Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer
Briefly

"The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when GoDaddy-owned Sucuri disclosed details of attacks targeting WordPress sites to embed malicious JavaScript that used DNS TXT records as a communication channel for a traffic distribution system (TDS), redirecting site visitors to sketchy sites and malware. Traces of the threat actor date back to February 2020."
"In a report published in July 2025, IBM X-Force said the backdoor is delivered by means of malicious SVG files with the goal of enabling persistent access to infected machines. Hive0145, the threat actor exclusively behind Strela Stealer campaigns since at least 2022, is assessed to be financially motivated and is likely operating as an initial access broker (IAB), acquiring and selling access to compromised systems for profit."
Detour Dog controls the domains that host StarFish, the first-stage backdoor used to deliver the Strela Stealer information stealer. Traces of the actor go back to February 2020; activity escalated from August 2023, when compromised WordPress sites were found embedding malicious JavaScript that used DNS TXT records as the communication channel for a traffic distribution system (TDS). The redirects progressed from scam sites to executing remote content fetched through a DNS-based command-and-control mechanism. StarFish functions as a simple reverse shell and serves as the conduit for Strela Stealer; it can be delivered via malicious SVG files to establish persistent access. Hive0145, the group exclusively behind Strela Stealer campaigns since at least 2022, operates as a financially motivated initial access broker. A MikroTik/REM Proxy botnet powered by SystemBC was also part of the attack chain.
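The summary above describes DNS TXT records doubling as a redirect and command channel. As an added example (not code from The Hacker News article, Infoblox, Sucuri or IBM X-Force), the following Python script shows the kind of triage a defender can run over resolver logs to surface TXT answers that look like a TDS or C2 channel rather than the usual SPF/DMARC/DKIM records. The log layout (tab-separated timestamp, source host, query name, query type, answer data), every hostname and every payload are constructed for this example; the page does not describe the actual record format Detour Dog uses, so the checks are generic (a URL in the answer, base64 that decodes to a URL, high-entropy blobs) rather than actor-specific.

```python
"""Triage DNS TXT answers for use as a redirect/C2 channel.

Added example, not code from the article or the vendors it cites.
Assumed log format (constructed): ts<TAB>src<TAB>query<TAB>qtype<TAB>answers
"""
import base64
import math
import re
from collections import Counter

# TXT records that legitimately appear in bulk; assumed list, extend as needed.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=", "MS=")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; base64/encrypted blobs usually land above ~4.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_txt(answer: str):
    """Return (verdict, decoded) for one TXT rdata string."""
    a = answer.strip().strip('"')
    if a.startswith(BENIGN_PREFIXES):
        return "benign", None
    if URL_RE.search(a):                      # plain redirect target or script URL
        return "url", None
    if B64_RE.match(a):
        try:
            decoded = base64.b64decode(a, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = None
        if decoded and decoded.isprintable() and URL_RE.search(decoded):
            return "base64-url", decoded      # URL hidden behind one layer of encoding
        if len(a) >= 32 and shannon_entropy(a) > 4.5:
            return "high-entropy", None       # opaque blob; worth a manual look
    return "unclassified", None


def parse_log(text: str):
    """Parse the assumed tab-separated log into dicts; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, query, qtype, answers = line.split("\t", 4)
        records.append({"ts": ts, "src": src, "query": query,
                        "qtype": qtype, "answers": answers})
    return records


def scan(text: str):
    """Return TXT records whose answer looks like a redirect or command payload."""
    findings = []
    for rec in parse_log(text):
        if rec["qtype"] != "TXT":
            continue
        verdict, decoded = classify_txt(rec["answers"])
        if verdict in ("benign", "unclassified"):
            continue
        findings.append({**rec, "verdict": verdict, "decoded": decoded})
    return findings


def source_counts(findings):
    """Hosts (e.g. web servers) repeatedly pulling suspicious TXT answers stand out."""
    return dict(Counter(f["src"] for f in findings))


# Constructed sample telemetry; the base64 line is built here so it is exact.
PAYLOAD_B64 = base64.b64encode(b"https://redirect.example.invalid/land").decode()
SAMPLE_LOG = "\n".join([
    "1700000000.1\t10.0.0.5\twww.example.org\tA\t198.51.100.1",
    "1700000001.2\t10.0.0.7\t_dmarc.example.com\tTXT\tv=DMARC1; p=reject",
    f"1700000002.3\t10.0.0.7\tcheck.tds-example.invalid\tTXT\t{PAYLOAD_B64}",
    "1700000003.4\t10.0.0.7\tcmd.tds-example.invalid\tTXT\thttp://drop.example.invalid/s.php",
    "1700000004.5\t10.0.0.9\texample.com\tTXT\tv=spf1 include:_spf.example.com ~all",
])

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['src']} {f['query']} {f['verdict']}: {f['decoded'] or f['answers']}")
    print(source_counts(hits))
```

In a real deployment the interesting signal is the combination: a web server (not a mail host) that resolves TXT records for domains it has no business with, with answers that decode to URLs or commands. Tuning the benign list and the entropy threshold to local traffic is what keeps the false-positive rate workable.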
Read at The Hacker News