Strela Stealer running detour dog running through a DNS-powered malware factory

By user, October 3, 2025

The threat actor known as Detour Dog has been exposed as a major player in a campaign distributing an information stealer known as Strela Stealer.

This is according to findings from Infoblox, which determined that the threat actor maintains control over the domains hosting a backdoor called StarFish, the first stage of the Strela Stealer infection chain.

The DNS threat intelligence company said it has been tracking Detour Dog since August 2023, when Sucuri, owned by GoDaddy, disclosed details of an attack targeting WordPress sites that embedded malicious JavaScript and used DNS TXT records as a communication channel for a traffic delivery system (TDS), redirecting site visitors to scam sites and malware. Traces of the threat actor date back to February 2020.

“Traditionally these redirects have led to scams, but the malware has recently evolved and now runs remote content via a DNS-based command and control (C2) system,” Infoblox said. “We track the threat actor who controls this malware as Detour Dog.”

According to the company, infrastructure owned by Detour Dog is used to host StarFish, a simple reverse shell that acts as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force said the backdoor is delivered via malicious SVG files with the aim of providing persistent access to infected machines.

HIVE0145, the threat actor believed to be solely behind the Strela Stealer campaign since at least 2022, has been assessed as financially motivated, operating as an initial access broker (IAB) that gains access to compromised systems and sells that access.

Infoblox’s analysis revealed that at least 69% of confirmed StarFish staging hosts are under the control of Detour Dog, and that the MikroTik botnet advertised as REM Proxy is powered by SystemBC, as revealed by Lumen’s Black Lotus Labs.


Specifically, it was revealed that the spam email messages distributing Strela Stealer originated from two other botnets, REM Proxy and Tofsee, the latter having been propagated in the past via a C++-based loader called PrivateLoader. In both cases, Detour Dog infrastructure hosted the first phase of the attack.

“The botnets were contracted to deliver spam messages, and Detour Dog was contracted to deliver malware,” Dr Renée Burton, vice president of threat intelligence at Infoblox, told Hacker News.

Additionally, the Detour Dog malware has been modified to facilitate distribution of the stealer via DNS TXT records: threat-actor-controlled DNS name servers parse specially formatted DNS queries from compromised sites and respond with remote code execution commands.

When it comes to acquiring new infrastructure, Detour Dog’s trick is to exploit vulnerable WordPress sites to inject malicious code, but the company says the way it does so continues to evolve.

A notable aspect of the attack is that the compromised websites function normally roughly 90% of the time, thus not raising a red flag and allowing the malware to persist for a long time. However, in selected instances (approximately 9%), site visitors are redirected to scams via Help TDS or Manager TDS. In a much rarer scenario (1%), the site receives a remote file execution command. The redirects are believed to be limited in a bid to avoid detection.

This development is notable because it is the first time Detour Dog has been observed distributing malware, marking a shift from acting solely as a supplier of traffic to Los Pollos, a malicious ad technology company operating under the VexTrio Viper umbrella.

“We think it evolved from fraud to include the distribution of malware for financial reasons,” Burton said. “There’s been a big focus in the security industry over the past 12-18 months to stop the types of scams that Detour Dog has supported in the past. We can’t confirm that, but I believe they’ve made less money.”

Complementing these changes is the fact that the malware on the websites used by Detour Dog has undergone its own evolution, gaining the ability to command infected websites to execute code fetched from remote servers.

As of June 2025, the response could instruct infected sites to retrieve the output of a PHP script from a confirmed Strela Stealer C2 server, effectively turning the sites into malware distributors.

“The response to the TXT record query is Base64 encoded and explicitly includes the word ‘Down’ to trigger this new action,” the company says. “We believe we have identified a new network malware distribution model using DNS, where different stages are fetched from different hosts under threat actor control and relayed back to users when they interact with campaign lures, e.g. email attachments.


“This new setup allows attackers to hide their identity behind the compromised website, making the operation more resilient, and at the same time it can help mislead threat hunters, as the malware is not hosted where the analyzed attachments indicate.”

The entire sequence of actions unfolds as follows:

  • The victim opens a malicious document, which launches an SVG file that reaches out to a compromised domain.
  • The compromised site sends a DNS TXT record request to the Detour Dog C2 server.
  • The name server responds with the URL of the staging site.
  • The downloader is sent to the client (i.e., the victim), which then initiates a call to another compromised domain.
  • The second compromised domain sends a similar DNS TXT query to the Detour Dog C2 server.
  • The compromised domain acts as a relay, delivering the malware to the client (i.e., the victim).

Infoblox said it worked with the Shadowserver Foundation to sinkhole two of the Detour Dog C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

The company also noted that the threat actor is likely acting as a distribution-as-a-service (DaaS) provider, adding that evidence of “clearly unrelated files” propagated through the infrastructure has been found. However, it pointed out that “we were unable to verify what was delivered.”
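The two observations above, a Base64-encoded TXT answer carrying the ‘Down’ trigger word and TXT lookups being issued by compromised web servers rather than by resolvers or mail hosts, can be turned into defender-side detection logic. The Python below is an added example written for this page; it is not Infoblox’s tooling or anything from the article. The log line format, the host names, the inventory of web servers and every sample record are constructed assumptions; the regular-expression heuristics are likewise this example’s own, not an Infoblox signature.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed passive-DNS log line format (constructed for this example):
#   <timestamp> <client-host> <qtype> <qname> -> <answer>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+->\s+(?P<answer>.*)$'
)
B64_RE = re.compile(r'[A-Za-z0-9+/]+={0,2}')   # whole answer must look like Base64
TRIGGER_RE = re.compile(r'\bDown\b')           # trigger word reported by Infoblox
URL_RE = re.compile(r'https?://\S+')           # decoded answer pointing at a remote stage


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    severity: str
    reasons: List[str]
    decoded: Optional[str]


def decode_b64_text(answer: str) -> Optional[str]:
    """Return the decoded text if the TXT answer is valid Base64 that decodes to
    printable UTF-8; return None for SPF/DKIM/DMARC-style plain-text answers or binary."""
    text = answer.strip().strip('"')
    if len(text) < 8 or not B64_RE.fullmatch(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return None
    return decoded if decoded.isprintable() else None


def analyze_line(line: str, web_servers: set) -> Optional[Finding]:
    """Score one log line; only TXT lookups can produce a finding."""
    m = LOG_RE.match(line)
    if not m or m['qtype'] != 'TXT':
        return None
    reasons = []
    decoded = decode_b64_text(m['answer'])
    if decoded is not None:
        if TRIGGER_RE.search(decoded):
            reasons.append('Base64 TXT answer contains the "Down" trigger word')
        if URL_RE.search(decoded):
            reasons.append('Base64 TXT answer carries a URL (remote fetch instruction)')
    content_hit = bool(reasons)
    from_web = m['client'] in web_servers
    if from_web:
        reasons.append('TXT lookup issued by a web server host')
    if not reasons:
        return None
    # A web server doing a TXT lookup on its own is low signal (SPF/DKIM checks are
    # legitimate); the encoded payload is what raises the severity.
    severity = 'high' if (content_hit and from_web) else 'medium' if content_hit else 'low'
    return Finding(m['ts'], m['client'], m['qname'], severity, reasons, decoded)


def scan_log(lines: List[str], web_servers: set) -> List[Finding]:
    return [f for f in (analyze_line(l, web_servers) for l in lines) if f is not None]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Assumed inventory of hosts that serve web content (constructed).
WEB_SERVERS = {'www-01', 'www-02'}

# Constructed sample records; the .invalid domains are placeholders, not real IoCs.
SAMPLE_LOG = [
    f'2025-10-03T10:00:01Z www-01 TXT k7f3x.c2-ns.invalid -> "{_b64("Down http://stage.example.invalid/p.php")}"',
    '2025-10-03T10:00:02Z mail-01 TXT example.com -> "v=spf1 mx -all"',
    '2025-10-03T10:00:03Z laptop-42 TXT _dmarc.example.com -> "v=DMARC1; p=reject"',
    '2025-10-03T10:00:04Z www-02 TXT sel1._domainkey.example.com -> "v=DKIM1; k=rsa; p=MIGfMA0G"',
    f'2025-10-03T10:00:05Z laptop-42 TXT q9.c2-ns.invalid -> "{_b64("Down http://stage.example.invalid/q.php")}"',
    '2025-10-03T10:00:06Z www-01 A www.example.com -> 192.0.2.10',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG, WEB_SERVERS):
        print(f'[{f.severity}] {f.ts} {f.client} {f.qname}: {"; ".join(f.reasons)}')
        if f.decoded:
            print(f'    decoded: {f.decoded}')
```

Run stand-alone, the script reports the first record as high severity (encoded “Down” plus a URL, from a web server), the DKIM lookup from www-02 as low (web server, plain-text answer) and the laptop’s encoded answer as medium. In a real deployment the web-server set would come from asset inventory and the low-severity hits would be tuned out with an allow-list of expected TXT names.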
