A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer.
That's according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish.
The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when GoDaddy-owned Sucuri disclosed details of attacks targeting WordPress sites to embed malicious JavaScript that used DNS TXT records as a communication channel for a traffic distribution system (TDS), redirecting site visitors to sketchy sites and malware. Traces of the threat actor date back to February 2020.
"While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system," Infoblox said. "We are tracking the threat actor who controls this malware as Detour Dog."
Detour Dog-owned infrastructure, per the company, has been used to host StarFish, a simple reverse shell that serves as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force said the backdoor is delivered by means of malicious SVG files with the goal of enabling persistent access to infected machines.
Hive0145, the threat actor exclusively behind Strela Stealer campaigns since at least 2022, is assessed to be financially motivated and is likely operating as an initial access broker (IAB), acquiring and selling access to compromised systems for profit.
Infoblox's analysis has revealed that at least 69% of the confirmed StarFish staging hosts were under the control of Detour Dog, and that a MikroTik botnet advertised as REM Proxy – which, in turn, is powered by SystemBC, as uncovered by Lumen's Black Lotus Labs last month -- was also part of the attack chain.
Specifically, it has come to light that the spam email messages that distributed Strela Stealer originated from REM Proxy and another botnet dubbed Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past. In both cases, Detour Dog infrastructure hosted the first stage of the attack.
"The botnets were contracted to deliver the spam messages, and Detour Dog was contracted to deliver the malware," Dr. Renée Burton, vice president of threat intelligence at Infoblox, told The Hacker News.
What's more, Detour Dog has been found to facilitate the distribution of the stealer via DNS TXT records, with the threat actor-controlled DNS name servers modified to parse specially formatted DNS queries from the compromised sites and to respond to them with remote code execution commands.
Detour Dog's modus operandi when it comes to acquiring new infrastructure is by exploiting vulnerable WordPress sites to perform malicious code injections, although the company said the methods have since continued to evolve.
A notable aspect of the attack is that the compromised website functions normally 90% of the time, thereby raising no red flags and allowing the malware to persist for extended periods of time. In select instances (about 9%), however, a site visitor is redirected to a scam via Help TDS or Monetizer TDS; in a much rarer scenario (1%), the site receives a remote file execution command. It's believed that the redirections are limited in a bid to avoid detection.
The development marks the first time Detour Dog has been spotted distributing malware, a shift from acting as an entity responsible for exclusively forwarding traffic to Los Pollos, a malicious advertising technology company operating under the VexTrio Viper umbrella.
"We suspect that they evolved from scams to include malware distribution for financial reasons," Burton said. "There has been a great deal of focus in the security industry over the last 12-18 months to stop the type of scams Detour Dog has supported in the past. We believe they were making less money, though we can't verify that."
Complementing these changes is the fact that the website malware used by Detour Dog has witnessed an evolution of its own, gaining the ability to command infected websites to execute code from remote servers.
As of June 2025, the responses have directed the infected site to retrieve the output of PHP scripts from verified Strela Stealer C2 servers to likely distribute the malware -- suggesting the dual use of DNS as both a communication channel and a delivery mechanism.
"Responses to TXT record queries are Base64-encoded and explicitly include the word 'down' to trigger this new action," the company noted. "We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor's control and are relayed back when the user interacts with the campaign lure, for example, the email attachment.
"A novel setup like this would allow an attacker to hide their identity behind compromised websites, making their operations more resilient, meanwhile serving to mislead threat hunters because the malware isn't really where the analyzed attachments indicate the stage is hosted."
The entire sequence of actions unfolds as follows -
- Victim opens a malicious document, launching an SVG file that reaches out to an infected domain
- The compromised site sends a TXT record request to the Detour Dog C2 server via DNS
- The name server responds with a TXT record containing a Strela C2 URL, prefixed with "down"
- The compromised site removes the down prefix and uses curl to possibly fetch the StarFish downloader from the URL
- The compromised site acts as a relay to send the downloader to the client (i.e., the victim)
- The downloader initiates a call to another compromised domain
- The second compromised domain sends a similar DNS TXT query to the Detour Dog C2 server
- The Detour Dog name server responds with a new Strela C2 URL, again prefixed with "down"
- The second compromised domain strips the prefix and sends a curl request to the Strela C2 server to fetch StarFish
- The second compromised domain acts as a relay to send the malware to the client (i.e., the victim)
Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog's C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.
The company also pointed out that the threat actor likely functions as a distribution-as-a-service (DaaS) provider, adding it found evidence of an "apparently unrelated file" propagated through its infrastructure. However, it noted it "couldn't validate what was delivered."
