Security researchers have uncovered a sophisticated new attack vector in which malicious actors hide malware inside DNS records, exploiting a critical blind spot in most organizations’ security infrastructure. The technique turns the Internet’s Domain Name System into an unconventional file storage system, allowing attackers to distribute malware while evading traditional detection methods. It represents a significant evolution in malware delivery, because security solutions often overlook DNS traffic compared with the extensive monitoring applied to web and email communications.

Recent investigations using DNSDB Scout, a passive DNS intelligence platform, revealed that cybercriminals are partitioning malware files and storing the pieces in DNS TXT records. DomainTools researchers found evidence of the technique by searching for magic file bytes in hexadecimal format, using regex patterns that identify various executable and common file types. During analysis of DNS records from 2021-2022, they identified TXT records containing executable file headers across three different domains sharing identical subdomain patterns.

The most significant discovery involved the domain “*.felix.stf.whitetreecollective[.]com,” which contained hundreds of iterated subdomain integer values, each storing a different fragment of an executable file. Both files were identified as Joke Screenmate malware, a form of prank software that exhibits several disruptive behaviors, including simulating destructive actions, interfering with user control, displaying unsolicited content, and degrading system performance.

The discovery underscores the critical need for DNS security solutions that can distinguish legitimate queries from those used for malicious purposes, transforming DNS from a security blind spot into a proactive defense mechanism.
Researchers also found encoded stager scripts in DNS records associated with drsmitty[.]com. These scripts connect to cspg[.]pw, using the default endpoint of a Covenant C2 server (/api/v1/nps/payload/stage1) to retrieve next-stage payloads. The same C2 domain appears in DNS records dating back to July 2017, suggesting this attack vector has been operational for years.

DNS tunneling and malware storage exploit a fundamental weakness in enterprise security strategies. Security experts emphasize that organizations must implement comprehensive DNS monitoring and filtering solutions to detect these attacks. As cybercriminals continue to exploit trusted protocols like DNS, enterprises can no longer afford to treat DNS as a simple utility service requiring minimal security oversight.
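The two indicators the article describes, hex-encoded file headers in TXT payloads and integer-numbered subdomains carrying consecutive fragments, can be checked in a resolver log or passive DNS export. The following detection routine is an added example, not DomainTools' tooling; the magic-byte table, the `example.test` hostnames and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Hex-encoded magic bytes of common file formats. Assumption: the article says
# researchers searched for "magic file bytes in hexadecimal format"; this
# particular signature set is ours, not the one the researchers used.
MAGIC_HEX = {
    "PE/EXE (MZ)": "4d5a",
    "ELF": "7f454c46",
    "ZIP": "504b0304",
    "PDF": "25504446",
}
HEX_ONLY = re.compile(r"[0-9a-f]+")
# Leftmost label is an integer, e.g. "17.felix.stf.example.test"
NUMBERED_SUBDOMAIN = re.compile(r"^(\d+)\.(.+)$")

def classify_txt(value):
    """Return the format name when a TXT payload is pure hex and begins with a
    known magic header, otherwise None (SPF/DKIM text etc. fall through)."""
    v = value.strip().lower()
    if not HEX_ONLY.fullmatch(v):
        return None
    for name, magic in MAGIC_HEX.items():
        if v.startswith(magic):
            return name
    return None

def find_chunked_files(records, min_chunks=3):
    """records: iterable of (fqdn, txt_value). Groups hex-only TXT payloads by
    parent domain whenever the leftmost label is an integer, then reports each
    parent whose chunk 0 carries a file header as {parent: (format, chunks)}."""
    chunks = defaultdict(dict)
    for fqdn, txt in records:
        m = NUMBERED_SUBDOMAIN.match(fqdn.lower().rstrip("."))
        if m and HEX_ONLY.fullmatch(txt.strip().lower()):
            chunks[m.group(2)][int(m.group(1))] = txt.strip().lower()
    findings = {}
    for parent, parts in chunks.items():
        if len(parts) >= min_chunks and 0 in parts:
            kind = classify_txt(parts[0])
            if kind:
                findings[parent] = (kind, len(parts))
    return findings

SAMPLE_RECORDS = [  # constructed sample, not data from the article
    ("0.felix.stf.example.test", "4d5a90000300000004000000ffff0000"),
    ("1.felix.stf.example.test", "b8000000000000004000000000000000"),
    ("2.felix.stf.example.test", "0e1fba0e00b409cd21b8014ccd215468"),
    ("example.test", "v=spf1 include:_spf.example.test -all"),
    ("7.cdn.example.test", "deadbeef"),  # lone hex record, below threshold
]
```

Running `find_chunked_files(SAMPLE_RECORDS)` flags `felix.stf.example.test` as a three-chunk PE image while ignoring the SPF record and the single orphan hex record; on real data, the parent domains it returns are the ones worth pivoting on in passive DNS.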
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Jul 2025 17:30:12 +0000