Detour Dog
A threat actor named Detour Dog recently emerged as the driving force behind campaigns distributing an information stealer known as Strela Stealer.
Infoblox found that Detour Dog controls the domains hosting the stealer’s first stage, a backdoor called StarFish.
The DNS threat intelligence firm began tracking Detour Dog in August 2023, after GoDaddy-owned Sucuri disclosed attacks that targeted WordPress sites. These attacks embedded malicious JavaScript using DNS TXT records as a communication channel for a traffic distribution system (TDS), which redirected site visitors to sketchy websites and malware.
Investigators have traced the threat actor’s activity back to February 2020.
“While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system,” Infoblox said. “We are tracking the threat actor who controls this malware as Detour Dog.”
Infoblox also found that Detour Dog uses its own infrastructure to host StarFish, a simple reverse shell that acts as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force noted that the backdoor spreads through malicious SVG files designed to maintain persistent access to infected machines.
Strela Stealer
Meanwhile, Hive0145—the threat actor exclusively behind Strela Stealer campaigns since at least 2022—appears financially motivated and likely operates as an initial access broker (IAB), selling access to compromised systems for profit.
Through its analysis, Infoblox determined that Detour Dog controlled at least 69% of confirmed StarFish staging hosts. The company also discovered that a MikroTik botnet known as REM Proxy, powered by SystemBC and identified by Lumen’s Black Lotus Labs last month, formed part of the same attack chain.
Furthermore, investigators learned that spam email messages distributing Strela Stealer originated from both REM Proxy and another botnet named Tofsee. In previous campaigns, Tofsee spread through a C++-based loader called PrivateLoader. In both instances, Detour Dog infrastructure hosted the first stage of the attack.
“The botnets were contracted to deliver the spam messages, and Detour Dog was contracted to deliver the malware,” explained Dr. Renée Burton, vice president of threat intelligence at Infoblox, in a statement to The Hacker News.
Additionally, Detour Dog continues to facilitate Strela Stealer distribution through DNS TXT records. The threat actor modifies its DNS name servers to parse specially formatted DNS queries from compromised sites and respond with remote code execution commands.
[Figure: Multiple attack vectors utilize Detour Dog-controlled assets]
Detour Dog acquires new infrastructure by exploiting vulnerable WordPress sites and injecting malicious code. However, Infoblox noted that the threat actor’s methods have continued to evolve over time.
How it works
A key feature of these attacks is their stealth. Compromised websites function normally about 90% of the time, raising no suspicion and allowing the malware to persist for long periods. In roughly 9% of cases, a site visitor gets redirected to a scam via Help TDS or Monetizer TDS. In much rarer situations—about 1%—the site receives a remote file execution command. Researchers believe the limited redirections help the attackers avoid detection.
[Figure: Theorized attack chain utilizing DNS TXT records for C2]
This development marks the first time Detour Dog has distributed malware, signaling a shift from its previous role of simply forwarding traffic to Los Pollos, a malicious advertising company operating under the VexTrio Viper umbrella.
“We suspect that they evolved from scams to include malware distribution for financial reasons,” Burton said. “There has been a great deal of focus in the security industry over the last 12-18 months to stop the type of scams Detour Dog has supported in the past. We believe they were making less money, though we can’t verify that.”
Malware evolving
Alongside this behavioral change, the website malware used by Detour Dog has also evolved. It can now command infected websites to execute code from remote servers.
By June 2025, the infected sites began retrieving PHP script outputs from verified Strela Stealer command-and-control (C2) servers, likely to distribute the malware. This finding suggests that Detour Dog now uses DNS both as a communication channel and a delivery mechanism.
“Responses to TXT record queries are Base64-encoded and explicitly include the word ‘down’ to trigger this new action,” the company explained. “We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email attachment.”
“A novel setup like this would allow an attacker to hide their identity behind compromised websites, making their operations more resilient, meanwhile serving to mislead threat hunters because the malware isn’t really where the analyzed attachments indicate the stage is hosted.”
The entire attack chain unfolds as follows:
- The victim opens a malicious document, launching an SVG file that contacts an infected domain.
- The compromised site sends a TXT record request to the Detour Dog C2 server via DNS.
- The name server responds with a TXT record containing a Strela C2 URL, prefixed with “down.”
- The compromised site removes the “down” prefix and uses curl to fetch the StarFish downloader from the URL.
- The compromised site relays the downloader to the victim.
- The downloader then calls another compromised domain.
- That second domain sends a similar DNS TXT query to the Detour Dog C2 server.
- The Detour Dog name server responds with a new Strela C2 URL, again prefixed with “down.”
- The second compromised domain removes the prefix and sends a curl request to the Strela C2 server to fetch StarFish.
- Finally, the second compromised domain relays the malware to the victim.
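The TXT-record step described above (a Base64-encoded response whose decoded text carries the “down” trigger and a URL) is the part of this chain that a defender can hunt for in DNS telemetry. The following Python is an added example, not code from Infoblox or from the article: it decodes TXT rdata from a constructed, clearly non-real set of passive-DNS style records, flags decoded payloads that begin with the trigger word, and extracts the URL that follows it. The exact separator between “down” and the URL is not stated in the report, so the example treats optional whitespace after the trigger as an assumption; the record names and URLs are placeholders.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trigger word the report says appears in the decoded TXT response.
TRIGGER = "down"

# Assumption: the URL follows the trigger directly or after whitespace.
DOWN_URL_RE = re.compile(r"^" + TRIGGER + r"\s*(https?://\S+)", re.IGNORECASE)

# Constructed sample records (name, rrtype, rdata). None of these are real IoCs.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("api.legit-example.test", "TXT", "v=spf1 include:_spf.example.test -all"),
    ("cfg.ns-example.test", "TXT",
     base64.b64encode(b"down http://stage-example.invalid/x.php").decode()),
    ("cfg.ns-example.test", "TXT",
     base64.b64encode(b"redirect:https://scam-example.invalid/").decode()),
    ("other.example.test", "A", "192.0.2.10"),
    ("junk.example.test", "TXT", "not-base64!!"),
]


@dataclass
class Finding:
    name: str      # DNS name whose TXT answer carried the trigger
    decoded: str   # full decoded payload, kept for the analyst
    url: Optional[str]  # URL following the trigger, if one could be parsed


def decode_txt(rdata: str) -> Optional[str]:
    """Strictly Base64-decode a TXT rdata string; None if it is not Base64 text."""
    try:
        raw = base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def extract_down_url(decoded: str) -> Optional[str]:
    """Return the URL after the trigger word, or None if the payload lacks one."""
    m = DOWN_URL_RE.match(decoded)
    return m.group(1) if m else None


def hunt(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flag TXT answers whose decoded payload starts with the trigger word."""
    findings: List[Finding] = []
    for name, rrtype, rdata in records:
        if rrtype != "TXT":
            continue
        decoded = decode_txt(rdata)
        if decoded is None:
            continue  # ordinary TXT text (SPF, verification tokens) is not Base64
        if decoded.lower().startswith(TRIGGER):
            findings.append(Finding(name, decoded, extract_down_url(decoded)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.name}: trigger seen, url={f.url!r}")
```

Run it over exported resolver logs or passive-DNS data by replacing SAMPLE_RECORDS with your own (name, rrtype, rdata) tuples. Strict Base64 validation keeps the rule quiet on ordinary TXT content such as SPF or domain-verification strings, and a hit surfaces both the payload and the staging URL so the download host can be blocked or sinkholed.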
Infoblox collaborated with the Shadowserver Foundation to sinkhole two of Detour Dog’s command-and-control domains—webdmonitor[.]io and aeroarrows[.]io—on July 30 and August 6, 2025.
Additionally, Infoblox reported that Detour Dog likely operates as a distribution-as-a-service (DaaS) provider. The company found evidence of an “apparently unrelated file” spread through Detour Dog’s infrastructure, though it acknowledged that it “couldn’t validate what was delivered.”
Source: TheHackerNews