Cybercriminals Abuse GitHub for Amadey Malware Delivery and Data Theft – Active IOCs
July 18, 2025
Severity
High
Analysis Summary
Threat actors have been observed embedding malware inside DNS TXT records, turning the DNS itself into a covert file store and delivery channel. The technique exploits a blind spot in many organizations' security architectures: DNS traffic is rarely inspected with the same rigor as web or email traffic. Investigation with DNSDB Scout showed that the attackers hex-encode a malware executable, split the hex string into fragments, and publish each fragment as the TXT record of a separate, sequentially named subdomain. TXT records were designed to hold short descriptive text, so few controls question their contents, and the stashed payload stays available on the attacker's zone, and in passive DNS history, until the records are deleted or overwritten.
Researchers at DomainTools identified the tactic by searching DNS records for hexadecimal-encoded executable file signatures (magic bytes). A notable find was the domain *.felix.stf.whitetreecollective[.]com, which carried hundreds of subdomains, each holding one fragment of an executable. Reassembled in order, the fragments formed complete binaries later identified as Joke Screenmate malware. Although not destructive, this software simulates damaging actions, degrades system performance and interferes with user control, and its presence proves that the channel delivers working executables.
More concerning, the researchers also found obfuscated PowerShell stager scripts stored in DNS records of the domain drsmitty[.]com. The stagers contacted a known Covenant C2 endpoint at cspg[.]pw and retrieved next-stage payloads from the /api/v1/nps/payload/stage1 route. Records dating back to 2017 indicate that the technique has been in use for several years, which illustrates both the stealth and the longevity of DNS-based staging. It also underlines the need for historical DNS visibility in incident response and threat hunting: a record deleted today can still be recovered from passive DNS.
DNS remains a fundamental yet under-secured component of most enterprise networks. Studies cited in the research indicate that 90% of malware uses DNS somewhere in its kill chain and 95% relies on DNS for C2 communication. The spread of encrypted DNS (DNS over HTTPS and DNS over TLS) makes detection harder still, because an endpoint that resolves over DoH to an external provider bypasses the enterprise resolver where logging and filtering take place. Security professionals are therefore calling for DNS to be treated as a first-class citizen of the security strategy: resolver-level monitoring, behavior-based detection and threat intelligence integration to surface anomalies. Organizations should treat DNS not merely as a utility but as an attack vector that requires proactive defense.
Impact
- Security Bypass
- Gain Access
Indicators of Compromise
Domain Name
- felix.stf.whitetreecollective.com
- drsmitty.com
- cspg.pw
MD5
0e4baee67e1dce71c1a334e22e50380e
af0236d7f18f7dc4e8a5a2238a4f4dd7
SHA-256
7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1
SHA-1
6eb1cb1d94a00daf1fb91218b050fdcba8436c03
ba955730b00e8945d1d3cb2a025b2ba8b6692f84
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Log all DNS queries and responses at the enterprise resolver and alert on anomalies such as unusually large TXT answers, bursts of TXT lookups for numbered or sequential subdomains of a single zone, and TXT data that is pure hexadecimal or base64 rather than an SPF, DKIM, DMARC or domain-verification string.
- Deploy DNS filtering integrated with threat intelligence feeds to block known malicious domains and detect C2 communication attempts, and force clients through those resolvers by blocking direct outbound port 53 and known public DoH endpoints.
- Baseline which systems legitimately query TXT records (mail servers, verification tooling) and alert when other hosts issue TXT lookups, especially in volume or with responses of excessive size or unexpected format.
- Configure security tools to detect fragmented or encoded payloads carried in DNS responses and to reassemble and scan suspicious TXT data from sequential subdomains.
- Enable DNS Security Extensions (DNSSEC) validation to protect against spoofing and preserve response integrity, noting that DNSSEC does not stop this technique by itself: an attacker can sign their own zone, so the stashed fragments validate correctly.
- Regularly update endpoint protection, firewalls, and EDR solutions to detect DNS-based malware and exfiltration techniques.
- Conduct periodic threat hunting using historical passive DNS data to uncover past misuse of domains or hidden malware artifacts.
- Train IT and security staff on emerging DNS abuse techniques to strengthen organizational awareness and incident response capabilities.
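The following Python script is an added example for this advisory, not DomainTools' tooling and not code from the page. It does in miniature what the analysis above describes and what the monitoring recommendations ask for: it scans a set of (query name, TXT value) pairs, picks out numerically labelled subdomains whose TXT data is pure hex, reassembles the fragments in order, reports gaps, and checks the result for an executable signature. The domain names, TXT values and the fake "PE" payload are constructed for the demonstration; the numeric-leading-label naming pattern is an assumption about how fragments are ordered, not a fact from the advisory.

```python
import re
from collections import defaultdict

# Hex prefixes of common file magics, checked after reassembly.
MAGIC = {
    "4d5a": "PE executable (MZ)",
    "7f454c46": "ELF executable",
    "504b0304": "ZIP-based archive",
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumed naming pattern: numeric leading label, e.g. 17.felix.stf.example.test
SEQ_RE = re.compile(r"^(\d+)\.(.+)$")


def is_hex_fragment(txt: str, min_len: int = 8) -> bool:
    """True if a TXT value looks like a slice of a hex-encoded binary.
    Legitimate TXT data (SPF, DKIM, DMARC, site-verification tokens) contains
    '=', ';', spaces or non-hex letters, so pure hex of even length stands out.
    min_len is deliberately low: the last fragment of a file may be short."""
    return len(txt) >= min_len and len(txt) % 2 == 0 and bool(HEX_RE.match(txt))


def group_fragments(records):
    """records: iterable of (qname, txt).  Returns {parent: {index: hex}}
    for numerically labelled subdomains whose TXT value is a hex fragment."""
    groups = defaultdict(dict)
    for qname, txt in records:
        m = SEQ_RE.match(qname.lower().rstrip("."))
        if m and is_hex_fragment(txt):
            groups[m.group(2)][int(m.group(1))] = txt
    return groups


def reassemble(fragments):
    """Concatenate fragments in index order.  Gaps are reported rather than
    hidden, because a passive-DNS snapshot often misses some records."""
    order = sorted(fragments)
    missing = [i for i in range(order[0], order[-1] + 1) if i not in fragments]
    data = bytes.fromhex("".join(fragments[i] for i in order))
    return data, missing


def identify(data: bytes):
    """Return a file type if the reassembled bytes start with a known magic."""
    h = data.hex()
    for sig, name in MAGIC.items():
        if h.startswith(sig):
            return name
    return None


def hunt(records):
    """Run the whole pipeline; one finding per parent domain."""
    findings = []
    for parent, frags in sorted(group_fragments(records).items()):
        data, missing = reassemble(frags)
        findings.append({
            "parent": parent,
            "fragments": len(frags),
            "missing": missing,
            "size": len(data),
            "type": identify(data),
        })
    return findings


# --- constructed sample data (not real records or real malware) --------------
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed fake PE body " * 4  # 108 bytes
CHUNK = 40  # hex characters per TXT record, i.e. 20 bytes
HEX = FAKE_PE.hex()
STASHED = [(f"{i}.felix.stf.example.test", HEX[j:j + CHUNK])
           for i, j in enumerate(range(0, len(HEX), CHUNK))]
LEGIT = [
    ("example.test", "v=spf1 include:_spf.example.test -all"),
    ("_dmarc.example.test", "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
    ("s1._domainkey.example.test", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"),
    ("example.test", "google-site-verification=0123456789abcdef0123456789abcdef"),
]
RECORDS = LEGIT + STASHED

if __name__ == "__main__":
    for finding in hunt(RECORDS):
        print(finding)
```

Fed with resolver logs or a passive-DNS export instead of the constructed list, the same pipeline flags the parent zone, the fragment count and any gaps, and the reassembled bytes can be handed to a sandbox or hashed against the IOC list above. The legitimate SPF, DKIM, DMARC and verification records are ignored because they are neither pure hex nor published under numeric labels, which is why a baseline of expected TXT content is a useful first filter.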