Don’t be too alarmed, but tens of thousands of legitimate websites around the world are now quietly doing the bidding of cybercriminals.
Behind what looks like a normal homepage, malware is using the Domain Name System (DNS) – the same protocol that basically “runs” the internet, translating web addresses into IP numbers – to secretly contact attacker-controlled servers and decide who gets redirected, infected, or left alone.
What’s left is an invisible layer of compromise that most visitors, and even many security tools, will never detect.
Vice President of Threat Intel for Infoblox.
The culprit, which our researchers named “Detour Dog,” is a long-running malware operation that has cunningly evolved from running advertising scams into distributing powerful information-stealing malware. The genius of this campaign lies in misdirection and disguise.
The site you see when you’re browsing the internet may look fine, but the one your browser talks to behind the scenes might be “fetching” commands from a criminal infrastructure halfway across the world – hence the “Detour Dog” label.
In recent months, that infrastructure has been used to deliver Strela Stealer, where infected attachments in emails trigger the hidden DNS channel to fetch and execute malware.
Detour Dog’s reach is quite staggering. More than 30,000 websites have been compromised, collectively generating millions of DNS TXT record queries per hour, each one a potential signal for remote code execution or redirection.
Because the malicious logic runs on the web server itself, it leaves no visible trace on the user’s machine. Most visits appear entirely legitimate. Only a small fraction, roughly one in ten, trigger any kind of malicious action at all, which makes it extraordinarily difficult to detect or reproduce.
What we’re seeing is a stealth campaign that can persist for more than a year on the same domain, quietly siphoning data, redirecting traffic, and weaponizing one of the Internet’s most trusted systems – DNS – against itself.
Are you watching closely?
Almost as old as the internet itself, DNS is the system that translates a name like TechRadar.com into the numeric address your browser needs to connect to it. When created it was not designed with the security challenges of 2025 in mind, and that’s a persistent problem, but Detour Dog has found a way to completely weaponize it.
Instead of using DNS to resolve legitimate queries, the malware uses it as a covert command channel, hiding instructions in so-called “TXT records” – fields normally used for harmless configuration data or email verification.
When a compromised website makes one of these DNS queries, the attacker’s name server replies with a coded message: sometimes to “do nothing,” sometimes to redirect the visitor elsewhere, and occasionally to fetch and execute malicious content.
Because all of this happens server-side, it’s invisible to the person browsing the site and almost impossible for traditional endpoint protection to spot. Your virus protection software is no good here.
It’s incredibly pervasive, but it’s also surprisingly simple. By turning the DNS lookup itself into the mechanism for control, Detour Dog avoids the usual red flags of a standard malware infection. There are no suspicious downloads, no pop-ups, no new processes to analyze – just a website quietly following instructions that it shouldn’t.
It’s the digital equivalent of a sleight-of-hand trick: while defenders are watching one hand of the magician, the real action happens up their sleeve or behind their back.
The result is a card-trick of malware distribution, where every request looks legitimate and the true location of the payload is always one step removed from where anyone expects it to be.
From scamming to stealing
When Detour Dog first surfaced, its purpose seemed almost petty in comparison with other attacks. The infected sites “simply” redirected users to online scams and fake CAPTCHA pages designed to harvest clicks and ad revenue. But sometime in late 2024, the operation took a darker turn.
The same infrastructure that once funneled traffic to dubious advertising networks began acting as a delivery platform for serious malware.
By mid-2025, it was being used to distribute Strela Stealer, an information-stealing program spread via malicious email attachments that can exfiltrate browser data, saved credentials, and system information.
Detour Dog does not host the malware directly. Instead, it acts as a DNS relay, quietly fetching remote payloads from attacker-controlled servers and serving them through the compromised website itself.
So, what even is Detour Dog, you ask? That is still a tough question. It is unknown whether Detour Dog is a service provider or simultaneously operating campaigns of their own. But we know that the threat actor allowed other actors such as the infamous Hive0145 to distribute their own payloads through Detour Dog’s channels.
Our team found that more than two-thirds of the staging domains linked to these campaigns were controlled by Detour Dog, suggesting that the operation has effectively offered delivery for hire.
For ordinary users like you and me, this means that a single click on a seemingly safe website or a legitimate-looking invoice email could trigger an invisible chain reaction: a DNS request, a remote execution command, and finally, a silent infection that could result in your data being stolen.
Spam, botnets, and the new criminal supply chain
Email remains one of the key triggers for many of these chains. Malicious attachments (often fake invoices or similar) kick off a multi-stage process that doesn’t always fetch the final “payload” directly from the document.
Instead, those attachments point to compromised domains that consult Detour Dog’s name servers for instructions, turning a simple click into a server-side download and relay.
In the campaigns we and external researchers examined, REM Proxy (a MikroTik-based botnet) and Tofsee handled mass delivery, while Detour Dog supplied the sticky hosting and DNS relays that masked the malware’s true origin.
The outcome is apparently an “as-a-service” economy: one group sends the spam, another supplies resilient hosting and DNS C2, and a third (for example, the Strela Stealer operators Hive0145) supplies the payload.
Our analysis found roughly 69% of reported staging domains during the observed timeframe were under Detour Dog control, suggesting the infrastructure was being rented or reused as a delivery backend rather than serving a single campaign.
That division of labor makes takedowns and attribution harder, because if you remove one node the operators quickly reroute or stand up replacements, and it forces defenders to respond across email filtering and DNS-layer intelligence to block covert TXT-record commands before they trigger downstream.
Detour Dog is a reminder that some of the most dangerous threats can linger just a click away. By utilizing DNS itself, attackers have found a way to turn everyday web traffic into a covert delivery system for malware and data theft. The only way to counter it is to treat DNS as a frontline defense layer.
We’ve featured the best online cybersecurity course.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
link