Dog Discovers DNS-Driven Malware Factory for Strela Stealer


Understanding the Threat: Detour Dog and Strela Stealer

Introduction to Detour Dog

In recent cybersecurity news, a notorious threat actor termed Detour Dog has been identified as the driving force behind the distribution of an information-stealing malware called Strela Stealer. This alarming revelation comes from a report by Infoblox, a leader in DNS threat intelligence. Detour Dog has been actively controlling various domains associated with the initial stages of the malware, particularly a backdoor known as StarFish.

The Campaign Unfolds

Infoblox first started tracking Detour Dog in August 2023. They linked this threat actor to a series of attacks aimed at WordPress sites, where malicious JavaScript was embedded using DNS TXT records. This technique was utilized as part of a traffic distribution system (TDS) that redirected unsuspecting visitors to dubious websites harboring malware. However, the group's activity can be traced back to as early as February 2020.

The situation has evolved considerably. Infoblox noted, “Initially, these redirects mainly led to scams. Recently, however, the malware has progressed to execute remote content via a DNS-based command-and-control (C2) system.” This shows an alarming shift in the strategies employed by Detour Dog, signaling their growth in sophistication.

Operational Methods

The infrastructure managed by Detour Dog has been instrumental in hosting StarFish, a straightforward reverse shell that serves as the conduit for Strela Stealer. In a July 2025 report by IBM X-Force, it was revealed that the backdoor is typically delivered through malicious SVG files, designed for persistent access to infected machines.

The findings indicate that 69% of confirmed StarFish staging hosts were under Detour Dog’s control. A MikroTik botnet known as REM Proxy, which was linked to SystemBC by Lumen’s Black Lotus Labs, also played a role in the attack chain, highlighting the interconnectedness of cyber threats.

The Mechanism of Attack

Strikingly, spam emails containing the Strela Stealer were found to originate from REM Proxy and another botnet called Tofsee, with the latter distributed using a C++-based loader named PrivateLoader. Infoblox’s investigation revealed that Detour Dog’s infrastructure hosted the initial phase of these attacks, essentially acting as a facilitator for malware distribution. Dr. Renée Burton, vice president of threat intelligence at Infoblox, remarked, “The botnets were contracted to deliver the spam messages, and Detour Dog was responsible for the malware.”

DNS-Based Distribution

Moreover, Detour Dog capitalizes on DNS TXT records to spread its malware. The threat actor modifies DNS name servers to interpret specially formatted DNS queries from the compromised sites, responding with commands for remote code execution.

Notably, Detour Dog first exploits vulnerable WordPress sites to inject malicious code. What’s particularly concerning is that these compromised websites typically seem to function normally about 90% of the time. This camouflaging tactic allows the malware to persist undetected for extended periods. Only around 9% of visitors were redirected to scams, while a mere 1% faced remote file execution commands. This careful control is likely a strategy to avoid detection by cybersecurity professionals.

A Shift in Tactics

This incident marks a significant shift for Detour Dog, as they transition from primarily distributing scams to engaging in malware distribution for financial gain. Burton highlighted, “There has been a great deal of focus in the security industry over the last 12-18 months to stop the type of scams Detour Dog has supported in the past. We believe they were making less money, though we can’t verify that.”

The malware has also evolved to command infected websites to run code from remote servers. By June 2025, responses from infected sites were directing them to retrieve outputs from PHP scripts located on verified Strela Stealer C2 servers, enhancing the distribution method.

The Sequence of Operations

The operational flow of this malware distribution can be summarized as follows:

  1. A victim opens a malicious document that launches an SVG file targeting an infected domain.
  2. The compromised site sends a TXT record request to Detour Dog’s C2 server via DNS.
  3. The name server responds with a TXT record containing a Strela C2 URL prefixed with “down.”
  4. The compromised site strips the prefix and fetches the StarFish downloader from the URL.
  5. The site functions as a relay to send the downloader to the victim.
  6. The downloader then initiates communication with another compromised domain for further instructions.
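A defender-side illustration of the TXT-record mechanism described in the steps above. This is an added example and not code from the Infoblox report or from this article: a small Python scanner over constructed DNS resolver log lines that flags TXT answers of the form "down." followed by a URL (step 3), and separately lists TXT lookups issued by hosts that are known to be web servers (step 2), since a web server rarely has a legitimate reason to issue TXT queries. The log line format, IP addresses and domain names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of resolver log lines (not real traffic). Assumed format:
# <timestamp> <client-ip> <qname> <qtype> <rdata>
SAMPLE_LOG = """\
2025-06-12T09:14:03Z 10.0.5.21 www.shop-placeholder.example A 203.0.113.10
2025-06-12T09:14:05Z 10.0.5.21 k7f3.lookup-placeholder.example TXT "down.https://c2-placeholder.example/path/x.php"
2025-06-12T09:14:07Z 10.0.5.22 mail-placeholder.example TXT "v=spf1 include:_spf.example -all"
2025-06-12T09:14:09Z 10.0.5.21 q9zz.lookup-placeholder.example TXT "nop"
2025-06-12T09:14:11Z 10.0.5.23 _dmarc.example TXT "v=DMARC1; p=reject"
"""

# Prefix the article describes: the TXT answer carries "down." + a C2 URL.
PREFIX = "down."
URL_RE = re.compile(r'^https?://[^\s"]+$')


@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    url: str


def extract_download_url(rdata: str) -> Optional[str]:
    """Return the URL embedded in a TXT value if it follows the 'down.' + URL
    pattern, otherwise None. Quotes around the TXT string are tolerated."""
    value = rdata.strip().strip('"')
    if not value.startswith(PREFIX):
        return None
    candidate = value[len(PREFIX):]
    return candidate if URL_RE.match(candidate) else None


def _split_line(line: str) -> Optional[List[str]]:
    # rdata may contain spaces (SPF, DMARC), so split into at most 5 fields.
    parts = line.split(maxsplit=4)
    return parts if len(parts) == 5 else None


def scan_dns_log(text: str) -> List[Finding]:
    """Flag every TXT answer whose content is a 'down.'-prefixed URL."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = _split_line(line)
        if parts is None:
            continue
        ts, client, qname, qtype, rdata = parts
        if qtype != "TXT":
            continue
        url = extract_download_url(rdata)
        if url:
            findings.append(Finding(ts, client, qname, url))
    return findings


def txt_lookups_from_web_servers(text: str, web_servers: Set[str]) -> List[Tuple[str, str]]:
    """Heuristic: list (client, qname) for TXT queries issued by hosts in the
    web_servers set. Legitimate TXT lookups (SPF/DMARC checks) normally come
    from mail infrastructure, not from web front-ends."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = _split_line(line)
        if parts is None:
            continue
        _, client, qname, qtype, _ = parts
        if qtype == "TXT" and client in web_servers:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"[down-prefixed TXT] {f.timestamp} {f.client} {f.qname} -> {f.url}")
    for client, qname in txt_lookups_from_web_servers(SAMPLE_LOG, {"10.0.5.21"}):
        print(f"[web server TXT lookup] {client} queried {qname}")
```

The second heuristic is deliberately broader than the first: the "down." prefix is a single observed indicator and can change, whereas a web front-end issuing TXT queries at all is a behavioural signal that survives a change of prefix. In practice the web-server set would come from an asset inventory rather than a literal.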

Conclusion of Findings

On July 30 and August 6, 2025, Infoblox collaborated with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains: webdmonitor[.]io and aeroarrows[.]io. Their analysis suggests that Detour Dog may also be operating as a distribution-as-a-service (DaaS) provider, aiding other cybercriminal operations. While the investigation is ongoing, the tactics employed by Detour Dog reflect a worrying trend in the cyber threat landscape, demanding vigilant monitoring and response strategies.
