Hackers Hide Malware in DNS to Evade Detection
Cybercriminals are exploiting overlooked corners of the Domain Name System (DNS) to deliver malware undetected, turning DNS into a covert file store. Security researchers have found that attackers hide malware in DNS records, particularly TXT records, by hex-encoding an executable, splitting the hex string into fragments and storing one fragment per subdomain; anything that can issue DNS queries can then fetch the fragments in order, concatenate them and decode the original file. This sidesteps many traditional detection tools because outbound DNS is usually allowed with little inspection, and where DNS over HTTPS or DNS over TLS is in use the queries are not even visible to network monitoring.
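The following is an added illustration, not code from the original article or from the researchers it cites. It models the staging step (hex-encode, split, spread across numbered subdomains) and the two things a defender wants: a detector that flags TXT values consisting only of hex, and a reassembler that recovers the file and identifies it by its magic bytes. The numbered-subdomain naming scheme, the example domain `stage.example.test` and the sample zone are assumptions constructed for the example; in practice the record set would come from passive DNS (such as DNSDB) or from `dig TXT` against the suspect names.

```python
import re

# Constructed sample payload: a tiny fake PE-like file (MZ header plus the familiar DOS stub text).
FAKE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8

# Assumed naming scheme: chunk index as the leftmost label, e.g. 0.stage.example.test.
STAGING_DOMAIN = "stage.example.test"


def split_into_txt_chunks(payload: bytes, chunk_len: int = 34) -> dict:
    """Attacker-side staging: hex-encode and spread the string across numbered subdomains.
    chunk_len is in hex characters; it must stay even and well below the 255-byte TXT string limit."""
    hexed = payload.hex()
    return {
        f"{i}.{STAGING_DOMAIN}": hexed[j:j + chunk_len]
        for i, j in enumerate(range(0, len(hexed), chunk_len))
    }


# Constructed zone mixing legitimate TXT records with the staged chunks.
SAMPLE_ZONE = {
    "example.test": "v=spf1 include:_spf.example.test -all",
    "selector1._domainkey.example.test": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB",
    **split_into_txt_chunks(FAKE_PAYLOAD),
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Magic bytes worth alerting on when a reassembled blob starts with them.
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/JAR/Office container",
}


def suspicious_txt_records(records: dict, min_len: int = 16) -> list:
    """Detection: TXT values that are pure hex of even length. SPF, DKIM and domain
    verification tokens contain '=', ';' or other non-hex characters, so they are not flagged."""
    return [
        name for name, value in records.items()
        if len(value) >= min_len and len(value) % 2 == 0 and HEX_RE.match(value)
    ]


def reassemble(records: dict, chunk_names: list) -> bytes:
    """Order the flagged chunks by their leading numeric label, concatenate and hex-decode.
    Returns b'' if a label is not numeric or the joined string is not valid hex."""
    try:
        ordered = sorted(chunk_names, key=lambda n: int(n.split(".", 1)[0]))
        return bytes.fromhex("".join(records[n] for n in ordered))
    except ValueError:
        return b""


def identify(blob: bytes):
    """Return a description of the file type if the blob starts with a known magic, else None."""
    for magic, description in MAGIC.items():
        if blob.startswith(magic):
            return description
    return None


def analyse(records: dict):
    """End-to-end: find hex-only TXT records, rebuild the file, report what it is."""
    chunks = suspicious_txt_records(records)
    blob = reassemble(records, chunks)
    return chunks, blob, identify(blob)


if __name__ == "__main__":
    chunks, blob, kind = analyse(SAMPLE_ZONE)
    print(f"{len(chunks)} hex-only TXT records, {len(blob)} bytes reassembled, type: {kind}")
```

The hex-only check is deliberately crude but cheap to run over a passive DNS export or a resolver's query log; the magic-byte check on the reassembled result is what turns a noisy "looks odd" signal into a confirmed hidden executable.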
Using DNSDB Scout, a passive DNS query tool, analysts uncovered TXT records containing recognisable file headers on domains such as felix.stf.whitetreecollective[.]com. When reassembled, these fragments formed complete malware files, including the Joke Screenmate prank program, which is known for disruptive on-screen behaviour rather than data theft. Investigators also found encoded PowerShell stagers in DNS records tied to drsmitty[.]com; these connected to a Covenant C2 server to fetch the next-stage payload. Because attackers are hiding malware in DNS infrastructure itself, organisations should log DNS queries and responses (including traffic that would otherwise be hidden by encrypted DNS), alert on TXT answers that consist of long hex strings or on bursts of queries to many numbered subdomains of one parent, and apply DNS filtering to block resolution of known staging domains.
For a full breakdown of the findings, read the original article: Hackers Exploiting DNS Blind Spots to Hide and Deliver Malware
