Detour Dog Linked to DNS-Enabled Distribution of Strela Stealer via StarFish Backdoor
Summary of findings
Security researchers at DNS threat intelligence firm Infoblox have attributed a series of information-stealer campaigns to a threat actor tracked as “Detour Dog.” According to Infoblox, Detour Dog maintained operational control over domains that hosted the first-stage component of the malware chain — a backdoor the report identifies as StarFish — which was used to deliver Strela Stealer.
Infoblox reports it has been tracking Detour Dog since August 2023, and its analysis highlights the actor’s use of DNS-hosted infrastructure to manage early-stage distribution and control for the stealer campaign.
Background and why this matters
Information stealers like Strela Stealer are designed to exfiltrate credentials, cookies, browser data, cryptocurrency wallets, and other sensitive information from infected hosts. The theft of credentials and tokens enables downstream fraud, account takeover, and lateral movement inside victim environments.
DNS is a fundamental network service and is commonly abused for command-and-control (C2), payload distribution, and resilient infrastructure because it is ubiquitous, often under-monitored, and can be used to obscure the true location of malicious servers. When actors combine information-stealing malware with DNS-based controls, it raises detection and remediation complexity for defenders: malicious activity can blend with legitimate DNS traffic and persist as domains are rotated or re-registered.
Technical context and Infoblox’s contribution
Infoblox’s disclosure centers on three verifiable elements reported in the original analysis:
- Attribution label: The cluster of activity is attributed to an actor Infoblox calls “Detour Dog.”
- First-stage backdoor: The initial payload observed in the campaign is identified as StarFish, which serves as the entry point to deploy Strela Stealer.
- DNS infrastructure: Detour Dog retained control of domains that hosted that first-stage backdoor, indicating use of DNS-hosted or DNS-resolved resources as part of the distribution and control mechanism.
Infoblox’s role as a DNS-focused intelligence vendor provides visibility into domain registration patterns, DNS record histories, and abnormal DNS traffic — data that often reveals infrastructure reuse, domain lifecycles, and fast-flux techniques that are difficult to spot using host-only telemetry.
Expert analysis and practitioner guidance
For security teams, three practical observations follow from the Infoblox findings:
- Monitor DNS as a primary telemetry source. DNS logs and DNS query telemetry frequently reveal early indicators of compromise (e.g., unusual TXT record queries, atypical subdomain patterns, or spikes in NXDOMAIN responses). Organizations should collect DNS query logs from resolvers and forwarders and retain them for threat hunting.
- Treat first-stage loaders and dropper infrastructure as high priority. The StarFish backdoor described by Infoblox functions as the pivot point to a more capable information stealer. Detecting and disrupting first-stage delivery reduces the chance of a full data-exfiltration event.
- Combine network and endpoint defenses. Detecting DNS-based delivery and control requires correlated analysis: DNS telemetry to spot domain abuse, network egress controls to block malicious C2, and endpoint detection and response (EDR) to identify and contain StarFish-like behaviors and Strela Stealer artifacts if they execute.
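The three DNS indicators named above (unusual TXT queries, atypical subdomain patterns, NXDOMAIN spikes) as a small hunting script over resolver logs. This is an added example, not code from Infoblox or the original report; the log format, the thresholds, the zone name `cdn-updates.example` and every sample line are constructed assumptions.

```python
"""Added example (not from the Infoblox report): hunting the three DNS
indicators named above over resolver query logs. The log format, the
thresholds and every sample line are constructed assumptions."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<epoch> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR
1700000001 10.0.0.5 mail.example.com MX NOERROR
1700000002 10.0.0.7 k3j9x2q8v1.cdn-updates.example A NOERROR
1700000003 10.0.0.7 a7b2c9d4e1f6.cdn-updates.example TXT NOERROR
1700000004 10.0.0.7 zz91qp0m4lx2.cdn-updates.example TXT NOERROR
1700000005 10.0.0.7 p8r3t6y1u4i0.cdn-updates.example TXT NOERROR
1700000006 10.0.0.9 host1.internal.example A NXDOMAIN
1700000007 10.0.0.9 host2.internal.example A NXDOMAIN
1700000008 10.0.0.9 host3.internal.example A NXDOMAIN
1700000009 10.0.0.9 host4.internal.example A NXDOMAIN
"""

# Thresholds are illustrative; tune them against each resolver's baseline
# (mail servers legitimately issue many TXT queries for SPF/DKIM lookups).
TXT_THRESHOLD, NXDOMAIN_THRESHOLD = 3, 4
MIN_LABEL_LEN, ENTROPY_THRESHOLD = 10, 3.0   # leftmost-label heuristics

def shannon_entropy(s):
    """Bits per character; machine-generated labels score well above words."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def hunt(log_text):
    """Return the clients and zones that trip each indicator."""
    txt_per_client, nx_per_client = Counter(), Counter()
    odd_labels = defaultdict(set)   # zone -> random-looking leftmost labels
    for line in log_text.splitlines():
        _ts, client, qname, qtype, rcode = line.split()
        if qtype == "TXT":          # TXT is a common covert-channel carrier
            txt_per_client[client] += 1
        if rcode == "NXDOMAIN":     # bursts are a classic early indicator
            nx_per_client[client] += 1
        label, _, zone = qname.lower().partition(".")
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            odd_labels[zone].add(label)     # many such labels under one zone
    return {
        "txt_spike": {c for c, n in txt_per_client.items() if n >= TXT_THRESHOLD},
        "nxdomain_spike": {c for c, n in nx_per_client.items() if n >= NXDOMAIN_THRESHOLD},
        "high_entropy_zones": {z for z, ls in odd_labels.items() if len(ls) >= 2},
    }
```

Run `hunt(SAMPLE_LOG)` to see one client flagged per indicator; in production, feed it resolver logs in the same five-field shape and correlate the flagged clients with EDR telemetry before acting.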
Operational recommendations:
- Enforce egress filtering and DNS filtering at the network boundary to block known malicious domains and suspicious DNS record types used for covert channels.
- Integrate threat intelligence feeds that include DNS indicators (domains, name servers, registration patterns) and apply them to resolvers, firewalls, and proxy lists.
- Harden credentials and enable multifactor authentication (MFA) wherever possible. Since information stealers aim to harvest credentials, reducing the value of harvested credentials is a direct mitigation.
- Instrument logging and retention for DNS, proxy, and authentication systems to support retrospective investigations when malicious activity is suspected.
- Prioritize detection rules for initial access/loaders in EDR platforms, and tune anomaly detection to flag newly executed binaries that perform network reconnaissance, credential access, or browser data extraction.
Comparable cases and broader trends
Information-stealer families have been a persistent problem for years, with several high-profile families (for example, RedLine and others widely reported in security literature) operating as commodity malware sold in criminal marketplaces. Similarly, DNS abuse as a conduit for C2 and covert data transfer has been documented repeatedly: actors use DNS because it can be difficult to block without impacting legitimate services.
Two general, widely observed trends align with the Detour Dog activity:
- Operationalization of small, modular toolchains. Threat actors increasingly assemble toolchains where lightweight backdoors or loaders (first-stage components) fetch or drop more capable stealers and exfiltration modules.
- Infrastructure agility. Use of domain registrations, dynamic DNS, and DNS record manipulation allows actors to rapidly change hosts and obfuscate the relationship between campaign elements, complicating takedowns and blacklisting efforts.
Potential risks and organizational implications
The coupling of DNS-based infrastructure with information stealers creates several risk vectors for organizations:
- Credential compromise and lateral movement: Stolen credentials enable attackers to escalate privileges and move sideways in enterprise networks, potentially reaching sensitive data or administrative systems.
- Data exposure and fraud: Personal and payment data exfiltrated by stealers can lead directly to financial fraud, identity theft, and reputational damage.
- Detection gaps: If DNS is not adequately monitored or if defenders rely solely on IP- or file-based signatures, the initial stages of compromise can go unnoticed until theft is well underway.
- Supply chain and third-party risk: Malicious domains can be used to target service providers or software update mechanisms, widening exposure beyond an initially compromised workstation.
For incident responders, the presence of a first-stage backdoor such as StarFish means containment should focus on both endpoint eradication and DNS infrastructure remediation: identifying and remediating domain ownership or hijacked DNS records, blocking resolution of malicious domains at resolvers, and revoking or rotating any credentials that could have been captured.
Conclusion
Infoblox’s reporting linking Detour Dog to DNS-hosted distribution of StarFish and the Strela Stealer highlights the intersection of DNS abuse and information-stealer operations. Defenders should prioritize DNS telemetry, integrate domain-focused threat intelligence, and harden credential and endpoint controls to reduce the effectiveness of such campaigns. Early detection of first-stage loaders and aggressive containment of malicious DNS infrastructure are key to preventing the downstream data-exfiltration that makes information-stealer campaigns lucrative for adversaries.
Source: thehackernews.com