New research from the Infoblox threat intelligence team has identified widespread abuse of domain name system (DNS) TXT records in a malware campaign known as Detour Dog, which has compromised more than 30,000 websites worldwide.
Low-profile activity
The actor referred to as Detour Dog has reportedly evolved its approach. According to Infoblox, it has moved from conducting scam redirects to distributing information-stealing malware, with compromised websites silently fetching malicious code and relaying its execution output without alerting users. This approach enables attackers to operate largely undetected from the perspective of both website visitors and administrators.
According to the research, the malware campaigns leverage DNS queries to selectively target website visitors based on their location and device, all while the server makes covert DNS TXT requests encoding visitor data. The attacker’s remotely controlled name servers determine which users are redirected to scams or receive remote download and execution instructions, often without leaving visible traces.
Attack characteristics
The research found peaks of over two million DNS TXT requests in a single hour, underlining the scale and frequency of the campaign’s activities. Infoblox’s threat intelligence has described the challenge of detecting and reproducing malicious redirections associated with Detour Dog due to its stealthy, server-side operations.
Researchers further noted that about 90 per cent of DNS queries generated by infected sites return benign responses, with only approximately 9 per cent resulting in redirections and just 1 per cent being used for active fetch and execute tasks. The result is an infection that is “silent but deadly,” as affected websites continue to function normally for most visitors while only a minority are exposed to malicious payloads.
Evolution of Detour Dog
According to Infoblox, Detour Dog’s infrastructure has shifted in recent months from simple scams distributed via affiliate advertising networks to the deployment of StarFish, a backdoor used to install the Strela Stealer malware. Strela Stealer is operated by another threat group identified as Hive0145. Infoblox’s analysis suggests a strong affiliation between Detour Dog and various botnet providers involved in the distribution of Strela Stealer.
During June and July 2025, campaigns delivered through both REM Proxy, a MikroTik-based botnet, and Tofsee botnets were attributed to Detour Dog. The research suggests that these activities were conducted exclusively by this actor, who, at the time, was providing services for Hive0145 and using the botnets to distribute spam and carry out malicious tasks.
“It is believed that Detour Dog was the sole source of the campaigns seen in this time frame, providing a service for Hive0145, and using the botnets for spam delivery. Over 69 per cent of the reported staging domains from these campaigns are Detour Dog controlled. This new research implies those domains did not host the stage but instead were a DNS relay.”
Novel techniques and persistence
The research describes how Detour Dog incorporates novel techniques by using DNS TXT records for covert command-and-control infrastructure. This approach enables infected sites to fetch and run malicious scripts while obscuring the actual staging hosts and making investigations more difficult. The technique is likened to a game of three-card monte because of the level of misdirection and obfuscation deployed.
Evidence suggests that sites can remain compromised for periods exceeding a year due to the stealthy, server-side logic of the malware. Because normal visitors only rarely encounter the malicious payloads, infections often go unnoticed for extended periods.
“Detour Dog turns routine web traffic into business risk. Traditional endpoint tools may miss the server-side DNS tasking, so the most reliable choke point is at the DNS and network layer. These findings demonstrate that DNS isn’t just a tool for tracking adversaries – it’s a frontline mechanism for disrupting attacks before they reach users or enterprises. However, the effectiveness of any DNS defence depends entirely on the quality and specificity of the threat intelligence it leverages. As attackers evolve their methods, only DNS-layer visibility and intelligence tailored to these threats can keep pace with the shifting landscape.”
Detection challenges
The use of server-side logic complicates detection and mitigation for website owners and enterprise security teams. Since the malicious activity is often only triggered during certain user sessions, and with the majority of DNS requests performing no harmful action, standard endpoint security and monitoring tools may fail to catch the compromise.
The research highlights the need for organisations to focus on DNS and network layer monitoring. Infoblox’s findings suggest that only DNS-layer enforcement and threat intelligence specific to these evolving adversary techniques will be effective in countering such campaigns.
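One way to apply the DNS-layer monitoring the research calls for is to look, in resolver logs, for web servers whose outbound queries are dominated by TXT lookups carrying encoded-looking labels, the pattern described above. The following is an added example, not code from Infoblox or the report; the log format, the domain names and the thresholds are constructed assumptions to be tuned per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the report): "<epoch> <client_ip> <qtype> <qname>".
# 10.0.0.5 mimics an infected web server issuing bursts of TXT lookups with encoded
# labels to a placeholder relay domain; 10.0.0.9 is a normal host with one benign TXT.
SAMPLE_LOG = """\
1700000000 10.0.0.5 TXT 7a1f9c3e4b2d8a6f.ns-relay.example.invalid
1700000001 10.0.0.5 TXT b84e2d71c0f93a5d.ns-relay.example.invalid
1700000002 10.0.0.5 TXT 9c0d3e5f7a1b2c4d.ns-relay.example.invalid
1700000003 10.0.0.5 TXT e2f4a6c8b0d1357f.ns-relay.example.invalid
1700000004 10.0.0.5 A cdn.example.invalid
1700000005 10.0.0.9 A www.example.invalid
1700000006 10.0.0.9 AAAA mail.example.invalid
1700000007 10.0.0.9 TXT example.invalid
1700000008 10.0.0.9 A login.example.invalid
"""

def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost label; high values suggest encoded data."""
    label = qname.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def flag_txt_taskers(log_text, txt_share=0.5, min_txt=3, entropy_floor=3.0):
    """Return {client: stats} for clients whose queries are mostly TXT with encoded labels.
    Thresholds are hypothetical: txt_share is the TXT fraction of a client's queries,
    min_txt the minimum TXT count, entropy_floor the mean first-label entropy."""
    per_client = defaultdict(lambda: {"total": 0, "txt": 0, "entropies": []})
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        s = per_client[client]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
            s["entropies"].append(label_entropy(qname))
    flagged = {}
    for client, s in per_client.items():
        if s["txt"] < min_txt:
            continue  # too few TXT lookups to judge; benign SPF/DKIM checks land here
        share = s["txt"] / s["total"]
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if share >= txt_share and mean_ent >= entropy_floor:
            flagged[client] = {"txt": s["txt"], "share": round(share, 2),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Because roughly nine in ten of the campaign's queries return benign answers, the signal here is the volume and shape of the TXT questions a server asks, not the responses it receives.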
