New DNS Malware 'Detour Dog' Uses TXT Records to Deliver Strela Stealer
Detour Dog, a stealthy website malware campaign tracked since August 2023, has evolved from redirecting victims to tech-support scams into a sophisticated DNS-based command-and-control (C2) distribution system that delivers the Strela Stealer information stealer via DNS TXT records.
Tens of thousands of compromised websites worldwide make server-side DNS requests that are invisible to visitors, enabling conditional redirections and remote code execution.
Originally, Detour Dog-controlled name servers directed infected sites to scam landing pages like Los Pollos and Help TDS.
In late November 2024, redirects shifted from Los Pollos to Help TDS and Monetizer TDS affiliate networks, but the outcome—fraudulent traffic monetization—remained the same.
Starting spring 2025, a new capability appeared: name servers began responding to specially formatted DNS TXT queries with Base64-encoded “down” commands, instructing the compromised sites to fetch and execute PHP scripts from remote C2 servers. This marks the first time Detour Dog ...
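Because the TXT lookups happen server-side, a defender's best vantage point is the resolver or DNS log of the web hosts themselves. The detector below is an added example, not code from the article or from any vendor analysis: it scans a constructed resolver log for TXT answers that base64-decode to a "down <url>" style command. The log format, the `.invalid` hostnames and the sample answers are all assumptions built for illustration, not real indicators.

```python
import base64
import binascii
import re
from typing import List, Optional

# Assumed log format (constructed): "<ts> <client> <qtype> <qname> <answer>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "?(.*?)"?$')
# Command shape the article describes: a verb such as "down" followed by a URL
COMMAND_RE = re.compile(r'^(?P<verb>[a-z]+)\s+(?P<url>https?://\S+)$')


def decode_txt_command(txt: str) -> Optional[dict]:
    """Return {verb, url} if the TXT payload is strict base64 wrapping a command, else None."""
    try:
        raw = base64.b64decode(txt, validate=True)   # DMARC/SPF/DKIM text fails here
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:                        # verification tokens that happen to decode
        return None
    if not text.isprintable():
        return None
    m = COMMAND_RE.match(text.strip())
    return m.groupdict() if m else None


def scan_log(log: str) -> List[dict]:
    """Flag TXT answers that decode to a fetch-and-execute style command."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qtype, qname, answer = m.groups()
        if qtype == "TXT":
            cmd = decode_txt_command(answer)
            if cmd:
                hits.append({"ts": ts, "client": client, "qname": qname, **cmd})
    return hits


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample log: one benign DMARC record, one encoded "down" command,
# one A record, and one TXT answer that is base64 but not a command.
SAMPLE_LOG = "\n".join([
    '2025-04-02T10:00:01Z 10.0.5.12 TXT _dmarc.example.org "v=DMARC1; p=reject"',
    '2025-04-02T10:00:03Z 10.0.5.12 TXT cmd.ns-placeholder.invalid "'
    + _b64("down http://c2.placeholder.invalid/loader.php") + '"',
    "2025-04-02T10:00:04Z 10.0.5.12 A www.example.org 93.184.216.34",
    '2025-04-02T10:00:09Z 10.0.5.40 TXT chk.ns-placeholder.invalid "' + _b64("noop") + '"',
])
```

Running `scan_log(SAMPLE_LOG)` flags only the second line; on a real host, pair the hit with the web server's outbound HTTP log to confirm whether the URL was actually fetched.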
Copyright of this story belongs to gbhackers.