
Detour Dog Malware Evolves: Compromises Tens of Thousands of Websites for Sophisticated Attacks

Detour Dog's evolution turns compromised websites into malware proxies. With tens of thousands of sites affected, this threat highlights the need for enhanced security measures.



A sophisticated malware campaign, tracked as Detour Dog, has evolved from a simple redirect-to-scam operation. Since August 2023, the threat actor has been actively participating in multi-stage malware delivery chains, affecting tens of thousands of websites worldwide.

The campaign uses DNS TXT records to deliver complex multi-stage payloads, turning compromised websites into proxy servers for malware distribution. Infected sites conditionally redirect visitors to malicious content based on geographic location and device type, evading detection.

Analysts identified connections between Detour Dog infrastructure and Strela Stealer operations in summer 2025, with 69% of confirmed StarFish staging hosts under Detour Dog control. Approximately 30,000 unique domains spanning 584 distinct top-level domains were found generating properly formatted DNS TXT queries to actor-controlled infrastructure. The distributed nature of the infected website network and the legitimate appearance of DNS traffic create challenges for traditional security monitoring systems.
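As an added illustration (not code from the original article or from the analysts it summarises), one way a defender could hunt in resolver logs for the behaviour described above: web servers issuing DNS TXT queries for domains they have no business looking up, and several servers converging on the same unexpected apex. The log lines, addresses and domain names are constructed placeholders, and the web-server inventory and allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver-log sample (timestamp client qtype qname); no real indicators.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.1.5 TXT _dmarc.example-shop.test
2025-06-01T10:00:02Z 10.0.1.5 A cdn.example-shop.test
2025-06-01T10:00:03Z 10.0.1.5 TXT a1b2c3.staging-placeholder.test
2025-06-01T10:00:04Z 10.0.1.5 TXT d4e5f6.staging-placeholder.test
2025-06-01T10:00:05Z 10.0.1.7 TXT staging-placeholder.test
2025-06-01T10:00:06Z 10.0.1.9 TXT selector1._domainkey.example-shop.test
"""

# Assumed asset inventory: hosts that serve websites, and apex domains they may query.
WEB_SERVERS = {"10.0.1.5", "10.0.1.7"}
ALLOWED_APEXES = {"example-shop.test"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def apex(qname):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def suspicious_txt_queries(log_text, web_servers=WEB_SERVERS, allowed=ALLOWED_APEXES):
    """Map each web server to the TXT names it looked up outside the allowed apexes."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = m.groups()
        if client not in web_servers or qtype.upper() != "TXT":
            continue  # only TXT lookups from web-serving hosts are of interest here
        if apex(qname) in allowed:
            continue  # own SPF/DKIM/DMARC lookups are expected
        hits[client].add(qname.lower())
    return {c: sorted(names) for c, names in hits.items()}

def shared_apexes(hits):
    """Count how many web servers query TXT under each unexpected apex;
    several hosts converging on one apex is the stronger signal."""
    by_apex = defaultdict(set)
    for client, names in hits.items():
        for name in names:
            by_apex[apex(name)].add(client)
    return {a: len(clients) for a, clients in by_apex.items()}
```

Real deployments should replace the two-label apex heuristic with a public-suffix list and feed the resolver's actual query logs; the allowlist needs to cover every domain the servers legitimately verify by TXT.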

The operation behind Detour Dog has been linked to the Hive0145 threat group, which has exploited DNS to infect over 30,000 websites globally since at least 2020. A significant evolution in capabilities was observed in spring 2025, shifting from scam redirects to distributing malware. The threat actor demonstrated resilience by quickly replacing a sinkholed domain with a new one, maintaining control of their infected website network.

The Detour Dog campaign marks a significant evolution in malware distribution methods, leveraging the Domain Name System for both command-and-control and delivery. With tens of thousands of websites affected and sophisticated evasion techniques employed, this threat highlights the need for enhanced security measures to protect against DNS-based attacks.
