New Infoblox Research Uncovers DNS TXT Abuse in Stealth Malware Campaign Infecting Thousands of Sites
Posted: Thursday, Oct 02

New Infoblox Threat Intel research reveals that a long-running threat actor compromising websites, coined “Detour Dog,” has evolved from scam redirects to delivering information-stealing malware. This allows compromised sites to fetch and relay malicious execution output without any visible cues to the user, all using the domain name system (DNS) for command and control (C2). This server-side control means a webpage can look legitimate for most visitors while selectively targeting others based on location and device, placing users in the crosshairs. The sheer volume of activity is astonishing, with peaks of over 2 million TXT requests in an hour.

The attack and concealment work because the server — not the client — makes queries that encode the visitor’s IP and device type. Attacker-controlled name servers then decide which users are redirected to scams, triggering a remote “download-and-run” instruction. Detour Dog’s success stems from its ability to operate in silence. Most of the time, there is no clear system compromise, and it’s difficult to reproduce their malicious redirections.

Key Findings

  • Widespread: Over 30,000 websites are infected with Detour Dog malware, which uses DNS to selectively redirect users or execute remote code — all server-side and invisible to users.
  • Campaign Evolution: Detour Dog’s infrastructure has shifted from distributing scams via affiliate advertising networks to distributing StarFish, a backdoor that installs Strela Stealer malware, operated by Hive0145.
  • Novel Techniques: Detour Dog uses DNS TXT records for covert command and control, enabling infected websites to fetch and run malicious scripts while hiding staging hosts behind compromised sites. The malware delivery technique is analogous to three-card monte: there is so much room for misdirection that the question becomes where the real malware actually is.
  • Persistence: Sites can stay compromised for over a year, as most visits look normal and only certain visitors are targeted. This is also because the attack logic runs server-side.
  • Detection Challenge: Approximately 90 per cent of DNS queries from infected sites get a “do nothing” response; only a small fraction trigger malicious actions: about 9 per cent are redirections and 1 per cent are fetch-and-execute tasks.
  • Botnet Delivery: Strela Stealer campaigns were delivered in June-July 2025 via REM Proxy, a MikroTik-based botnet, and Tofsee botnets, revealing an affiliation between Detour Dog and the botnet providers.
  • Detour Dog at your Service: It is believed that Detour Dog was the sole source of the campaigns seen in this time frame, providing a service for Hive0145 and using the botnets for spam delivery. Over 69 per cent of the reported staging domains from these campaigns are Detour Dog controlled. This new research implies those domains did not host the stage themselves but instead acted as a DNS relay.

Detour Dog turns routine web traffic into business risk. Traditional endpoint tools may miss the server-side DNS tasking, so the most reliable choke point is at the DNS and network layer. These findings demonstrate that DNS isn’t just a tool for tracking adversaries — it’s a frontline mechanism for disrupting attacks before they reach users or enterprises. However, the effectiveness of any DNS defence depends entirely on the quality and specificity of the threat intelligence it leverages. As attackers evolve their methods, only DNS-layer visibility and intelligence tailored to these threats can keep pace with the shifting landscape.
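The server-side TXT beaconing described above gives defenders a DNS-layer signal to hunt for: a web server that issues bursts of TXT queries with varying leftmost labels to a single zone, far above what legitimate TXT lookups (SPF, DMARC) produce. The following detection sketch is an added example, not code from Infoblox or this article; the resolver log format, the list of web servers, the zone name and the thresholds are all assumed or constructed.

```python
import re
from collections import defaultdict

# Constructed resolver-log sample (assumed format "<epoch> <client_ip> <qname> <qtype>").
SAMPLE_LOG = """\
1759400000 10.0.5.20 www.example-shop.test A
1759400001 10.0.5.20 a1b2c3.placeholder-zone.test TXT
1759400002 10.0.5.20 d4e5f6.placeholder-zone.test TXT
1759400002 10.0.5.20 0a1b2c.placeholder-zone.test TXT
1759400003 10.0.5.20 ff00aa.placeholder-zone.test TXT
1759400004 10.0.5.20 9c9c9c.placeholder-zone.test TXT
1759400005 10.0.5.30 mail.example-shop.test MX
1759400006 10.0.5.30 _dmarc.example-shop.test TXT
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Parse 'epoch client qname qtype' lines; malformed lines are skipped."""
    out = []
    for m in (LINE_RE.match(line.strip()) for line in text.splitlines()):
        if m:
            ts, client, qname, qtype = m.groups()
            out.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return out

def flag_txt_beacons(records, web_servers, window=60, min_txt=5, min_unique=4):
    """Flag web servers whose TXT queries to one parent zone show many distinct
    leftmost labels inside a time window (a sign of per-visitor data encoded in the name)."""
    by_client_zone = defaultdict(list)  # (client, parent zone) -> [(ts, first label)]
    for ts, client, qname, qtype in records:
        if qtype != "TXT" or client not in web_servers:
            continue
        labels = qname.split(".")
        if len(labels) < 3:  # need a label below the zone to carry encoded data
            continue
        by_client_zone[(client, ".".join(labels[1:]))].append((ts, labels[0]))
    findings = []
    for (client, zone), events in by_client_zone.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_win = [lbl for ts, lbl in events[i:] if ts - t0 <= window]
            if len(in_win) >= min_txt and len(set(in_win)) >= min_unique:
                findings.append({"client": client, "zone": zone,
                                 "txt_queries": len(in_win), "unique_labels": len(set(in_win))})
                break
    return findings
```

Running `flag_txt_beacons(parse_log(SAMPLE_LOG), {"10.0.5.20", "10.0.5.30"})` flags only the host sending five distinct-label TXT queries within a minute; the single DMARC lookup from the mail host stays below the thresholds.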

Read the full research here: https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
