Attackers are abusing the Domain Name System (DNS), a core part of the internet, to carry out stealthy attacks. In these DNS-based malware attacks, the malicious payload is hidden inside DNS TXT records, so it passes through security controls that never inspect DNS content.
Recent findings from security researchers at DomainTools show attackers embedding encoded malware in the DNS infrastructure itself, a channel that most organizations rarely scrutinize.
How DNS-Based Malware Attacks Work
The malware binary is first hex-encoded and split into small segments. Each segment is then stored in a TXT record under its own unique subdomain, for example beneath a domain such as whitetreecollective[.]com. (A single string in a TXT record holds at most 255 bytes, which is why the payload has to be spread across many records.)
An attacker who already has a foothold on the target network, even a limited one, can send ordinary-looking DNS queries to fetch these segments one by one. Once collected, the segments are concatenated and decoded back into a working executable. No file is ever downloaded over HTTP or delivered by email, so firewalls, antivirus tools, and email filters have nothing to inspect.
What makes these DNS-based malware attacks especially dangerous is that DNS traffic is generally trusted and overlooked, which lets the malicious data slip through undetected.
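The staging and reassembly mechanism described above, as an added example that is not part of the DomainTools research or the original article. It runs entirely offline against a constructed in-memory "zone"; the payload is harmless sample bytes, and the s0, s1, ... subdomain naming scheme is an assumption for illustration only.

```python
import binascii
import hashlib

# Constructed stand-in for a payload: NOT malware, just bytes with an ELF-like header.
PAYLOAD = b"\x7fELF" + bytes(range(256)) * 3  # 772 bytes

# A single <character-string> inside a TXT RDATA is limited to 255 bytes.
TXT_STRING_MAX = 255


def stage_in_txt_records(payload: bytes, zone: str) -> dict:
    """Hex-encode the payload and spread it over TXT records, one chunk per unique
    subdomain, as the article describes. Returns an in-memory 'zone' mapping
    owner name -> TXT string. The s<N>.<zone> naming scheme is an assumption."""
    hexed = binascii.hexlify(payload).decode("ascii")  # 2 hex chars per byte
    records = {}
    for i in range(0, len(hexed), TXT_STRING_MAX):
        records[f"s{i // TXT_STRING_MAX}.{zone}"] = hexed[i:i + TXT_STRING_MAX]
    return records


def lookup_txt(zone_records: dict, name: str):
    """Stand-in for a DNS TXT lookup against the constructed zone (no network).
    Returns None where a real resolver would return NXDOMAIN."""
    return zone_records.get(name)


def retrieve_and_reassemble(zone_records: dict, zone: str) -> bytes:
    """Walk s0, s1, ... with one 'query' each until a name has no TXT record,
    then decode the joined hex back into the original bytes."""
    parts = []
    n = 0
    while (chunk := lookup_txt(zone_records, f"s{n}.{zone}")) is not None:
        parts.append(chunk)
        n += 1
    return binascii.unhexlify("".join(parts))


def demo(zone: str = "example.test") -> dict:
    """Stage the sample payload, fetch it back, and report what a resolver would see."""
    zone_records = stage_in_txt_records(PAYLOAD, zone)
    rebuilt = retrieve_and_reassemble(zone_records, zone)
    return {
        "records": len(zone_records),
        "queries": len(zone_records) + 1,  # the final probe comes back empty
        "intact": hashlib.sha256(rebuilt).hexdigest()
                  == hashlib.sha256(PAYLOAD).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

Even this 772-byte sample needs seven TXT records and eight queries to distinct subdomains of one domain, because hex encoding doubles the size and each TXT string is capped at 255 bytes. That burst of unique-subdomain TXT lookups is exactly the signal the defensive measures below are meant to catch.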
Encryption Makes DNS-Based Malware Attacks Harder to Detect
Modern DNS encryption protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) were designed to improve privacy. They also make DNS-based malware attacks far harder to detect.
These protocols encrypt the query and the response between the client and the resolver, so network sensors see only a TLS session rather than the names being looked up or the TXT data coming back. The resolver operator still sees everything in plaintext, which is the key point for defenders: unless an organization forces its clients onto resolvers it controls and blocks other DoH and DoT endpoints, passive network monitoring cannot see what was requested or returned, and such threats pass through unnoticed.
Ian Campbell, senior security operations engineer at DomainTools, notes that even well-resourced security teams have a hard time identifying such DNS threats.
Alarmingly, the technique is not limited to malware. The researchers also found attackers placing prompt-injection text in DNS TXT records, aimed at AI systems that read DNS data, in an attempt to trick them into carrying out unintended commands.
Defending Against These Attacks
To protect systems against DNS-based malware attacks, security teams should adopt a proactive, layered strategy:
- Monitor DNS traffic continuously, watching in particular for bursts of TXT queries, especially ones that hit many never-before-seen subdomains of a single domain.
- Use internal DNS resolvers with detailed query and response logging, so that what clients ask for and what comes back is visible even when the client-to-resolver path is encrypted.
- Deploy a DNS firewall (for example, response policy zones on the resolver) that can alert on or block unusual patterns such as oversized TXT answers or newly registered domains.
- Restrict outbound DNS to the organization's own resolvers: block direct port 53 traffic from endpoints and block known public DoH and DoT endpoints so clients cannot bypass logging.
- Train IT and security teams on emerging DNS threats, including malware delivery over TXT records and DNS-borne AI prompt injection.
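The monitoring described in the list above, as an added example that is not part of the original article or of any DomainTools tooling. The log lines are constructed for this example in a hypothetical format (client, query name, query type, response code, answer bytes); the thresholds are assumptions to be tuned against a real baseline, and the registrable-domain logic is a deliberate simplification.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Hypothetical format:
# <client> <qname> <qtype> <rcode> <answer_bytes>
SAMPLE_LOG = """\
10.0.0.5 mail.corp.test TXT NOERROR 61
10.0.0.5 _dmarc.corp.test TXT NOERROR 48
10.0.0.7 s0.payload-host.test TXT NOERROR 255
10.0.0.7 s1.payload-host.test TXT NOERROR 255
10.0.0.7 s2.payload-host.test TXT NOERROR 255
10.0.0.7 s3.payload-host.test TXT NOERROR 255
10.0.0.7 s4.payload-host.test TXT NOERROR 255
10.0.0.7 s5.payload-host.test TXT NOERROR 255
10.0.0.7 s6.payload-host.test TXT NOERROR 14
10.0.0.7 s7.payload-host.test TXT NXDOMAIN 0
10.0.0.9 www.corp.test A NOERROR 4
10.0.0.9 corp.test TXT NOERROR 40
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+) (?P<rdlen>\d+)$"
)

# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_TXT_QUERIES = 5     # TXT lookups from one client to one parent domain
MIN_UNIQUE_RATIO = 0.8  # share of those lookups that each hit a distinct subdomain
LONG_TXT_BYTES = 200    # a TXT answer this large is unusual outside DKIM keys


def parent_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels. Assumption: a real
    deployment would use the Public Suffix List so that e.g. co.uk is handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rdlen"] = int(rec["rdlen"])
            yield rec


def find_txt_staging(text: str) -> list:
    """Group TXT queries by (client, parent domain) and flag groups that look like
    chunked retrieval: many queries, almost all to distinct subdomains, with at
    least one oversized answer."""
    stats = defaultdict(lambda: {"txt": 0, "names": set(), "bytes": 0, "long": 0})
    for rec in parse_log(text):
        if rec["qtype"] != "TXT":
            continue
        s = stats[(rec["client"], parent_domain(rec["qname"]))]
        s["txt"] += 1
        s["names"].add(rec["qname"].lower())
        s["bytes"] += rec["rdlen"]
        if rec["rdlen"] >= LONG_TXT_BYTES:
            s["long"] += 1

    alerts = []
    for (client, domain), s in stats.items():
        unique_ratio = len(s["names"]) / s["txt"]
        if (s["txt"] >= MIN_TXT_QUERIES
                and unique_ratio >= MIN_UNIQUE_RATIO
                and s["long"] > 0):
            alerts.append({
                "client": client,
                "domain": domain,
                "txt_queries": s["txt"],
                "unique_subdomains": len(s["names"]),
                "long_answers": s["long"],
                "answer_bytes": s["bytes"],
            })
    return sorted(alerts, key=lambda a: (a["domain"], a["client"]))


if __name__ == "__main__":
    for alert in find_txt_staging(SAMPLE_LOG):
        print(alert)
```

The benign client querying a handful of SPF and DMARC records never trips the rule, while the client walking s0 through s7 does. Expect some false positives from legitimate high-volume TXT users: mail systems rotating through many DKIM selectors will produce long TXT answers (a 2048-bit DKIM key is roughly 400 characters), so allow-list those zones or require the oversized answers to come with the unique-subdomain pattern, as this example does, rather than alerting on size alone.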