
Detour Dog Operating DNS-Based Malware Production Facility for Strela Stealer

A threat actor tracked as Detour Dog has been identified as the driving force behind campaigns distributing an information stealer called Strela Stealer. Findings from Infoblox reveal that Detour Dog controls the domains that host the stealer’s first stage, a backdoor named StarFish. Infoblox has been tracking Detour Dog since August 2023, following disclosures from GoDaddy-owned Sucuri about attacks on WordPress sites. Those attacks injected malicious JavaScript into compromised sites and used DNS TXT records as the communication channel for a traffic distribution system (TDS), redirecting visitors to dubious sites and malware. Traces of Detour Dog’s activity date back to February 2020.

The Detour Dog malware has since evolved beyond redirects to executing remote content delivered through a DNS-based command-and-control (C2) system. Detour Dog’s infrastructure has been used to host StarFish, a reverse shell that gives the Strela Stealer operators access to infected machines. A report from IBM X-Force indicates that the backdoor is delivered via malicious SVG files and provides persistent access to infected hosts. The threat actor Hive0145 (IBM X-Force’s name for the Strela Stealer operator) has been linked exclusively to Strela Stealer campaigns since at least 2022 and is believed to operate as an initial access broker (IAB), monetising access to compromised systems. Infoblox’s analysis shows that at least 69% of confirmed StarFish staging hosts are under Detour Dog’s control, with the REM Proxy and Tofsee botnets also playing roles in the attack chain.
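The defensive takeaway from the two paragraphs above is that DNS TXT answers, which most environments treat as harmless metadata, can carry redirect targets or executable content. The script below is an added example written for this page, not code from the article, from Infoblox or from Sucuri. It scans a simplified, tab-separated DNS log (query name, query type, answer) for TXT answers that carry URLs or script, either in clear text or wrapped in base64, then groups hits by parent zone so a TDS zone stands out. The log format, the sample records, the list of benign TXT prefixes and the detection heuristics are all assumptions; the sample records are constructed and do not reflect real Detour Dog infrastructure.

```python
"""Heuristic scan of DNS logs for TXT records used as a redirect/C2 channel.

Added example for illustration only: not code from the article or from
Infoblox. Log format, sample data, prefixes and heuristics are assumptions.
"""
import base64
import re
from collections import Counter

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Strict base64 body: at least 16 alphabet characters plus optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Markers of script delivered inside a TXT answer (assumed list).
SCRIPT_MARKERS = ("<script", "window.location", "document.location", "eval(")
# TXT record types that legitimately carry long or base64-looking payloads.
KNOWN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")


def decode_base64(text: str):
    """Return decoded text if `text` is strict base64 of printable ASCII, else None."""
    if not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def txt_reasons(qname: str, answer: str) -> list:
    """Reasons a single TXT answer looks like a redirect or C2 payload."""
    if answer.startswith(KNOWN_PREFIXES):
        return []  # SPF/DMARC/DKIM/site-verification are expected to be long
    reasons = []
    if URL_RE.search(answer):
        reasons.append("txt-carries-url")
    if any(marker in answer.lower() for marker in SCRIPT_MARKERS):
        reasons.append("txt-carries-script")
    decoded = decode_base64(answer)
    if decoded and (URL_RE.search(decoded)
                    or any(m in decoded.lower() for m in SCRIPT_MARKERS)):
        reasons.append("base64-wrapped-payload")
    return reasons


def analyze(log_text: str) -> dict:
    """Parse 'qname<TAB>qtype<TAB>answer' lines; map suspicious TXT qnames to reasons."""
    findings = {}
    for line in log_text.strip().splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[1] != "TXT":
            continue  # only TXT answers are of interest here
        qname, _, answer = parts
        reasons = txt_reasons(qname, answer.strip('"'))
        if reasons:
            findings[qname] = reasons
    return findings


def suspicious_zones(findings: dict, min_hits: int = 2) -> dict:
    """Count hits per parent zone (leftmost label stripped); a TDS zone repeats."""
    zones = Counter(q.split(".", 1)[1] for q in findings if "." in q)
    return {zone: n for zone, n in zones.items() if n >= min_hits}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log (tab-separated), not real traffic. The benign rows
# show the false-positive cases a naive "long TXT" rule would trip on.
SAMPLE_LOG = "\n".join([
    "example.com\tTXT\tv=spf1 include:_spf.example.net -all",
    "_dmarc.example.com\tTXT\tv=DMARC1; p=reject",
    "sel1._domainkey.example.com\tTXT\tv=DKIM1; k=rsa; p=" + _b64("not-a-real-key"),
    "example.com\tA\t192.0.2.10",
    "a7f3c9.trk.example.org\tTXT\thttps://redirect.example.net/go?id=a7f3c9",
    "k2j9x1.trk.example.org\tTXT\t" + _b64("window.location='https://loader.example.net/p.svg'"),
    "cfg.trk.example.org\tTXT\t" + _b64("<script src='https://loader.example.net/s.js'></script>"),
])


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for name, why in hits.items():
        print(f"{name}: {', '.join(why)}")
    print("zones:", suspicious_zones(hits))
```

Feeding this a real export (Zeek `dns.log`, BIND query logs or resolver telemetry mapped to the three fields) turns the article's observation into a hunt: the interesting signal is not a single odd TXT answer but one zone answering many random-looking labels with URLs or encoded script, which is what a DNS-keyed TDS looks like from the resolver's side. Allow-listing the well-known TXT prefixes matters, since DKIM keys and site-verification tokens are long, base64-like and entirely benign.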
