Los Pollos to Help TDS and Monetizer TDS affiliate networks, but the outcome—fraudulent traffic monetization—remained the same.
Starting spring 2025, a new capability appeared: name servers began responding to specially formatted DNS TXT queries with Base64-encoded “down” commands, instructing the compromised sites to fetch and execute PHP scripts from remote C2 servers. This marks the first time Detour Dog has delivered malware directly to home users.
In June 2025, researchers observed Detour Dog infrastructure hosting the StarFish backdoor, which installs the Strela Stealer payload. Analysis revealed that 69% of confirmed StarFish staging hosts were under Detour Dog control.
Detour Dog handcrafts tracking identifiers that are carried across multiple traffic distribution systems (TDSs).
Externally, StarFish and Strela were spread via spam sent through the REM Proxy MikroTik botnet and the Tofsee botnet.
On June 8, DNS TXT responses began supplying C2 URLs for PHP endpoints—first script.php to deliver the StarFish downloader, then file.php to fetch the Strela Stealer ZIP archive—creating a multi-stage, DNS-orchestrated delivery chain.
DNS TXT as a Covert Channel
Compromised sites generate DNS TXT queries of the form:
text....c2_domain
When the query matches patterns like nwuuscript or nauufile, the authoritative name server returns a TXT record prefixed with “down” and a C2 URL.
The PHP script output is then relayed to the victim, all via server-side curl requests that evade client-side detection.
Passive DNS logs from August 6–8, 2025, show over 4 million queries, predominantly benign “do nothing” responses, but occasional remote execution commands reveal an innovative three-card monte-style distribution model.
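To make the detection side of this concrete, here is an added example (not code from the report or from the campaign) that scans passive DNS records for the pattern described above: TXT responses whose Base64-decoded content begins with "down" and carries a URL. It assumes a JSON-lines record format with src, qname, qtype and rdata fields, assumes the decoded command is plain text of the form "down <url>", and uses constructed sample records with a placeholder domain (c2-example.invalid); the campaign's exact encoding details are not given on the page.

```python
import base64
import binascii
import json
import re
from collections import Counter

URL_RE = re.compile(r"https?://\S+")


def _b64(text):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed passive DNS sample (not real telemetry). The record layout
# (src/qname/qtype/rdata as JSON lines) is an assumption of this example.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "203.0.113.10", "qname": "nwuuscript.z1.c2-example.invalid",
     "qtype": "TXT", "rdata": _b64("down http://c2-example.invalid/script.php")},
    {"src": "203.0.113.11", "qname": "abc.z1.c2-example.invalid",
     "qtype": "TXT", "rdata": _b64("ok")},
    {"src": "203.0.113.12", "qname": "nauufile.z1.c2-example.invalid",
     "qtype": "TXT", "rdata": _b64("down http://c2-example.invalid/file.php")},
    {"src": "203.0.113.13", "qname": "mail.example.org",
     "qtype": "TXT", "rdata": "v=spf1 -all"},
    {"src": "203.0.113.14", "qname": "www.example.org",
     "qtype": "A", "rdata": "198.51.100.5"},
    {"src": "203.0.113.15", "qname": "xyz.z1.c2-example.invalid",
     "qtype": "TXT", "rdata": _b64("down")},
])


def decode_txt(rdata):
    """Strip quoting, strictly Base64-decode the TXT payload, return text or None.

    validate=True rejects ordinary TXT content such as SPF records, which
    contain characters outside the Base64 alphabet."""
    raw = rdata.strip().strip('"')
    try:
        decoded = base64.b64decode(raw, validate=True)
        return decoded.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def classify(record):
    """Return one of: non-txt, undecodable, benign, command."""
    if record.get("qtype") != "TXT":
        return "non-txt"
    text = decode_txt(record.get("rdata", ""))
    if text is None:
        return "undecodable"
    # A "down" prefix is the remote-execution instruction described in the report.
    return "command" if text.startswith("down") else "benign"


def scan(log_text):
    """Scan JSON-lines passive DNS records; return (alerts, verdict counts)."""
    alerts = []
    stats = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        stats[verdict] += 1
        if verdict == "command":
            text = decode_txt(rec["rdata"])
            match = URL_RE.search(text)
            alerts.append({
                "src": rec["src"],
                "qname": rec["qname"],
                "url": match.group(0) if match else None,
            })
    return alerts, stats


def hosts_issuing_commands(alerts):
    """Distinct resolver/source addresses that received a 'down' command."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    print(dict(counts))
    for a in found:
        print(a)
```

In practice the "benign" bucket will be by far the largest, which matches the report's observation that most responses are "do nothing"; the value of the scan is in the rare "command" hits and in the list of source hosts that received them, which is the starting point for identifying compromised web servers in your own estate.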
Shadowserver Foundation sinkholed the primary C2 domain, webdmonitor[.]io, in August 2025, only for Detour Dog to spin up aeroarrows[.]io within hours. Sinkhole data captured over 39 million TXT queries in 48 hours from 30,000 infected hosts across 584 TLDs.
Although bot traffic dominated—peaking at 2 million hourly requests—unique IPs spanned 89 countries, with the United States accounting for 37% of distinct visitor IPs.

Intriguingly, some encoded IPs belonged to U.S. Department of Defense subnets, underscoring the mystery of who or what generates these queries.
Historic Evolution and Affiliate Network Ties
Detour Dog’s origins trace back to February 2020, initially forwarding traffic to Los Pollos affiliates identified by IDs like bt1k60t and later integrating Help TDS affiliate IDs.
The Los Pollos link also includes the affiliate ID bt1k60t, and the site is redirected to another domain, braraildye[.]live, hosted at Hetzner, which we believe is part of Taco Loco.

Detailed redirection chains documented in November 2024 and November 20, 2024 illustrate transitions from Help TDS to Monetizer TDS with consistent tracking parameters (cid:11005).
Composite timelines reveal continuous affiliate-driven flows spanning five and a half years.
This DNS TXT C2 model represents a novel, resilient malware distribution architecture that disguises true C2 infrastructure behind a global network of compromised websites.
By intertwining affiliate marketing traffic flows with DNS-based remote execution, Detour Dog obfuscates attack chains and misdirects defenders.
As Detour Dog continues refining its system—with passive DNS tests indicating ongoing feature expansion—organizations and threat hunters must incorporate DNS TXT monitoring and sinkholing strategies to detect and mitigate such covert threats.