Ethical Hacking News
Detour Dog, a threat actor previously known only for forwarding web traffic to malicious sites, has been found to be powering campaigns that distribute an information stealer called Strela Stealer. According to Infoblox, Detour Dog's modus operandi involves exploiting vulnerable WordPress sites and using DNS TXT records to facilitate malware distribution, with remote code execution commands delivered through the threat actor's own DNS name servers. The development marks a significant shift in tactics: the actor had until now acted exclusively as a traffic forwarder for Los Pollos, a malicious advertising technology company, and the move into malware distribution is believed to be financially motivated. At least 69% of confirmed StarFish staging hosts were under Detour Dog's control, and a MikroTik botnet advertised as REM Proxy was also part of the attack chain.
The cybersecurity world has been abuzz with the recent discovery of a threat actor known as Detour Dog, who has been found to be powering campaigns distributing an information stealer known as Strela Stealer. According to findings from Infoblox, a DNS threat intelligence firm, Detour Dog has been maintaining control of domains hosting the first stage of the stealer, a backdoor called StarFish.
Detour Dog's modus operandi when it comes to acquiring new infrastructure is by exploiting vulnerable WordPress sites to perform malicious code injections. However, the methods have since continued to evolve. The threat actor has been found to facilitate the distribution of Strela Stealer via DNS TXT records, with the threat actor-controlled DNS name servers modified to parse specially formatted DNS queries from compromised sites and respond to them with remote code execution commands.
The attack chain unfolds as follows: a victim opens a malicious document, launching an SVG file that reaches out to an infected domain. The compromised site sends a TXT record request to the Detour Dog C2 server via DNS. The name server responds with a TXT record containing a Strela C2 URL, prefixed with "down." The compromised site removes the "down" prefix and uses curl to fetch what appears to be the StarFish downloader from that URL. The compromised site then acts as a relay, passing the downloader on to the client (i.e., the victim). The downloader initiates a call to another compromised domain, which sends a similar DNS TXT query to the Detour Dog C2 server. The name server responds with a new Strela C2 URL, again prefixed with "down." The second compromised domain strips the prefix and sends a curl request to the Strela C2 server to fetch StarFish.
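The DNS TXT relay described above gives defenders a concrete signal to hunt for: a web server issuing TXT queries and receiving answers that consist of the literal string "down" followed by a URL. The following Python is an added example written for this article, not code from Infoblox or from the reporting it summarizes. It scans a constructed resolver log (the log format, the host addresses, and the `.invalid` domain names are all made up for illustration) and flags answers matching that pattern; the assumption that the prefix is the literal word "down" immediately followed by an `http(s)://` URL is taken from the article's description and is not a confirmed wire format.

```python
import re
from dataclasses import dataclass

# Constructed sample of DNS resolver log lines (not real telemetry). Each line
# records the querying host, the queried name, the record type and the answer.
SAMPLE_DNS_LOG = """\
2025-10-03T13:48:01Z src=10.0.5.21 qname=example-blog.invalid qtype=TXT answer="v=spf1 include:_spf.example.invalid ~all"
2025-10-03T13:48:02Z src=10.0.5.21 qname=x9k2.ns.c2-placeholder.invalid qtype=TXT answer="downhttp://c2-placeholder.invalid/stage/sf.bin"
2025-10-03T13:48:03Z src=10.0.5.22 qname=shop.example.invalid qtype=A answer="203.0.113.10"
2025-10-03T13:48:04Z src=10.0.5.23 qname=a1b2.ns.c2-placeholder.invalid qtype=TXT answer="downhttps://203.0.113.77/dl/starfish"
2025-10-03T13:48:05Z src=10.0.5.24 qname=download.example.invalid qtype=TXT answer="download-speed=fast"
"""

# Constructed allowlist of hosts that are known to be web servers (e.g. the
# WordPress fleet). A web server has little reason to issue TXT queries itself.
WEB_SERVER_HOSTS = {"10.0.5.21", "10.0.5.23"}

LINE_RE = re.compile(
    r'src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)\s+answer="(?P<answer>[^"]*)"'
)
# Assumed format from the article: literal "down" immediately followed by a URL.
DOWN_URL_RE = re.compile(r'^down(?P<url>https?://\S+)$')


@dataclass(frozen=True)
class Alert:
    src: str      # host that issued the TXT query (the relay / compromised site)
    qname: str    # name queried at the attacker-controlled name server
    c2_url: str   # URL recovered after stripping the "down" prefix


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def strip_down_prefix(answer):
    """Mimic the relay step: return the URL hidden behind the 'down' prefix, else None."""
    m = DOWN_URL_RE.match(answer)
    return m.group("url") if m else None


def detect_down_txt(log_text):
    """Flag every TXT answer that carries a 'down'-prefixed URL."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        url = strip_down_prefix(rec["answer"])
        if url is not None:
            alerts.append(Alert(rec["src"], rec["qname"], url))
    return alerts


def web_servers_issuing_txt(log_text, web_hosts=WEB_SERVER_HOSTS):
    """Weaker but broader heuristic: which allowlisted web servers issued TXT queries at all."""
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "TXT" and rec["src"] in web_hosts:
            hosts.add(rec["src"])
    return sorted(hosts)


if __name__ == "__main__":
    for a in detect_down_txt(SAMPLE_DNS_LOG):
        print(f"[ALERT] {a.src} queried {a.qname} -> C2 URL {a.c2_url}")
    print("web servers issuing TXT queries:", web_servers_issuing_txt(SAMPLE_DNS_LOG))
```

Run against the constructed sample, the strict rule flags the two "down"-prefixed answers and ignores the SPF record and the benign TXT that merely begins with "download"; the broader heuristic surfaces the two web servers that issued TXT queries, which is where a responder would start looking for an injected WordPress plugin or theme file.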
Infoblox's analysis has revealed that at least 69% of confirmed StarFish staging hosts were under the control of Detour Dog. Additionally, a MikroTik botnet advertised as REM Proxy – which is powered by SystemBC, as uncovered by Lumen's Black Lotus Labs last month – was also part of the attack chain.
The development marks the first time Detour Dog has been spotted distributing malware, a shift from acting as an entity responsible for exclusively forwarding traffic to Los Pollos, a malicious advertising technology company operating under the VexTrio Viper umbrella. The threat actor's evolution into malware distribution is believed to be financially motivated, with Infoblox suggesting that Detour Dog may have evolved from scams to include malware distribution.
Infoblox's vice president of threat intelligence, Dr. Renée Burton, stated, "We suspect that they evolved from scams to include malware distribution for financial reasons." The company noted that the website malware used by Detour Dog has witnessed an evolution of its own, gaining the ability to command infected websites to execute code from remote servers.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Detour-Dog-A-DNS-Powered-Malware-Factory-for-Strela-Stealer-ehn.shtml
https://thehackernews.com/2025/10/detour-dog-caught-running-dns-powered.html
Published: Fri Oct 3 13:48:28 2025 by llama3.2 3B Q4_K_M