Detour Dog
Detour Dog is a cybercriminal threat actor tracked by Infoblox, with activity traces dating back to February 2020 and active tracking since August 2023. The group has compromised tens of thousands of websites globally, including vulnerable WordPress sites, and uses DNS-based malware techniques centered on DNS TXT records for covert command-and-control, traffic redirection, and payload delivery. Their attacks operate server-side, so infected sites usually appear normal to visitors, which supports long-term persistence; reporting states compromised sites can remain infected for over a year. Infoblox reported that infected sites function normally about 90% of the time, redirect visitors to scams about 9% of the time, and receive remote file execution commands about 1% of the time, likely to reduce detection.

Detour Dog is associated with infrastructure used to host StarFish, described as a simple reverse shell/backdoor that serves as a conduit for Strela Stealer. Infoblox assessed that the actor controls domains hosting the first-stage component and that at least 69% of confirmed StarFish staging hosts were under Detour Dog control.

In June and July 2025, the group was observed evolving from primarily traffic redirection and scam monetization to malware distribution, specifically facilitating Strela Stealer delivery via DNS TXT records. TXT responses were reported as Base64-encoded and included the word "down" to trigger infected sites to retrieve content from Strela Stealer C2 infrastructure. Infoblox stated this was the first time the actor had been observed distributing malware rather than only forwarding traffic. The actor’s operations use compromised websites as relays to obscure hosting and complicate analysis. Infoblox reported that Detour Dog-controlled DNS name servers were modified to parse specially formatted DNS queries and respond with remote code execution commands.
The group has also been linked to traffic distribution and scam redirection activity, including prior forwarding of traffic to Los Pollos under the VexTrio Viper umbrella, as well as use of Help TDS or Monetizer TDS for scam redirects. Detour Dog appears to operate in a service-based cybercriminal ecosystem. Infoblox reported that botnets including REM Proxy and Tofsee were used to distribute spam delivering Strela Stealer, while Detour Dog provided malware delivery infrastructure. Reporting also states that Strela Stealer is operated by Hive0145, with Detour Dog acting as a distributor via StarFish. Infoblox described the arrangement as contracted delivery, with botnets delivering spam and Detour Dog delivering the malware. The group’s infrastructure is described as resilient and able to recover quickly from takedown attempts. Infoblox and the Shadowserver Foundation sinkholed two Detour Dog C2 domains, webdmonitor[.]io and aeroarrows[.]io, on July 30 and August 6, 2025. A brief sinkhole of a C2 domain in August 2025 reportedly revealed about 30,000 infected hosts and spikes of more than 2 million DNS TXT requests per hour. No additional aliases or sub-groups are directly identified in the provided content.
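As an added example (not code from this page or from Infoblox), the two defender-side signals described above applied to constructed resolver log lines: a TXT answer whose Base64 body decodes to text containing the reported trigger word "down", and a per-name TXT query rate on the order of the spikes seen during the sinkhole. The log format, the sample names and addresses, and the payload layout are assumptions; only the trigger word and the volume figure come from the reporting.

```python
import base64
import binascii
from collections import Counter

TRIGGER_WORD = "down"              # trigger word reported in the TXT responses
HOURLY_TXT_THRESHOLD = 2_000_000   # order of the hourly spikes seen during the sinkhole

def decode_txt(rdata):
    """Decoded text if rdata is strict Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(rdata, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None

def parse_line(line):
    # Assumed log format: "<timestamp> <client> <qname> <qtype> <rdata>" (rdata may contain spaces)
    ts, client, qname, qtype, rdata = line.split(" ", 4)
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "rdata": rdata}

def find_trigger_txt(lines):
    """TXT answers whose Base64 body decodes to text containing the trigger word."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["qtype"] == "TXT":
            decoded = decode_txt(rec["rdata"])
            if decoded and TRIGGER_WORD in decoded.lower().split():
                hits.append((rec["qname"], decoded))
    return hits

def txt_queries_per_hour(lines):
    """Count TXT lookups per (qname, hour); a spike on one name is the volume signal."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec["qtype"] == "TXT":
            counts[(rec["qname"], rec["ts"][:13])] += 1
    return counts

def txt_spikes(lines, threshold=HOURLY_TXT_THRESHOLD):
    return sorted(k for k, n in txt_queries_per_hour(lines).items() if n >= threshold)

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample log: names, addresses and payload text are placeholders, not real indicators.
SAMPLE_LOG = [
    "2025-08-06T10:00:01Z 10.0.0.5 mail.example.invalid TXT v=spf1 -all",
    "2025-08-06T10:00:02Z 10.0.0.5 relay.example.invalid TXT " + _b64("down http://stage.invalid/x"),
    "2025-08-06T10:00:03Z 10.0.0.7 relay.example.invalid TXT " + _b64("ok"),
    "2025-08-06T10:00:04Z 10.0.0.7 relay.example.invalid A 203.0.113.10",
]
```

Ordinary TXT records such as SPF fail strict Base64 validation and are ignored, so the keyword check only fires on opaque encoded answers; the rate check is meant to run over a full hour of logs, with the threshold lowered for smaller windows.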
Detour Dog is known for large-scale compromise of websites to deliver DNS-based malware, including the Strela Stealer infostealer and StarFish backdoor, using covert DNS TXT records for C2 and payload delivery.
Detour Dog is a persistent cybercriminal group operating a distribution-as-a-service (DaaS) platform, using compromised WordPress sites to deliver malware and scams.
The actor operates infrastructure and DNS-based command-and-control/traffic distribution used to stage and distribute Strela Stealer via a first-stage backdoor (StarFish). It compromises vulnerable WordPress sites to inject malicious JavaScript and uses DNS TXT records to relay commands/URLs, enabling remote code execution and multi-stage malware delivery. It is assessed to function as a distribution-as-a-service provider and previously focused on traffic-forwarding/scam redirections.
Detour Dog is a cybercriminal group known for infecting websites globally since 2020, initially conducting affiliate scams and later shifting to distributing information-stealing malware (Strela Stealer) via DNS hijacking and covert website infections.