Attackers are abusing the domain name system (DNS) to store and distribute malware, potentially creating blind spots for defenders, security researchers say.

It turns out that files can be stored in DNS TXT records, security vendor DomainTools reported.
As the name implies, TXT records let domain owners store text information for various purposes, such as email security and authentication, and verification of ownership, which can then be retrieved globally from the public DNS.
By querying the DNS and reassembling the TXT records retrieved that contain partitioned and encoded files, attackers can store malware persistently and access it as needed.
DomainTools' researchers looked for executable and common file patterns encoded in TXT records, and found one piece of malware that turned out to be older prank software called Joke Screenmate.
Another researcher said he spotted credentials exfiltration in a DNS request:
I caught something subtle in a network capture, a DNS request that looked normal until I decoded the subdomain. It revealed Base64-encoded credentials being smuggled out: username=backup.admin, password=Gx#7kB!93vP@s*L0p&2F.
I triggered the exact same DNS query using dig from… pic.twitter.com/NIm99OENI9
— Winston Ighodaro (@Officialwhyte22) July 15, 2025
The technique of abusing DNS for malicious purposes isn't new, Liam O'Shannessy, the executive director of security, testing and assurance at CyberCX Victoria/Tasmania told iTNews.
"The storage of malware in DNS TXT [records] fills a unique niche as an attack technique," O'Shannessy said.
Using DNS for command and control (C2), including the distribution of malware payloads, is relatively well understood by both attackers and defenders, O'Shannessy explained.
"The use of this technique by attackers is uncommon, because for a lot of organisations, it stands out to defenders who can use it as a strong signal that something is going wrong with their networks."
Nevertheless, anomalous DNS traffic can be missed, CyberCX has found.
"In our penetration tests and Red Team activities, we regularly observe organisations for whom DNS traffic is a 'blind spot' in their detection and response capabilities," O'Shannessy said.
"For attacks against those organisations, DNS-based C2 can be an effective technique for attackers, in particular in situations where other types of outbound network access from internal networks to the Internet are blocked," he added.
O'Shannessy said the research published this week is a reminder to defenders to ensure that they monitor DNS-based traffic as an important part of their capabilities.
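As an added illustration (not DomainTools' tooling and not code from the article), the following Python detector applies the two signals described above to DNS logs: query labels that base64-decode to credential-like text, and TXT answers that, once reassembled in order and decoded, begin with an executable's magic bytes. The log entries, domain names and the "chunks are ordered by their first label" naming scheme are constructed assumptions.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample DNS log entries (not from the article): (query name, type, answer).
# The encoded label and the split TXT payload are built here so they are obviously fake.
EXFIL_LABEL = base64.b64encode(b"username=backup.admin;password=example").decode().rstrip("=")
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()  # base64 of a fake PE stub
SAMPLE_LOG = [
    (f"{EXFIL_LABEL}.tunnel.example.net", "A", ""),
    ("c1.files.example.org", "TXT", FAKE_PE[:44]),  # assumption: chunks ordered by first label
    ("c2.files.example.org", "TXT", FAKE_PE[44:]),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject"),  # benign TXT use
]
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP archive"}

def shannon_entropy(s: str) -> float:  # bits per character
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())
def try_b64(s: str):  # base64/base64url with padding stripped; None if not valid base64
    s = s.replace("-", "+").replace("_", "/") + "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
def suspicious_labels(qname: str) -> list:  # labels that look like encoded data leaving
    reasons = []
    for label in qname.split(".")[:-2]:  # skip registered domain + TLD (assumption)
        if len(label) >= 24 and shannon_entropy(label) > 3.5:
            reasons.append(f"high-entropy label ({len(label)} chars)")
        raw = try_b64(label)
        if raw and re.search(rb"(user(name)?|pass(word)?)=", raw, re.I):
            reasons.append("base64 label decodes to credential-like text")
    return reasons
def classify_txt_payload(chunks: list):  # reassemble ordered chunks, decode, check magic
    raw = try_b64("".join(chunks))
    return next((name for m, name in MAGIC.items() if raw.startswith(m)), None) if raw else None

def scan(log) -> dict:  # {name: [reasons]} for every suspicious query or TXT record set
    findings, txt_groups = {}, {}
    for qname, qtype, answer in log:
        if reasons := suspicious_labels(qname):
            findings[qname] = reasons
        if qtype == "TXT":  # group chunks by parent name for reassembly
            first, _, parent = qname.partition(".")
            txt_groups.setdefault(parent, []).append((first, answer))
    for parent, chunks in txt_groups.items():
        if kind := classify_txt_payload([a for _, a in sorted(chunks)]):
            findings[parent] = [f"TXT records reassemble to a {kind}"]
    return findings
```

Real DNS logs would need the chunk-ordering convention and the registered-domain split adapted to what the resolver actually records.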