Detour Dog: DNS Malware Powers Strela Stealer Campaigns
ID: 0017ac58-c941-55d7-b228-83a880eb2e03
STIX ID: report--0017ac58-c941-55d7-b228-83a880eb2e03
Feed Name: Infoblox Threat Intel Blog
Detour Dog is a widespread website-malware campaign that uses server-side DNS TXT queries as a covert C2 and delivery channel: compromised sites query attacker-controlled domains and act on the TXT response to conditionally redirect visitors, execute remote code on the site, and stage infostealer distribution (StarFish / Strela Stealer). Sinkholing revealed roughly 30,000 infected hosts across hundreds of TLDs and tens of millions of TXT queries. The infrastructure combines redirector domains, affiliate TDS chains, and evolving TXT responses (including Base64-encoded "down" commands) to fetch and relay staged payloads while evading detection.
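The summary above describes the detectable artifact a defender has on the server side: web servers issuing an unusual volume of TXT queries whose answers are Base64 text carrying a command. The following added example (written for this page, not Infoblox's or Detour Dog's own code or IOCs) runs that heuristic over a few constructed DNS log lines. The tab-separated log format, the sample domains, and the `verb|argument` layout of a decoded answer (e.g. `down|<url>`) are all assumptions made for illustration; the exact on-the-wire TXT format used by the campaign is not given on this page.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Optional

# Strict Base64 alphabet and a loose URL matcher for decoded TXT payloads.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s|]+")


def decode_b64_text(s: str) -> Optional[str]:
    """Strictly decode a Base64 string to printable ASCII text, else return None.

    Legitimate TXT records (SPF, DMARC, verification tokens) almost never pass
    this check, which keeps the false-positive rate low.
    """
    s = s.strip()
    if len(s) < 8 or len(s) % 4 != 0 or not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def classify_txt_answer(answer: str) -> Optional[dict]:
    """Return a finding if a TXT answer decodes to a 'verb|argument' command with a URL.

    The 'verb|url' shape is an assumption for this example, not a published IOC.
    """
    text = decode_b64_text(answer)
    if text is None:
        return None
    verb, sep, _arg = text.partition("|")
    url = URL_RE.search(text)
    if sep and verb.isalpha() and url:
        return {"verb": verb.lower(), "url": url.group(0), "decoded": text}
    return None


def analyze(log: str, txt_threshold: int = 3) -> dict:
    """Count TXT queries per client and flag answers that look like encoded commands.

    Log lines are assumed to be: client_ip <TAB> qtype <TAB> qname <TAB> answer.
    """
    per_client_txt: dict = defaultdict(int)
    commands = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qtype, qname, answer = line.split("\t", 3)
        if qtype != "TXT":
            continue
        per_client_txt[client] += 1
        hit = classify_txt_answer(answer)
        if hit:
            commands.append({"client": client, "qname": qname, **hit})
    noisy = {c: n for c, n in per_client_txt.items() if n >= txt_threshold}
    return {"txt_counts": dict(per_client_txt), "noisy_clients": noisy, "commands": commands}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log: one web server (10.0.0.5) repeatedly querying an assumed
# redirector domain and receiving Base64 'down|<url>' answers, plus benign noise.
SAMPLE_LOG = "\n".join([
    f"10.0.0.5\tTXT\tcheck.redirector.example\t{_b64('down|http://loader.example/stage.bin')}",
    f"10.0.0.5\tTXT\tcheck.redirector.example\t{_b64('none')}",
    "10.0.0.5\tA\twww.example\t192.0.2.10",
    "10.0.0.7\tTXT\t_dmarc.example\tv=DMARC1; p=none",
    f"10.0.0.5\tTXT\tcheck.redirector.example\t{_b64('down|https://tds.example/go')}",
])

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for c in result["commands"]:
        print(f"{c['client']} <- {c['qname']}: {c['verb']} {c['url']}")
    print("noisy clients:", result["noisy_clients"])
```

In practice the two signals are stronger together than apart: a web server that should never originate TXT queries is already anomalous, and a TXT answer that strictly decodes to printable text containing a URL is rare outside this kind of DNS-based C2. Tune `txt_threshold` to the baseline of the host being monitored.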
