Detour Dog: Stealthy DNS Malware Campaign Hijacks 30,000+ Websites to Deliver Strela Stealer
In a complex attack chain that blends malicious advertising, DNS-based control, and multi-stage delivery schemes, researchers at Infoblox uncovered the operations of a cybercriminal group known by the alias Detour Dog. The group orchestrates infrastructure used to distribute the Strela Stealer trojan, leveraging not only botnets but also vulnerable WordPress sites and masking its activity as legitimate traffic.
The chain begins with a compromised SVG file which, when opened, reaches out to a hacked resource. That initial contact triggers a DNS TXT query to the command-and-control server, which replies with an encoded instruction containing the address from which the next-stage payload — a lightweight shell dubbed StarFish — is retrieved.
Acting as a bridge between the infected host and Strela Stealer operators, StarFish provides persistent remote access to the attackers.
Detour Dog’s infrastructure hosts the initial stages of the campaign and interfaces with several botnets, including REM Proxy and Tofsee. REM Proxy has ties to the SystemBC malware and was previously spread via compromised MikroTik routers; Tofsee was historically delivered through the PrivateLoader downloader. These networks are responsible for mass-mailing malicious emails with attachments that initiate infection.
Researchers emphasize that a defining feature of the campaign is the use of DNS TXT records to transmit control commands — a technique that obfuscates traffic and complicates detection. Malicious DNS servers under Detour Dog’s control parse specially crafted requests and return instructions capable of executing arbitrary code.
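The DNS TXT control channel described above (an infected host issues a TXT query, and the attacker-controlled resolver answers with an encoded instruction pointing at the next stage) leaves a recognisable footprint in resolver logs. The following detection sketch is an added example and is not code from Infoblox or from the report; it parses a few constructed resolver log lines in a simplified `timestamp client qtype qname rdata` format and flags TXT lookups whose leftmost label is long and high-entropy (encoded request data) or whose answer is a base64-like blob rather than a normal SPF/DMARC/verification record, then groups hits per client so that repeat offenders surface. The domains, client addresses and encoded URL in the sample are placeholders, not indicators from the campaign.

```python
import base64
import binascii
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the Infoblox report) in a simplified
# resolver-log format: "<timestamp> <client-ip> <qtype> <qname> <rdata>".
# The suspicious domain and payload URL are placeholders, not real indicators.
_ENCODED_URL = base64.b64encode(b"http://payload-placeholder.test/next").decode()
SAMPLE_LOG = f"""\
2025-08-01T10:00:01 10.0.0.5 A www.example.org 93.184.216.34
2025-08-01T10:00:02 10.0.0.5 TXT _dmarc.example.org "v=DMARC1; p=none"
2025-08-01T10:00:03 10.0.0.7 TXT 3f9a1c7e5b2d8e4a6c0f.c2-placeholder.test "{_ENCODED_URL}"
2025-08-01T10:00:04 10.0.0.7 TXT 9b2e7d1f4a8c3e6d0b5a.c2-placeholder.test "{_ENCODED_URL}"
2025-08-01T10:00:05 10.0.0.9 TXT example.org "v=spf1 include:_spf.example.org -all"
"""

# TXT answer prefixes that legitimately dominate enterprise DNS logs.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=", "MS=")

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "?(.*?)"?$')


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; hex- or base32-style labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_base64(text: str) -> bool:
    """True if text is a well-formed base64 string of meaningful length."""
    if len(text) < 16 or len(text) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qtype, qname, rdata = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip("."), "rdata": rdata}


def score_txt_record(rec: dict, entropy_threshold: float = 3.5) -> list:
    """Reasons why a single TXT query/answer pair resembles a control channel."""
    reasons = []
    if rec["qtype"] != "TXT":
        return reasons
    label = rec["qname"].split(".")[0]
    if len(label) >= 16 and shannon_entropy(label) > entropy_threshold:
        reasons.append(f"high-entropy leftmost label ({shannon_entropy(label):.2f} bits)")
    if not rec["rdata"].startswith(BENIGN_TXT_PREFIXES) and looks_base64(rec["rdata"]):
        reasons.append("base64-like TXT answer")
    return reasons


def analyze(log_text: str, min_hits_per_client: int = 2) -> dict:
    """Group suspicious TXT lookups per client; repeat offenders are alert candidates."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_txt_record(rec)
        if reasons:
            hits[rec["client"]].append({"qname": rec["qname"], "reasons": reasons})
    return {client: h for client, h in hits.items() if len(h) >= min_hits_per_client}


if __name__ == "__main__":
    for client, events in analyze(SAMPLE_LOG).items():
        print(f"[alert] {client}: {len(events)} suspicious TXT lookups")
        for ev in events:
            print(f"    {ev['qname']}: {', '.join(ev['reasons'])}")
```

On the sample, only client 10.0.0.7 is reported, with both of its lookups matching on both criteria; the SPF and DMARC lookups from the other clients are ignored because their answers carry known benign prefixes and their labels are short and low-entropy. The entropy threshold and the per-client minimum are tunable: a threshold around 3.5 bits separates dictionary-word labels from hex or base32 encodings, and requiring more than one hit per client keeps a single odd verification record from paging anyone.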
Compromised websites generally behave normally, rarely redirecting users to fraudulent pages or executing malicious code overtly. This stealthy approach reduces the likelihood of discovery and enables the attackers to maintain long-term control over their infrastructure.
Originally, Detour Dog functioned as a traffic-redirect mechanism funneling victims to fake sites and scam pages linked to the Los Pollos brand within the VexTrio ecosystem. However, since 2025 the group has pivoted to active malware distribution — likely driven by diminishing returns from its previous scheme.
Between July and August, Infoblox and the Shadowserver Foundation succeeded in neutralizing two domains used by the attackers — webdmonitor[.]io and aeroarrows[.]io — yet activity persists. Evidence also indicates that the network distributed other malware families beyond Strela Stealer, suggesting Detour Dog may be offering malware delivery as a service to third-party clients.
The entire operation is engineered to obscure the original infection vector, disperse attack components across multiple servers, and mislead analysts examining email attachments. Infected sites function as intermediary relays, passing commands and files between operator and victim, which enhances the campaign’s resilience and makes full takedown considerably more difficult.