{
	"id": "b46a05a6-9bcb-4d8d-a9fa-9a67c99fd795",
	"created_at": "2026-04-06T00:18:25.376981Z",
	"updated_at": "2026-04-10T13:11:26.735032Z",
	"deleted_at": null,
	"sha1_hash": "369ca7e14a828ba86cccb46b7d10e14197b55353",
	"title": "DNS Beacons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51689,
	"plain_text": "DNS Beacons\r\nBy DigiCert Team\r\nPublished: 2025-01-23 · Archived: 2026-04-05 14:35:35 UTC\r\nAs security operations centers (SOCs) have enhanced their capabilities in detecting malware command and control\r\n(C2) activities, the landscape of cybersecurity has evolved significantly. Initially, SOCs relied on signature-based\r\ndetection methods, which could only identify known threats. Over time, advancements in threat intelligence and\r\nthe integration of machine learning have enabled SOCs to detect and respond to previously unknown attack\r\npatterns. This continuous improvement in threat detection forced cybercriminals to innovate novel methods to\r\nmaintain stealth. One such technique is DNS beaconing—a stealthy method used by attackers to maintain control\r\nover compromised systems via command and control (C2) servers. This article will demystify DNS beaconing,\r\nexplain its intricacies, and provide actionable insights to help business professionals and organizations protect\r\nagainst this cybersecurity threat.\r\nWhat Are DNS Beacons?\r\nDNS beacons are a technique employed by malware to establish and sustain a persistent connection with a C2\r\nserver. This process relies on the DNS protocol as a communication channel between the compromised system\r\nand the attacker’s server. Unlike other forms of DNS abuse that target the DNS infrastructure itself, DNS\r\nbeaconing utilizes DNS as a transfer medium, allowing the attackers to operate under the radar without directly\r\nattacking the DNS system.\r\nOn the surface, DNS beaconing seems like DNS tunneling. However, a huge differentiator is its low-frequency\r\ncommunication pattern. This means that the malware interacts with the C2 server infrequently, making it difficult\r\nfor traditional intrusion detection systems to identify the beaconing activity. 
By disguising their connections as\r\nbenign DNS requests, cybercriminals have a fallback mechanism when their primary command and control is\r\ndisabled and can continue to execute commands and exfiltrate data from the compromised system without raising\r\nalarms.\r\nHow Do DNS Beacons Happen?\r\nDNS beaconing typically involves several stages to execute successfully. Initially, malware infiltrates a target\r\nsystem—often through phishing emails or exploit kits. Once inside, the malware establishes a communication\r\nchannel with its C2 servers through HTTP, HTTPS, or DNS queries.\r\nThroughout normal operation, the malware communicates with its C2 servers to receive commands and attack\r\npayloads and to exfiltrate data. These packets can be encrypted, making it challenging for security professionals to\r\nanalyze the traffic and understand its true nature. The C2 server can then send commands back to the malware,\r\ndirecting it to carry out various malicious activities on the compromised system.\r\nhttps://vercara.digicert.com/resources/dns-beacons#page_top\r\nPage 1 of 5\n\nHowever, when malware frequently communicates with its C2 servers and performs network-intensive operations\r\nsuch as data exfiltration, that conversation is easier to detect and is blocked by SOC operations staff. As a result,\r\nmalware developers started to add resiliency measures to keep control of their malware. One of those methods is\r\nDNS beaconing.\r\nIn DNS beaconing, malware uses DNS tunneling as a backup communications channel which it only uses when\r\nthe primary communications have failed. They then typically transmit instructions to the malware to allow it to\r\nreconnect with their primary C2 and then go dormant. 
Some DNS beacons might only be used less than once a\r\nmonth or only when the primary C2 is unavailable.\r\nThis continuous primary and backup command and control setup allows attackers to maintain control over the\r\nsystem while evading detection by security measures that rely on identifying frequent or large data transfers.\r\nDNS beaconing can also use domain generation algorithms (DGAs) and fast flux. DGAs generate many semi-random domains that malware-infected machines will try to connect to as a means to establish communication\r\nchannels with C2 servers. Fast flux is a technique to modify DNS resource records rapidly using IP addresses of\r\nlegitimate infrastructure providers in addition to the malware C2 IP addresses in a way to gain a positive\r\nreputation score for the domain. These techniques allow attackers to quickly switch between different domains in\r\ncase one gets detected or taken down by security measures.\r\nExamples of DNS Beacons\r\nDNS beaconing is not just a theoretical risk; it is a real-world threat with numerous documented cases. For\r\ninstance, Cobalt Strike’s DNS Beacon feature leverages DNS requests to communicate with a C2 server. This\r\nCobalt Strike payload uses DNS lookups against domains that the attacker’s server has authority over. 
