
Strela Stealer distributed through Detour Dog DNS-based delivery chain

Malware Activity · Happening score 21 · 1 unique source, 1 article

Summary


Strela Stealer is being delivered through a Detour Dog-controlled DNS TXT record chain that uses compromised websites and staged hosts, extending the malware's reach while concealing the true delivery source. Payload staging is routed through StarFish, a reverse-shell conduit on the staging hosts, and the chain relies on compromised WordPress sites and relay behavior to push the stealer to victims.
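Two things a defender can act on from this summary and the timeline below: the chain carries its instructions in DNS TXT answers, and two of its C2 domains (webdmonitor[.]io and aeroarrows[.]io) have been sinkholed and can be treated as indicators. The script below is an added example, not Infoblox or Shadowserver tooling, that triages resolver logs on both signals. The log format is a constructed, simplified one (timestamp, client, qname, qtype, rcode, answer), and the "looks like an encoded payload" heuristic (long, valid base64, high entropy) is a generic detection idea, not Detour Dog's actual TXT encoding, which the page does not describe.

```python
"""Triage DNS resolver logs for TXT-based C2 of the kind attributed to Detour Dog.

Added example, not the researchers' own tooling.  Assumptions (not from the page):
the log line format used below, and the base64/entropy heuristic for payload-like
TXT answers.  The two C2 domains come from the page's timeline (sinkholed 2025).
"""
import base64
import binascii
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Domains the page reports as sinkholed by Infoblox and Shadowserver.
SINKHOLED_C2 = {"webdmonitor.io", "aeroarrows.io"}

# Heuristic thresholds (assumed, tune to your environment).
MIN_PAYLOAD_LEN = 40
MIN_ENTROPY_BITS = 4.5
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

@dataclass
class Finding:
    qname: str
    reason: str
    answer: str

def normalize(qname: str) -> str:
    # Strip the trailing dot and any defanging brackets so "webdmonitor[.]io." matches.
    return qname.rstrip(".").replace("[.]", ".").lower()

def matches_sinkholed(qname: str) -> bool:
    # Exact match or any subdomain of a known C2 domain; avoids "notwebdmonitor.io".
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in SINKHOLED_C2)

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_encoded_payload(txt: str) -> bool:
    # A TXT answer that is one long, validly decodable, high-entropy base64 blob.
    body = txt.strip().strip('"')
    if len(body) < MIN_PAYLOAD_LEN or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(body) >= MIN_ENTROPY_BITS

def parse_line(line: str) -> Optional[dict]:
    # Constructed format: <ts> <client> <qname> <qtype> <rcode> [<answer ...>]
    parts = line.strip().split(None, 5)
    if len(parts) < 5:
        return None
    ts, client, qname, qtype, rcode = parts[:5]
    answer = parts[5] if len(parts) == 6 else ""
    return {"ts": ts, "client": client, "qname": qname,
            "qtype": qtype, "rcode": rcode, "answer": answer}

def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if matches_sinkholed(rec["qname"]):
            findings.append(Finding(rec["qname"], "query to sinkholed Detour Dog C2 domain", rec["answer"]))
        elif rec["qtype"] == "TXT" and looks_like_encoded_payload(rec["answer"]):
            findings.append(Finding(rec["qname"], "TXT answer resembles encoded payload", rec["answer"]))
    return findings

# Constructed TXT answer: all 64 base64 symbols once, so its entropy is exactly 6 bits/char.
HIGH_ENTROPY_TXT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample log: one benign A lookup, one benign SPF TXT, one hit per signal.
SAMPLE_LOG = [
    "2025-10-03T21:11:00Z 10.0.0.5 www.example.invalid A NOERROR 203.0.113.10",
    '2025-10-03T21:11:01Z 10.0.0.5 example.invalid TXT NOERROR "v=spf1 include:_spf.example.invalid -all"',
    "2025-10-03T21:11:02Z 10.0.0.7 cdn.webdmonitor.io A NOERROR 198.51.100.20",
    f'2025-10-03T21:11:03Z 10.0.0.7 t1.staging.invalid TXT NOERROR "{HIGH_ENTROPY_TXT}"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.qname}: {f.reason}")
```

The IOC match is the reliable part; the TXT heuristic is a lead, not a verdict. Legitimate records such as DKIM public keys are also long base64 blobs and will need allow-listing, and an actor can split or obfuscate the answer to stay under the thresholds, so treat a flagged TXT answer as a pivot into who queried it and what the client did next.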

Related Happenings

Detour Dog alliance reshapes ransomware ecosystem operations

Threat Actor Meta
First: 03.10.2025 21:11 Last: 03.10.2025 21:11 Sources 1

How related: The development marks the first time Detour Dog has been observed distributing malware, a shift from its earlier role of exclusively forwarding traffic to Los Pollos, a malicious advertising-technology company operating under the VexTrio Viper umbrella.

About this happening: **Detour Dog** has shifted from **traffic forwarding** into **malware distribution**, expanding its role in the **Strela Stealer** delivery chain and increasing the reach of its i...

Vane Viper / Omnatuor malicious adtech ecosystem powering malvertising and ad fraud

Threat Actor Meta
First: 25.09.2025 20:22 Last: 25.09.2025 20:22 Sources 1

About this happening: Researchers **outed Vane Viper / Omnatuor** as a **malicious adtech** ecosystem that has powered **malvertising**, **ad fraud**, and **traffic brokering** for **at least a decade*...

Timeline

  1. 03.10.2025 21:11 1 article · 7mo ago

    Infoblox and Shadowserver sinkhole webdmonitor[.]io

    Mitigation Patch Update

    Infoblox and the Shadowserver Foundation sinkholed the Detour Dog C2 domain webdmonitor[.]io on July 30, 2025, disrupting one of the DNS infrastructure nodes used in the Strela Stealer delivery chain.

  2. 03.10.2025 21:11 1 article · 7mo ago

    Infoblox and Shadowserver sinkhole aeroarrows[.]io

    Mitigation Patch Update

    Infoblox and the Shadowserver Foundation sinkholed the Detour Dog C2 domain aeroarrows[.]io on August 6, 2025, removing another infrastructure node used to support the DNS-powered Strela Stealer campaign.

  3. 03.10.2025 21:11 2 articles · 7mo ago

    Infoblox links Detour Dog to Strela Stealer delivery through StarFish and DNS TXT records

    Initial Disclosure

    Infoblox links Detour Dog to a DNS-based Strela Stealer delivery chain that uses compromised WordPress sites, StarFish staging hosts, DNS TXT records, REM Proxy, and Tofsee to relay payloads while hiding the real malware source. The analysis says the actor has been tracked since August 2023, with traces dating back to February 2020 and a June 2025 shift toward retrieving PHP script output from verified Strela Stealer C2 servers.
