A threat actor dubbed Detour Dog has used server-side DNS TXT lookups to conditionally redirect visitors of compromised websites and, more recently, to deliver remotely staged payloads by returning Base64-encoded “down” URLs that instruct infected sites to curl and relay staged malware from Strela/StarFish infrastructure. This campaign has been tied to distribution chains involving REM Proxy, Tofsee, Help TDS, Monetizer, and Los Pollos affiliate IDs, and it persisted across thousands of sites and many registrars despite sinkholing efforts. #DetourDog #StrelaStealer
Key points
- Detour Dog operates a DNS TXT-based C2: infected websites issue server-side TXT queries and use the response to decide whether to show benign content, redirect the visitor to scams, or execute remote code via returned “down” URLs.
- Since June 2025 the actor has returned Base64-encoded TXT responses containing “down” prefixed URLs, causing compromised sites to curl remote PHP endpoints and relay their output to victims.
- Detour Dog infrastructure hosted or relayed staging for StarFish backdoor and Strela Stealer; analysis shows significant overlap between Detour Dog TXT responses and Hive0145/Strela C2 domains.
- Distribution chains included spam delivery by REM Proxy (MikroTik botnet) and Tofsee, with Detour Dog-hosted domains used as first-stage hosts and redirectors like advertipros[.]com and flow-distributor[.]com.
- Sinkholing of webdmonitor[.]io and aeroarrows[.]io by Shadowserver revealed ~30,000 infected hosts across 584 TLDs and tens of millions of TXT queries, including high-volume bot-like traffic and encoded IPs inconsistent with human users.
- Detour Dog has a long history (tracked back to 2020) of using affiliate networks (Help TDS, Monetizer, Los Pollos/Taco Loco) and unique tracking identifiers to connect activity across campaigns and TDS flows.
- Attempts to remediate via registrar reporting had limited effect; the actor quickly re-established C2 domains and continued operations, demonstrating resilience and use of bulletproof hosting/providers.
MITRE Techniques
- [T1071] Application Layer Protocol – DNS TXT records were used as a command-and-control channel to deliver commands and URLs: “responses to TXT record queries are Base64-encoded and explicitly include the word ‘down’ to trigger this new action.”
- [T1105] Ingress Tool Transfer – Remote PHP endpoints (e.g., script.php, file.php) were fetched by compromised sites via curl to retrieve next-stage payloads: “the ‘down’ command instructs the infected site to request the specified URL with curl and pass the output… into the body of the response to the victim.”
- [T1020] Automated Exfiltration (covert relay behavior) – Compromised sites relay outputs from C2 servers to victims, effectively moving malicious content through intermediary hosts: “…the compromised site acts as a relay for the C2, passing the output from the C2 server to the client.”
- [T1498] Domain Generation Algorithms / DNS-based Evasion – Use of specially formatted DNS queries embedding visitor info and type fields to elicit tailored TXT responses and evade detection: “the query format… ….c2_domain … the actor began encoding information about the client device type.”
- [T1041] Exfiltration Over C2 Channel (DNS) – DNS queries included encoded visitor IPs and identifiers, and TXT responses contained encoded C2 URLs used to coordinate multi-stage delivery: “we analyzed over 4 million TXT records… The TXT responses are Base64 encoded and currently have the form https:///?.”
- [T1090] Proxy (use of third-party compromised sites and redirectors) – Threat actor used compromised websites and redirector domains to obscure origin of malicious payloads and relay content: “compromised sites also appeared to host the first stage of the information stealer… the compromised site acts as a relay.”
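The T1071 and T1105 entries above describe a C2 channel whose commands are Base64-encoded TXT answers, some of them “down”-prefixed URLs. The following is an added detection example, not code from the report or from the actor's tooling: it walks a constructed resolver log, decodes each TXT answer that is clean Base64, buckets the decoded payload as a “down” command, a bare redirect URL, or something else, and separately flags clients whose TXT query volume looks bot-like (the sinkhole observation in the key points). The log layout, the `*.invalid` domains, the `down <url>` spacing and the 50-query cutoff are all assumptions for the example; the report only states that answers are Base64 and contain the word “down”.

```python
"""Flag DNS TXT answers that look like Detour Dog-style 'down' commands."""
import base64
import binascii
import re
from collections import Counter
from typing import Optional

URL_RE = re.compile(r"^https?://[^\s\"']+$")
QUERY_THRESHOLD = 50  # TXT queries per client before the source is called bot-like (assumed cutoff)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed resolver log, one "<client_ip> <qname> TXT <answer>" record per line.
# The layout, the *.invalid domains and the "down <url>" spacing are assumptions
# for this example; the report quotes only that answers are Base64 and contain "down".
_LINES = [
    f'10.0.0.5 1a2b.c2-example.invalid TXT "{_b64("ok")}"',
    f'10.0.0.5 3c4d.c2-example.invalid TXT "{_b64("https://redirect-example.invalid/?k=1")}"',
    f'10.0.0.9 5e6f.c2-example.invalid TXT "{_b64("down https://staging-example.invalid/script.php?u=test1")}"',
    '10.0.0.7 www.example.com TXT "v=spf1 -all"',
]
# One client hammering the C2 zone, to exercise the volume check.
_LINES += [f'10.0.0.9 q{i:04d}.c2-example.invalid TXT "{_b64("ok")}"' for i in range(60)]
SAMPLE_LOG = "\n".join(_LINES)


def decode_txt(answer: str) -> Optional[str]:
    """Return the decoded text if the TXT answer is strict Base64 of UTF-8, else None."""
    raw = answer.strip().strip('"')
    if not raw or len(raw) % 4:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(decoded: str) -> str:
    """Bucket a decoded TXT payload by what it would make a compromised site do."""
    if decoded.lower().startswith("down"):
        return "down-command"   # fetch-and-relay instruction
    if URL_RE.match(decoded):
        return "redirect-url"   # conditional redirect target
    return "other"


def analyze(log_text: str) -> dict:
    """Summarise a resolver log: payload classes, 'down' hits, and noisy clients."""
    per_class = Counter()
    per_client = Counter()
    down_hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        client, qname, _, answer = parts
        per_client[client] += 1
        decoded = decode_txt(answer)
        if decoded is None:
            per_class["not-base64"] += 1
            continue
        kind = classify(decoded)
        per_class[kind] += 1
        if kind == "down-command":
            down_hits.append((client, qname, decoded))
    noisy = sorted(c for c, n in per_client.items() if n >= QUERY_THRESHOLD)
    return {"counts": dict(per_class), "down_hits": down_hits, "noisy_clients": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, qname, payload in result["down_hits"]:
        print(f"down command to {client} via {qname}: {payload}")
    print("noisy clients:", result["noisy_clients"])
    print("counts:", result["counts"])
```

Strict Base64 validation matters here: ordinary TXT content such as SPF records fails the alphabet or length check and is never decoded, while short legitimate strings that happen to be valid Base64 are still harmless because the decision is made on the decoded content, not on decodability alone.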
Indicators of Compromise
- [Domains] redirectors and C2/infrastructure – advertipros[.]com, flow-distributor[.]com, and other redirector domains used in TXT responses; aeroarrows[.]io, webdmonitor[.]io, infosystemsllc[.]com, updatemsdnserver[.]com, updatemssoft[.]com, thinkpadwork[.]com (and others listed)
- [IP Addresses] malware C2 / hosting – 176[.]65[.]138[.]152 (observed serving script.php/server.php), 95[.]164[.]123[.]57 (hosting updatemsdnserver[.]com and related domains)
- [File/Endpoint Names] staging and payload endpoints – script.php, file.php used as staging endpoints for StarFish/Strela delivery; example URLs: http://176[.]65[.]138[.]152/script.php?u=j6cwaj0h67, http://updatemsdnserver[.]com/script.php?u={id}
- [Domains seen in TXT/down responses] redirector and staging domains – thinkpadwork[.]com (decoded down URL), advertipros[.]com, infosystemsllc[.]com, flow-distributor[.]com, nupdate0625[.]com, msdnupdate[.]com
- [Compromised sites] example infected hosts – ywcanevada[.]org (hosted StarFish first-stage), yy[.]ua (observed high-volume queries and nwuutest types)