The DNS\r\nresponse then instructs the Beacon to either remain dormant or connect to the C2 server to receive tasks.\r\nNumerous malware and attack groups have used DNS beaconing:\r\nAPT32 (OceanLotus): Known for targeting entities in Southeast Asia, APT32 used DNS beaconing as a\r\nsecondary method of communication with its command-and-control infrastructure, ensuring continued\r\naccess even if primary channels were disrupted.\r\nAPT29 (Cozy Bear): This high-profile group, suspected of being linked to Russian intelligence, has\r\nutilized DNS-based communications to maintain a resilient connection with compromised nodes, allowing\r\nfor stealthy data exfiltration and remote control.\r\nSunburst (SolarWinds Hack): Notably, the malware used in the SolarWinds attack incorporated DNS\r\nbeaconing to discreetly communicate with its C2 servers, allowing attackers to receive commands and\r\ncarry out espionage activities across high-value network segments.\r\nZloader: A banking Trojan that has employed DNS beacons to update its C2 server configurations\r\ndynamically, ensuring persistence and adaptability in its operations across infiltrated networks.\r\nPlugX: This modular malware family has been observed using DNS-based tactics for C2 communication,\r\nallowing operators to manage compromised systems across Asia while evading detection through more\r\nconventional monitoring approaches.\r\nHow DNS Beacons Impact Your Business\r\nDNS beaconing is intricately linked with malware, and its impact can be just as severe. When an attacker\r\nsuccessfully compromises your network and employs DNS beacons, they can maintain a persistent and covert\r\nconnection to their command-and-control infrastructure. This allows them to carry out various malicious activities\r\nover extended periods without being detected. 
Such activities may include data exfiltration, where sensitive\r\ninformation is stolen and transferred outside the network, lateral movement within the network to access\r\nadditional systems and resources, and the installation of additional malware to further entrench their presence.\r\nThis prolonged access can lead to devastating consequences, including data breaches, theft of intellectual property,\r\nand significant financial and reputational damage to the affected organization.\r\nThe use of DNS beaconing also presents a formidable challenge for incident response efforts. Traditional security\r\nsolutions, which often rely on signature-based detection, may not effectively detect or alert on DNS-based\r\ncommunications. This makes it difficult for defenders to accurately identify and respond to these threats in a\r\ntimely manner. As a result, organizations may experience prolonged compromise, increased risk of sensitive data\r\ntheft, and further damage to their reputation due to delayed response and mitigation efforts.\r\nMoreover, the use of DNS beaconing can have additional impacts on business operations by adversely affecting\r\nnetwork performance. With a marked increase in DNS traffic resulting from beaconing activity, legitimate\r\nnetwork operations may experience delays or even disruptions. This can lead to operational inefficiencies,\r\nhampering productivity and potentially causing financial losses. 
The disruption of critical business processes due\r\nto slow network performance can have cascading effects, impacting customer satisfaction and business continuity.\r\nTo effectively combat the threat posed by DNS beaconing, organizations must adopt comprehensive security\r\nstrategies that include advanced detection techniques capable of identifying anomalous DNS traffic patterns.\r\nRegular network monitoring, threat intelligence, and employee awareness training should be part of an\r\norganization’s cybersecurity posture to minimize the risks associated with such sophisticated attacks.\r\nPreventing DNS Beacons\r\nDue to its stealthy nature, detecting DNS beaconing is challenging for traditional intrusion detection systems.\r\nHowever, there are some techniques that SOC operators and Cyber Threat Intelligence Teams can use to identify\r\nand mitigate this type of attack:\r\nUse Protective DNS. Protective DNS services, also known as managed DNS firewalls, can be instrumental in\r\nsafeguarding your network by preventing communication with malicious domains. These services work by\r\nmaintaining a constantly updated list of known malicious domains, which is compiled through extensive threat\r\nintelligence and monitoring. When a request is made to access a domain, the service cross-references it against\r\nthis list and blocks any that are identified as harmful. This proactive approach prevents potential cyber threats and\r\nhelps reduce the risk of data breaches and other security incidents. By incorporating Protective DNS into your\r\ncybersecurity strategy, you can enhance your network’s resilience against evolving online threats.\r\nEndpoint Security\r\nImplement comprehensive endpoint security solutions that can effectively detect and neutralize malware. 
