New research from Infoblox Threat Intel has provided detailed insights into the activities of a threat actor, named “Detour Dog”, responsible for compromising over 30,000 websites since 2020, evolving its strategy from basic scam redirects to distributing malware using DNS-based command-and-control methods.
Detour Dog has reportedly shifted its approach over time, starting with the use of affiliate advertisement networks to distribute scam redirects and progressing to the distribution of StarFish, a backdoor used to install Strela Stealer malware. This campaign is linked to the Hive0145 threat group and reveals an advanced level of operational coordination among cybercriminals.
Server-side approach
One key factor behind Detour Dog’s effectiveness is its use of server-side control for its campaigns. The attack mechanism resides on the server rather than the client, meaning that the actual website visited by most users appears normal. Only certain visitors, selectively determined based on parameters like geographic location and device type, are targeted for malicious redirection or code execution. This technique makes detection particularly difficult and allows infiltrations to persist for months or even more than a year without notice.
The compromised sites conduct DNS queries which encode specific visitor information such as IP address and device type. The attackers’ name servers then make decisions in real time, choosing which site visitors to target, while the majority experience no visible signs of compromise. According to Infoblox’s findings, malicious activity is relatively rare, with only about 9% of DNS queries resulting in user redirection and around 1% triggering a “fetch and execute” instruction for deploying malware, while 90% of queries receive a “do nothing” response.
Malware delivery evolution
As the campaign has evolved, Detour Dog’s infrastructure has played a significant role in distributing not only scam links but also new strains of malware. The StarFish backdoor, which enables the installation of Strela Stealer, has been widely delivered by leveraging existing botnet infrastructure, particularly REM Proxy, a MikroTik-based botnet, and Tofsee botnets. These tactics, observed in the June-July 2025 period, demonstrate an explicit affiliation between Detour Dog and botnet providers, essentially creating a delivery service for Hive0145’s operations.
Infoblox research indicates that over 69% of the infrastructure involved in staging these attacks (domains associated with StarFish delivery) is directly controlled by Detour Dog. Rather than hosting the payloads, these domains typically function as relays, using DNS TXT records to covertly deliver commands and instructions to infected websites, which then carry out the attackers’ intentions server-side.
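The DNS tasking described above (compromised sites encoding per-visitor data into TXT queries, and attacker name servers answering most of them with "do nothing") leaves a recognisable footprint in resolver logs: one web server issuing a stream of TXT queries to a single zone in which the leading label is almost never repeated. The following detector is an added example, not code from the Infoblox report; the log line format, the thresholds and the zone name tasking.example are assumptions, and the log sample is constructed.

```python
from collections import defaultdict

# Constructed resolver-log sample (not from the Infoblox report).
# Assumed line format: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
2025-07-01T10:00:01 10.0.0.5 A cdn.example.net
2025-07-01T10:00:02 10.0.0.5 TXT 7f3a9c1e0b2d.tasking.example
2025-07-01T10:00:03 10.0.0.5 TXT c81e6d4fa203.tasking.example
2025-07-01T10:00:04 10.0.0.5 TXT 0a77b3e9d15c.tasking.example
2025-07-01T10:00:05 10.0.0.5 TXT 5d2e8f4a9b61.tasking.example
2025-07-01T10:00:06 10.0.0.5 TXT e4c7a2b8d903.tasking.example
2025-07-01T10:00:07 10.0.0.9 TXT _dmarc.example.org
2025-07-01T10:00:08 10.0.0.9 TXT _dmarc.example.org
2025-07-01T10:00:09 10.0.0.9 TXT _dmarc.example.org
2025-07-01T10:00:10 10.0.0.9 TXT _dmarc.example.org
2025-07-01T10:00:11 10.0.0.9 TXT _dmarc.example.org
"""


def parse_log(text):
    """Yield (client_ip, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].upper(), parts[3].lower().rstrip(".")


def registrable_zone(qname, labels=2):
    """Crude zone key: the last two labels (a real deployment would use the PSL)."""
    return ".".join(qname.split(".")[-labels:])


def find_txt_tasking(records, min_queries=5, min_unique_ratio=0.8):
    """Flag (client, zone) pairs sending many TXT queries whose leading label is
    almost never repeated, i.e. per-visitor data encoded into the query name.
    Legitimate TXT lookups (SPF, DMARC) repeat the same few names: low ratio."""
    seen = defaultdict(list)
    for client, qtype, qname in records:
        if qtype == "TXT":
            seen[(client, registrable_zone(qname))].append(qname.split(".")[0])
    alerts = {}
    for key, labels in seen.items():
        ratio = len(set(labels)) / len(labels)
        if len(labels) >= min_queries and ratio >= min_unique_ratio:
            alerts[key] = {"txt_queries": len(labels), "unique_ratio": round(ratio, 2)}
    return alerts


if __name__ == "__main__":
    print(find_txt_tasking(parse_log(SAMPLE_LOG)))
```

On the sample, 10.0.0.5 is flagged (five TXT queries, five distinct labels) while 10.0.0.9's repeated DMARC lookups are not; in production the thresholds should be tuned against a baseline of the web tier's normal TXT traffic.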
Challenges and risks
Detour Dog turns routine web traffic into business risk. Traditional endpoint tools may miss the server-side DNS tasking, so the most reliable choke point is at the DNS and network layer.
The research findings demonstrate that DNS isn’t just a tool for tracking adversaries; it’s a frontline mechanism for disrupting attacks before they reach users or enterprises. However, the effectiveness of any DNS defense depends entirely on the quality and specificity of the threat intelligence it leverages. As attackers evolve their methods, only DNS-layer visibility and intelligence tailored to these threats can keep pace with the shifting landscape.
Infoblox Threat Intel underscores the challenges posed by attacks that rely on server-side mechanisms, resulting in most security solutions at the endpoint remaining unaware of the compromise. This shift in attacker strategy means organisations must increasingly rely on DNS and network-based detection mechanisms to identify and respond to threats.
The scale of Detour Dog’s activities has at times resulted in peaks of more than two million DNS TXT record requests within an hour, highlighting the breadth of websites covertly involved in the campaign. Sites compromised by this approach remain at risk as long as server-side logic for these attacks is present, often going unnoticed for extended periods.
Detour Dog’s ability to mask its presence, perform selective targeting, and leverage infrastructure built around legitimate-seeming sites adds layers of complexity for defenders. As DNS continues to be a critical yet vulnerable part of internet infrastructure, the findings underline the importance of specialised threat intelligence and DNS-layer security in countering these forms of cyber risk.
