Technology

Hackers Unleash Sneaky Malware by Concealing It in DNS Records!

2025-07-16

Author: Ken Lee

In a bold new tactic, hackers are hiding malware within domain name system (DNS) records, a method that slips past many security systems. The technique lets malicious code on a compromised host fetch binary files without raising alarms, because DNS lookups are rarely inspected by antivirus software.

A Dangerous Game of Hide and Seek

Recently, researchers from DomainTools uncovered this devious method, where malware was found stashed away in the DNS records of the domain whitetreecollective.com. They noted that the initial file was converted into a compact hexadecimal format, encoding it using a mix of numbers and letters to obscure its presence further.

The malware chunks were then meticulously divided into hundreds of tiny pieces and tucked away in the TXT records of various subdomains. This not only camouflaged the malicious content but also took advantage of the fact that TXT records often go unchecked, as they are typically used for innocuous purposes like proving domain ownership.

The Perfect Crime?

Once a hacker gains entry into a network, they can issue seemingly benign DNS requests to retrieve these pieces, reassemble them, and unleash the malicious payload. The retrieval is even harder to spot as encrypted lookup forms, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), grow more prevalent, further blurring the lines between normal and suspicious traffic.

Ian Campbell, a senior security operations engineer at DomainTools, emphasizes how even the most sophisticated organizations struggle to differentiate between regular and irregular DNS traffic. This growing trend not only complicates tracking efforts but also amplifies the risk of exploitation.
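The staging pattern described above (a hex-encoded file split into hundreds of TXT records under numbered subdomains, then pulled back one lookup at a time) leaves a recognisable footprint in DNS logs. The following detector, an added example that is not part of the original article or DomainTools' tooling, flags a client that receives several hex-only TXT answers under the same parent domain; the log format, the subdomain labels and the hex payloads are constructed for illustration, only the domain name comes from the article.

```python
import re
from collections import defaultdict

# Constructed sample of a passive-DNS / resolver log (not real traffic):
# client IP, query name, query type, and the TXT answer. Legitimate SPF and
# DMARC records are included so the detector has benign TXT data to ignore.
SAMPLE_LOG = """\
10.0.0.5 0.s.whitetreecollective.com TXT "7f454c4602010100000000000000000003003e00"
10.0.0.5 1.s.whitetreecollective.com TXT "0100000040100000000000004000000000000000"
10.0.0.5 2.s.whitetreecollective.com TXT "c8000000000000000000000040003800"
10.0.0.5 _dmarc.example.org TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
10.0.0.7 example.org TXT "v=spf1 include:_spf.example.org -all"
10.0.0.5 3.s.whitetreecollective.com TXT "09004000160015000600000004000000"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"(.*)"$')
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def parse_line(line):
    """Split one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    client, qname, qtype, answer = m.groups()
    return {"client": client, "qname": qname, "qtype": qtype, "answer": answer}

def is_hex_blob(answer, min_len=16):
    """True when the TXT content is nothing but an even-length hex string."""
    return len(answer) >= min_len and len(answer) % 2 == 0 and HEX_RE.match(answer) is not None

def parent_domain(qname, labels=2):
    """Reduce a query name to its last `labels` labels (registrable domain, roughly)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])

def find_hex_chunk_series(log_text, min_chunks=3):
    """Group hex-only TXT answers by (client, parent domain) and return the groups
    that reach min_chunks; each hit is a candidate chunked-payload download."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT" or not is_hex_blob(rec["answer"]):
            continue
        groups[(rec["client"], parent_domain(rec["qname"]))].append(rec["qname"])
    return {key: names for key, names in groups.items() if len(names) >= min_chunks}

if __name__ == "__main__":
    for (client, domain), names in find_hex_chunk_series(SAMPLE_LOG).items():
        print(f"{client} pulled {len(names)} hex TXT chunks under {domain}: {names}")
```

In production the same grouping would run over a time window on resolver or Zeek dns.log output; with DoH/DoT in use the records must come from the internal resolver or endpoint telemetry, since the wire is encrypted.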

A Legacy of Deception

This isn’t the first time that DNS has been exploited—cybercriminals have been using it to host malicious PowerShell scripts for years, and DomainTools has detected similar tactics on other domains. However, the recent hexadecimal encoding method is gaining notoriety as a noteworthy evolution in the hackers' playbook.

Moreover, Campbell highlighted alarming discoveries of DNS records potentially feeding harmful instructions to AI chatbots via prompt injections. By embedding toxic commands within the datasets these models analyze, hackers are finding new ways to manipulate advanced technology.

What’s Next?

As these techniques evolve, cybersecurity measures will need to adapt swiftly to counteract increasingly covert threats. Campbell poignantly concludes, "Like the rest of the Internet, DNS can be a strange and enchanting place," emphasizing the urgent need for vigilance in this digital landscape.