Tarnkappe.infoOct 4
📬 Detour Dog und die DNS-TXT-Kommunikation – eine neue Dimension der Malware-Verteilung
#Cyberangriffe #ITSicherheit #DetourDog #HelpTDS #PoisonedDNS #StarFish #StrelaStealer #TXTRecordAbfrage #VexTrioViper https://sc.tarnkappe.info/1b20a1
Detour Dog und die DNS-TXT-Kommunikation – eine neue Dimension der Malware-Verteilung

Die Malware-Kampagne von Detour Dog ist schon lange aktiv. In Wordpress-Blogs bettete man dafür ein ausgeklügeltes JavaScript ein.

TARNKAPPE.INFO
Infoblox Threat IntelOct 1

We recently unraveled a mystery involving ~30k infected websites, DNS TXT records, and Strela Stealer #malware distribution. A threat actor who has been around since at least Feb 2020 has evolved to distribute malware through misdirection and a complex relay system, leaving defenders unsure where the actual malware is hosted.
And to top it off, we found that part of the campaigns were sent via REM proxy, another threat actor we track via DNS that leverages compromised MikroTik routers. These campaigns were spam messages targeting #german speakers with malicious .svg files.
The attachments had links pointing to the first stage of the malware -- or did it? It turns out the threat actor, which we track as Detour Dog, is playing mind games. That link actually triggers server-side DNS queries and the fun begins.
Here is the paper: https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
More nuggets in the replies.

#malware #infostealer #dns #threatintel #cybersecurity #cybercrime #scam #helptds #tds #infosec #infoblox #strelastealer #phishing #spam #remproxy

Detour Dog: DNS Malware Powers Strela Stealer Campaigns

30k sites infected with DNS malware by Detour Dog. Now linked to Strela Stealer, StarFish backdoor, REM Proxy, and Tofsee in global spam campaigns.

Infoblox Blog
Infoblox Threat IntelSep 5, 2025

Wanna play a game?
Reboot now… or in five minutes?

Help TDS - a notorious traffic distribution system - has a fresh new illusion — a fake system alert that sets the stage before the tech support scam begins.

It’s not just a pop-up; it’s full-screen psychological priming, blurred just enough to slip past security tools. You’re given a “choice”, but either way, the curtain rises.

Click either button and the show begins: a spoofed full-screen Microsoft virus alert, and a phone number that offers an immediate fix.

The real trick? Victims are already convinced it’s real before the scam even loads.

#Infoblox #dns #phishing #tds #scam #scareware #helptds #threatintel #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #TechSupportScam #ScamAlert #DontDialTheNumber

KrebsOnSecurity RSSJun 12, 2025

Inside a Dark Adtech Empire Fed by Fake CAPTCHAs

https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/

#Ne'er-Do-WellNews #SkyForgeDigitalAG #ALittleSunshine #PartnersHouse #Doppelganger #WebFraud2.0 #AimedGlobal #ReneeBurton #TeknologySA #ByteCoreAG #smartlinks #Spamshield #LosPollos #wordpress #DollyWay #Holacode #Infoblox #TacoLoco #BroPush #GoDaddy #HelpTDS #RichAds #VexTrio #AdsPro #Qurium #RexAds

Inside a Dark Adtech Empire Fed by Fake CAPTCHAs – Krebs on Security

ITSEC NewsJun 12, 2025
Inside a Dark Adtech Empire Fed by Fake CAPTCHAs - Late last year, security researchers made a startling discovery: Kremlin-backed di... https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/ #skyforgedigitalag #neer-do-wellnews #alittlesunshine #partnershouse #doppelganger #webfraud2.0 #aimedglobal #reneeburton #teknologysa #bytecoreag #smartlinks #spamshield #lospollos #wordpress #dollyway #holacode #infoblox #tacoloco #bropush #godaddy #helptds #richads
Inside a Dark Adtech Empire Fed by Fake CAPTCHAs – Krebs on Security