These\r\nsolutions should be capable of identifying malicious software that attempts to establish DNS beaconing channels\r\non individual systems. By doing so, they help protect against unauthorized data exfiltration and ensure the\r\nintegrity of the network’s endpoints. Regular updates and monitoring of these security systems are crucial to\r\nadapting to evolving threats and maintaining robust protection.\r\nMonitor DNS Traffic Patterns\r\nOrganizations should regularly monitor their network traffic for any unusual spikes or patterns in DNS activity\r\nthat could indicate beaconing or other suspicious activities. This monitoring can be achieved using specialized\r\ntools designed to analyze DNS traffic or through manual analysis of DNS logs. By establishing a baseline of\r\nnormal traffic patterns, organizations can more easily identify anomalies that may suggest malicious activity.\r\nImplement Domain Whitelisting\r\nBy creating and maintaining a comprehensive whitelist of approved and trusted domains, organizations can\r\nsignificantly limit the potential for unauthorized communication with outside entities. This approach helps to\r\ndetect attempts at DNS beaconing by blocking communications with domains that are unknown or unapproved.\r\nRegularly updating the whitelist ensures that it remains effective and relevant against evolving threats.\r\nEducate Employees on Social Engineering Tactics\r\nAttackers frequently use social engineering tactics to deceive employees and gain unauthorized access to an\r\norganization’s network, which can lead to DNS beaconing. Educating employees about these tactics—such as\r\nphishing emails, phone scams, or impersonation techniques—empowers them to recognize and respond\r\nappropriately to potential threats. 
Regular training sessions and awareness campaigns can reinforce this\r\nknowledge and help prevent successful attacks.\r\nUtilize Threat Intelligence\r\nStaying informed about the latest cyber threats and attack vectors is crucial for preparing defenses against DNS\r\nbeaconing attacks. Organizations should utilize reputable threat intelligence sources to gather information on\r\nemerging threats and share this intelligence with other organizations to create a collaborative defense strategy. By\r\nactively participating in information sharing, organizations can enhance their understanding of potential risks and\r\nimprove their ability to respond to new and sophisticated threats.\r\nRegular Software Updates\r\nIt is crucial to keep all software and systems consistently up to date as a proactive measure to safeguard against\r\nvulnerabilities. These vulnerabilities can be exploited by attackers to establish DNS beaconing channels, which\r\nare used to communicate with compromised systems. Regular updates ensure that known security flaws are\r\npatched, reducing the risk of unauthorized access and enhancing overall system security. By implementing a\r\nroutine update schedule, organizations can better protect their network infrastructure and maintain the integrity of\r\ntheir data.\r\nThe Future of DNS Beaconing\r\nAs detection technology continues to evolve, so do the tactics employed by cybercriminals and the malware that\r\nthey use. DNS beaconing is just one example of how attackers adapt and abuse existing protocols to achieve their\r\ngoals. 
By understanding the nuances of DNS beaconing and implementing proactive defenses, businesses can\r\nprotect themselves against this insidious threat and operate safely on a hostile Internet.\r\nHow DigiCert Can Help\r\nDigiCert’s UltraDNS Detection and Response (UltraDDR) is a leading protective DNS solution that preemptively\r\nblocks malicious queries and maps adversary infrastructure. It offers proactive security by integrating recursive\r\nand private DNS technologies, ensuring protection for employees in any location. UltraDDR detects and blocks\r\nthreats in real time, intercepts malicious traffic, reduces security team burnout, enforces usage policies, and\r\nenhances security audits.\r\nFor further insights and resources on DNS beaconing and cybersecurity best practices, consider reaching out to\r\nour expert team for personalized guidance.\r\nSource: https://vercara.digicert.com/resources/dns-beacons#page_top",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://vercara.digicert.com/resources/dns-beacons#page_top"
	],
	"report_names": [
		"dns-beacons#page_top"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/369ca7e14a828ba86cccb46b7d10e14197b55353.pdf",
		"text": "https://archive.orkl.eu/369ca7e14a828ba86cccb46b7d10e14197b55353.txt",
		"img": "https://archive.orkl.eu/369ca7e14a828ba86cccb46b7d10e14197b55353.jpg"
	}
}