Detour Dog Facilitates Strela Stealer Distribution via DNS-Powered Malware Factory
Summary
Detour Dog, a threat actor, has been identified as facilitating the distribution of Strela Stealer, an information stealer malware. The actor controls domains hosting the first stage of the stealer, a backdoor called StarFish, and uses DNS TXT records for command-and-control (C2) communications. Detour Dog has been active since at least February 2020, initially focusing on redirecting site visitors to malicious sites and scams. The actor has evolved to use DNS-based C2 systems to execute remote content and distribute malware. Detour Dog's infrastructure has been used to host StarFish, which serves as a conduit for Strela Stealer. The actor is believed to be financially motivated and operates as an initial access broker (IAB), acquiring and selling access to compromised systems. Detour Dog's operations involve exploiting vulnerable WordPress sites for malicious code injections and using botnets like REM Proxy and Tofsee to distribute spam emails containing Strela Stealer. The actor's methods have evolved to include the execution of remote code from compromised websites, making their operations more resilient and harder to detect.
Timeline
- 03.10.2025 21:11 · 1 article
Detour Dog Linked to Strela Stealer Distribution via DNS-Powered Malware Factory
Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
Information Snippets
- Detour Dog has been active since at least February 2020, initially focusing on redirecting site visitors to malicious sites and scams.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- Detour Dog controls domains hosting the first stage of Strela Stealer, a backdoor called StarFish.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- The actor uses DNS TXT records for command-and-control (C2) communications.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- Detour Dog's infrastructure has been used to host StarFish, which serves as a conduit for Strela Stealer.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- The actor is believed to be financially motivated and operates as an initial access broker (IAB).
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- Detour Dog's operations involve exploiting vulnerable WordPress sites for malicious code injections.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- The actor uses botnets like REM Proxy and Tofsee to distribute spam emails containing Strela Stealer.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11
- Detour Dog's methods have evolved to include the execution of remote code from compromised websites.
  First reported: 03.10.2025 21:11 (1 source, 1 article). Sources:
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer — thehackernews.com — 03.10.2025 21:11