“Detour Dog” Exploits DNS TXT Records to Deliver Strela Stealer Malware
October 15th, 2025
High

Our Cyber Threat Intelligence Unit is monitoring an active campaign distributing Strela Stealer, linked to an actor identified as Detour Dog. Detour Dog operates a DNS-based command-and-control (C2) and traffic distribution system (TDS) that uses compromised websites as relay points. The group manages DNS name servers that respond to specially formatted TXT queries with Base64-encoded responses prefixed by the token "down." These responses instruct compromised sites to fetch and relay secondary payloads, creating a chain from the StarFish downloader to Strela Stealer. Detour Dog’s infrastructure hosted most of the StarFish staging hosts observed in mid-2025 and coordinated with spam botnets such as REM Proxy and Tofsee to deliver malicious SVG lures. Two C2 domains operated by Detour Dog, webdmonitor[.]io and aeroarrows[.]io, were sinkholed by Shadowserver in late July and early August 2025.
Technical Details
Attack Type: DNS-powered, multistage web-relay and information-stealing campaign using compromised websites, Base64-encoded TXT responses, and chained downloaders.
Severity: High.
Kill Chain Summary:
Compromised Websites: Attackers compromise legitimate sites and insert malicious server-side logic that issues DNS TXT queries to Detour Dog-controlled name servers.
DNS TXT Trigger: The name servers return Base64-encoded TXT records whose decoded content begins with the "down" token. When decoded, these instruct the compromised host to retrieve remote content.
Relay Fetch-and-Serve: The server strips the "down" prefix and uses curl (or equivalent) to fetch the StarFish downloader from a Detour Dog URL, then relays it to the victim.
Multi-Stage Chaining: Some stages fetch additional compromised domains that repeat the TXT → fetch → relay sequence, enhancing resiliency and obfuscation.
Spam / Botnet Delivery: REM Proxy and Tofsee distribute spam containing malicious SVGs or documents that direct victims to these compromised relay sites.
Document/SVG Execution: Opening a malicious document triggers the SVG to contact the compromised site, which performs the DNS TXT lookup and relay chain, ultimately dropping StarFish → Strela Stealer.

Impact
Stealthy Distribution: Legitimate, compromised domains act as trusted intermediaries, masking the true malware origin.
Novel DNS Delivery Model: Using TXT records as command and delivery triggers provides both resilience and detection evasion.
Persistent Infrastructure: Sites remain functional to avoid takedowns, prolonging campaign life.
Ecosystem Collaboration: Spam botnets enable scalable distribution while web relays handle payload delivery.
Commercial Distribution Model: Assessment—Detour Dog likely functions as a distribution-as-a-service (DaaS) provider supporting other threat groups, including the Strela Stealer operator (Hive0145).
Attribution Obfuscation: DNS-based relays and Base64-encoded command traffic obscure the actual C2 infrastructure.
Detection Method
DNS TXT Monitoring: Alert on frequent or anomalous TXT queries from web servers to external name servers that return Base64 data decoding to content containing the "down" token.
Server Behavior Anomalies: Detect web servers making outbound DNS TXT lookups or issuing curl/HTTP fetches to binary URLs.
Relay Patterns: Identify sites that download executables then immediately serve them to end users.
Spam Correlation: Correlate REM Proxy / Tofsee spam telemetry with subsequent traffic to compromised domains.
Endpoint Monitoring: Watch for document/SVG-triggered chains invoking network activity that aligns with the StarFish → Strela sequence.
Honeypot / Sinkhole Telemetry: Capture TXT responses and payload URLs to enumerate staging hosts.
Content Inspection: Flag Base64 DNS responses containing command tokens when followed by outbound fetches.
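The correlation the Detection Method entries describe (a Base64 TXT answer whose plaintext starts with the "down" token, followed shortly by an outbound HTTP fetch from the same web server) can be prototyped over resolver and proxy logs. The Python below is an added example written for this advisory, not tooling from our Cyber Threat Intelligence Unit: the log line format, the hostnames, the stager URL, the 60-second correlation window and the assumption that a URL follows the token (with optional whitespace) are all constructed for illustration.

```python
"""Flag DNS TXT answers carrying the "down" token and correlate them with
a following outbound fetch from the same web server.

Added example for the advisory above; not the CTI unit's own detection
code. Log format, hosts and URLs are constructed.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta

# Assumption (not stated on the page): the fetch URL follows the "down"
# token, optionally separated by whitespace.
DOWN_CMD = re.compile(r"^down\s*(https?://\S+)", re.IGNORECASE)

# Assumed log line shape: "<ISO time> <web server> DNS TXT <nameserver> <answer>"
# or "<ISO time> <web server> HTTP <method> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>DNS|HTTP) (?P<rest>.+)$")


def decode_txt(txt):
    """Return the TXT answer decoded from Base64 as text, or None if it is not
    valid Base64 (e.g. an ordinary SPF record) or not UTF-8."""
    try:
        raw = base64.b64decode(txt, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def extract_command(txt):
    """Return the URL carried by a 'down' TXT answer, or None for anything else."""
    decoded = decode_txt(txt)
    if decoded is None:
        return None
    m = DOWN_CMD.match(decoded)
    return m.group(1) if m else None


def parse_line(line):
    """Parse one constructed log line into an event dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_relay_chains(lines, window_seconds=60):
    """Return one alert per 'down' TXT answer. Confidence is 'high' when the
    same host fetched the decoded URL within window_seconds, else 'low'."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "DNS":
            continue
        parts = ev["rest"].split(" ", 2)  # "TXT <nameserver> <answer>"
        if len(parts) != 3 or parts[0] != "TXT":
            continue
        url = extract_command(parts[2])
        if url is None:
            continue
        alert = {"host": ev["host"], "nameserver": parts[1], "url": url,
                 "txt_time": ev["ts"], "fetch_time": None, "confidence": "low"}
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break
            if later["host"] == ev["host"] and later["kind"] == "HTTP" and url in later["rest"]:
                alert["confidence"] = "high"
                alert["fetch_time"] = later["ts"]
                break
        alerts.append(alert)
    return alerts


def b64_text(text):
    """Base64-encode a string (used only to build the constructed sample)."""
    return base64.b64encode(text.encode()).decode()


STAGER_URL = "http://stager.example.invalid/starfish.bin"  # constructed, not a real IoC
SAMPLE_LOGS = [
    # benign SPF-style TXT answers: one Base64, one plain; neither should alert
    "2025-10-01T12:00:00Z web01 DNS TXT ns.example.invalid " + b64_text("v=spf1 -all"),
    "2025-10-01T12:00:01Z web01 DNS TXT ns.example.invalid v=spf1~all",
    # relay trigger followed by the fetch two seconds later -> high confidence
    "2025-10-01T12:00:05Z web02 DNS TXT ns.relay.example.invalid " + b64_text("down " + STAGER_URL),
    "2025-10-01T12:00:07Z web02 HTTP GET " + STAGER_URL,
    # trigger whose fetch falls outside the window -> low confidence
    "2025-10-01T12:03:00Z web03 DNS TXT ns.relay.example.invalid " + b64_text("down" + STAGER_URL),
    "2025-10-01T12:10:00Z web03 HTTP GET " + STAGER_URL,
]

if __name__ == "__main__":
    for a in find_relay_chains(SAMPLE_LOGS):
        print(f"{a['confidence']:>4} {a['host']} txt={a['txt_time']:%H:%M:%S} "
              f"ns={a['nameserver']} url={a['url']} fetch={a['fetch_time']}")
```

Decoding with `validate=True` keeps ordinary TXT records (SPF, DKIM, verification tokens) from being mistaken for commands, and a lone "down" answer is still surfaced at low confidence so that a relay whose fetch went through a path the proxy does not log is not missed.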
Indicators of Compromise
Domains:
webdmonitor[.]io
aeroarrows[.]io
infosystemsllc[.]com
ecomicrolab[.]com
flow-distributor[.]com
advertipros[.]com

Recommendations
Harden Public Web Assets: Patch vulnerable CMS components, plugins, and themes; monitor for unauthorized code changes.
Monitor DNS TXT Activity: Enable DNS logging for outbound TXT queries from web servers; alert on Base64 responses that decode to content containing the "down" token.
Restrict Server-Side Fetches: Limit or audit outbound HTTP(S) requests (e.g., block unexpected curl usage).
Remediate Compromised Relays: Scan webroots and temp dirs for injected scripts performing DNS queries or fetches.
Coordinate Takedowns / Sinkholes: Share IOCs with registrars, hosting providers, and CERTs to disrupt Detour Dog infrastructure.
Enhance Email Defenses: Strengthen spam filtering against REM Proxy / Tofsee delivery; quarantine SVG-based attachments.
Correlate Multi-Source Telemetry: Integrate spam, DNS, web, and endpoint data to identify cross-stage infection patterns.
Conclusion
The Detour Dog campaign represents a significant evolution in malware delivery, fusing DNS TXT-based command channels with compromised web relays to distribute Strela Stealer. Its modular architecture, Base64-encoded TXT responses, chained fetch-and-relay stages, and spam-driven lures create a resilient and covert distribution network. We urge organizations to prioritize patching, monitor DNS TXT behavior, restrict server outbound fetches, and coordinate domain-level takedowns to mitigate risks associated with this emerging DNS-powered malware campaign.