
Detour Dog Facilitates Strela Stealer Distribution via DNS-Powered Malware Factory

1 unique source, 1 article

Summary


Detour Dog, a threat actor, has been identified as facilitating the distribution of Strela Stealer, an information stealer malware. The actor controls domains hosting the first stage of the stealer, a backdoor called StarFish, and uses DNS TXT records for command-and-control (C2) communications. Detour Dog has been active since at least February 2020, initially focusing on redirecting site visitors to malicious sites and scams. The actor has evolved to use DNS-based C2 systems to execute remote content and distribute malware. Detour Dog's infrastructure has been used to host StarFish, which serves as a conduit for Strela Stealer. The actor is believed to be financially motivated and operates as an initial access broker (IAB), acquiring and selling access to compromised systems. Detour Dog's operations involve exploiting vulnerable WordPress sites for malicious code injections and using botnets like REM Proxy and Tofsee to distribute spam emails containing Strela Stealer. The actor's methods have evolved to include the execution of remote code from compromised websites, making their operations more resilient and harder to detect.
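The DNS TXT-record command-and-control channel described above leaves a footprint in resolver logs that defenders can hunt for: a single host pulling long, base64-looking TXT answers from many distinct subdomains of one domain, unlike the short SPF/DMARC/verification records normal clients request. The Python below is an added example written for this page, not code from the underlying report or from the CyberHappenings site; the log line format, client addresses, domains (c2-example.test) and the encoded payloads are all constructed for illustration and are not indicators from the report.

```python
"""Flag DNS TXT-record command-and-control patterns in resolver logs.

Added illustration for defenders. The log format, hosts, domains and
payloads below are constructed; none of them come from the Detour Dog /
StarFish / Strela Stealer reporting.
"""
import base64
import math
import re
from collections import defaultdict

# Assumed (constructed) resolver log format:
#   <timestamp> <client_ip> <qname> <qtype> <rcode> "<txt data>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) '
    r'(?P<rcode>\S+) "(?P<data>.*)"$'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample: 10.0.0.12 does ordinary SPF/DMARC lookups, while
# 10.0.0.44 fetches base64 "tasking" from per-query subdomains of one domain.
SAMPLE_LOG = "\n".join([
    '2025-10-03T20:01:02Z 10.0.0.12 _dmarc.example.com TXT NOERROR "v=DMARC1; p=reject"',
    '2025-10-03T20:01:05Z 10.0.0.12 example.com TXT NOERROR "v=spf1 include:_spf.example.com -all"',
    f'2025-10-03T20:02:11Z 10.0.0.44 a1.cmd.c2-example.test TXT NOERROR "{_b64("task: report hostname")}"',
    f'2025-10-03T20:02:14Z 10.0.0.44 a2.cmd.c2-example.test TXT NOERROR "{_b64("task: sleep 300")}"',
    f'2025-10-03T20:02:19Z 10.0.0.44 a3.cmd.c2-example.test TXT NOERROR "{_b64("task: beacon again")}"',
    f'2025-10-03T20:02:23Z 10.0.0.44 a4.cmd.c2-example.test TXT NOERROR "{_b64("task: update key=deadbeef")}"',
    '2025-10-03T20:03:00Z 10.0.0.12 www.example.com A NOERROR ""',
])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; base64 blobs score high, SPF text low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(data: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """True when a TXT payload is a plausible base64 blob: base64 alphabet
    only, length a multiple of 4, long enough, and high entropy. Legitimate
    SPF/DMARC/site-verification records contain '=' ';' ':' or spaces in the
    middle and therefore fail the alphabet check."""
    return (len(data) >= min_len and len(data) % 4 == 0
            and B64_RE.match(data) is not None
            and shannon_entropy(data) >= min_entropy)


def registered_domain(qname: str) -> str:
    """Naive last-two-labels grouping (no public-suffix handling); enough
    for the sample, a real deployment should use a public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log_text: str, txt_burst: int = 3) -> list:
    """Aggregate TXT activity per (client, registered domain) and return
    findings. Two signals: any base64-looking TXT answer, or at least
    `txt_burst` TXT queries to one domain spread over distinct names."""
    stats = defaultdict(lambda: {"txt_queries": 0, "encoded": 0, "names": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue
        entry = stats[(m["client"], registered_domain(m["qname"]))]
        entry["txt_queries"] += 1
        entry["names"].add(m["qname"])
        if looks_encoded(m["data"]):
            entry["encoded"] += 1

    findings = []
    for (client, domain), entry in stats.items():
        reasons = []
        if entry["encoded"]:
            reasons.append(f"{entry['encoded']} base64-like TXT answers")
        if entry["txt_queries"] >= txt_burst and len(entry["names"]) >= txt_burst:
            reasons.append(f"{entry['txt_queries']} TXT queries over "
                           f"{len(entry['names'])} distinct names")
        if reasons:
            findings.append({"client": client, "domain": domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Both signals are deliberately kept separate so an analyst can tune them independently: the entropy test alone will also catch legitimate opaque records (some DKIM or vendor verification strings), while the per-domain query burst across many unique subdomains is the pattern that distinguishes a polling C2 channel from one-off lookups.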

Timeline

  1. 03.10.2025 21:11 · 1 article

    Detour Dog Linked to Strela Stealer Distribution via DNS-Powered Malware Factory


