A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer.
That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish.
The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when GoDaddy-owned Sucuri disclosed details of attacks targeting WordPress sites to embed malicious JavaScript that used DNS TXT records as a communication channel for a traffic distribution system (TDS), redirecting site visitors to sketchy sites and malware. Traces of the threat actor date back to February 2020.
“While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system,” Infoblox said. “We are tracking the threat actor who controls this malware as Detour Dog.”
Detour Dog-owned infrastructure, per the company, has been used to host StarFish, a simple reverse shell that serves as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force said the backdoor is delivered by means of malicious SVG files with the goal of enabling persistent access to infected machines.
Hive0145, the threat actor exclusively behind Strela Stealer campaigns since at least 2022, is assessed to be financially motivated and is likely operating as an initial access broker (IAB), acquiring and selling access to compromised systems for profit.
Infoblox’s analysis has revealed that at least 69% of the confirmed StarFish staging hosts were under the control of Detour Dog, and that a MikroTik botnet advertised as REM Proxy – which, in turn, is powered by SystemBC, as uncovered by Lumen’s Black Lotus Labs last month — was also part of the attack chain.
Specifically, it has come to light that the spam email messages that distributed Strela Stealer originated from REM Proxy and another botnet dubbed Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past. In both cases, Detour Dog infrastructure hosted the first stage of the attack.
“The botnets were contracted to deliver the spam messages, and Detour Dog was contracted to deliver the malware,” Dr. Renée Burton, vice president of threat intelligence at Infoblox, told The Hacker News.
What’s more, Detour Dog has been found to facilitate the distribution of the stealer via DNS TXT records, with the threat actor-controlled DNS name servers modified to parse specially formatted DNS queries from the compromised sites and to respond to them with remote code execution commands.
Detour Dog’s modus operandi when it comes to acquiring new infrastructure is by exploiting vulnerable WordPress sites to perform malicious code injections, although the company said the methods have since continued to evolve.
A notable aspect of the attack is that the compromised website functions…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
