👤 CIPHERWARDEN
🗓️ 02 Oct 2025  

DNS Detour: How ‘Detour Dog’ Hijacked 30,000 Websites (and You Never Noticed)

A shadowy cybercrime group quietly infected tens of thousands of sites, using invisible DNS tricks to spread powerful malware worldwide.

Fast Facts

  • Detour Dog, a cybercriminal group, has infected over 30,000 websites since 2020.
  • The group hijacks websites using a stealthy DNS-based technique, invisible to most visitors.
  • Strela Stealer malware, delivered via these attacks, can steal victims’ sensitive information.
  • Malicious operations spanned 89 countries, with the highest traffic from the US, Germany, and Taiwan.
  • The attacks often bypass traditional security tools, making detection challenging.

The Digital Heist Hiding in Plain Sight

Picture a bustling city, its streets seemingly safe - yet, beneath the surface, a network of silent thieves reroutes unsuspecting citizens into danger. This is the world Detour Dog has built online. Since 2020, this persistent cybercrime group has been quietly hijacking the “address books” of the internet - known as the Domain Name System, or DNS - to infect over 30,000 websites across the globe. Most visitors never see anything amiss, but for a chosen few, a single click can unleash malware that steals personal secrets in seconds.

DNS: The Secret Back Door

Detour Dog’s brilliance lies in its subtlety. Instead of defacing websites or flooding users with pop-ups, the group manipulates a hidden part of how the internet connects: DNS records, specifically something called TXT records. Think of DNS as the internet’s switchboard operator - when you type in a website, DNS tells your device where to go. By sneaking malicious commands into these records, Detour Dog quietly tells infected sites when to redirect visitors to scams or trigger malware downloads, all without leaving obvious traces.

Research by Infoblox reveals just how selective the attack is. Nine out of ten visits seem normal; only a tiny fraction - depending on your device or location - are actually targeted. This allows infected sites to remain compromised for over a year, as most people and security tools see nothing suspicious.
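The covert-signalling pattern described above (commands hidden in TXT answers, rare activation buried in a large volume of lookups) is something a defender can look for in resolver logs. The following detection script is an added example written for this article; it is not code from Infoblox or from the original post. It assumes a constructed log line format (timestamp, client IP, query type, query name, quoted answer), and the sample lines, domain names and thresholds are all invented for illustration. It flags TXT queries on two grounds: answers that are neither a recognised mail/verification record nor plain text but carry a long base64-like blob, and query names that receive an unusual number of TXT lookups.

```python
"""Heuristics for spotting DNS TXT records used as a command channel.

Added example (not from the article or Infoblox). Log format, sample data,
domain names and thresholds are assumptions made for this demonstration.
"""
import base64
import re
from collections import Counter, defaultdict

# TXT record shapes expected in normal operation: SPF, DMARC, DKIM and
# domain-ownership verification tokens. Anything else is treated as unusual.
BENIGN_TXT = re.compile(
    r"^(v=spf1\b|v=DMARC1\b|v=DKIM1\b|[\w-]+-site-verification=|MS=ms\d+)",
    re.IGNORECASE,
)

# A run of base64 alphabet long enough to be a payload rather than a short token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Constructed resolver log line: timestamp client qtype qname "answer"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+) "(?P<answer>.*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def looks_like_command(answer):
    """True when a TXT answer is not a known benign record and contains a
    long base64-like blob, i.e. it is shaped like encoded data, not text."""
    if BENIGN_TXT.match(answer):
        return False
    return B64_BLOB.search(answer) is not None


def analyze(log_text, volume_threshold=50):
    """Return {qname: [reasons]} for TXT query names worth investigating."""
    txt_counts = Counter()
    unusual_answers = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["qtype"] != "TXT":
            continue  # only TXT traffic is relevant to this technique
        txt_counts[rec["qname"]] += 1
        if looks_like_command(rec["answer"]):
            unusual_answers[rec["qname"]].add(rec["answer"])

    findings = {}
    for name, count in txt_counts.items():
        reasons = []
        if count >= volume_threshold:
            reasons.append(f"{count} TXT queries (threshold {volume_threshold})")
        if name in unusual_answers:
            reasons.append(
                f"{len(unusual_answers[name])} non-standard TXT answer(s) "
                "carrying a base64-like payload"
            )
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample data (not real traffic). The blob is base64 of a harmless
# marker string so the example runs offline without any real command content.
DEMO_BLOB = base64.b64encode(b"constructed demo blob, not a real command").decode()

SAMPLE_LOG = "\n".join(
    [
        '2025-07-01T10:00:00Z 10.0.0.5 A example.com "192.0.2.10"',
        '2025-07-01T10:00:01Z 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.com -all"',
        '2025-07-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.com "v=DMARC1; p=reject"',
        '2025-07-01T10:00:03Z 10.0.0.7 TXT example.com "google-site-verification=' + DEMO_BLOB + '"',
        "this line is malformed and must be skipped",
        f'2025-07-01T10:02:00Z 10.0.0.9 TXT odd.example.test "{DEMO_BLOB}"',
    ]
    # A burst of 60 TXT lookups for one name, answered with the same blob each time.
    + [
        f"2025-07-01T10:01:{i:02d}Z 10.0.0.{10 + i % 5} TXT beacon.example.invalid \"{DEMO_BLOB}\""
        for i in range(60)
    ]
)

if __name__ == "__main__":
    for qname, reasons in analyze(SAMPLE_LOG).items():
        print(qname)
        for r in reasons:
            print("  -", r)
```

In the constructed sample, `example.com` is never flagged even though one of its verification tokens is a long base64 string, because the benign-prefix check runs first; `odd.example.test` is flagged on content alone, and `beacon.example.invalid` on both content and volume. In practice the volume threshold should be set from a baseline of the resolver's normal TXT query rate per name, and hits should be correlated with the web logs of any site whose name appears.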

From Affiliate Scams to Stealing Secrets

Detour Dog’s criminal journey began with low-level scams routed through affiliate networks like Los Pollos. But in 2025, their tactics escalated. They partnered with other threat actors, such as Hive0145, to distribute a notorious information-stealing malware called Strela Stealer. This malware, delivered through a backdoor called StarFish and spread via botnets like REM Proxy and Tofsee, is designed to siphon passwords, credentials, and other sensitive data from victims’ computers.

The infrastructure is massive: at its peak, a single compromised server received over two million covert DNS requests per hour. While some of the traffic appears automated - possibly from bots or even government networks - the scale underscores how widely these infections have spread. Detour Dog controlled nearly 70% of the domains used in the attacks during the June-July 2025 campaign.

Why This Attack Matters

DNS hijacking is not new, but Detour Dog’s campaign is unusually sophisticated. Past incidents, like the infamous DNSChanger operation (disrupted by the FBI in 2011), hijacked users’ web traffic more bluntly. Detour Dog’s use of TXT records for covert signaling and rare, targeted activation is a leap forward in stealth. Their method evades most antivirus tools, making traditional website security almost useless against this kind of attack.

With much of the world’s web traffic flowing through a handful of DNS providers and hosting giants, attacks like this have broad implications. They highlight how criminal groups are innovating faster than defenders, and how the very plumbing of the internet can be weaponized.

As the digital world grows ever more complex, Detour Dog’s campaign is a stark reminder: sometimes, the most dangerous threats are the ones you never see. For now, the best defense may be vigilance at the network’s very core - watching the watchers, and questioning the invisible hands behind our daily clicks.

WIKICROOK

  • DNS Hijacking: DNS Hijacking is when attackers secretly alter DNS settings, redirecting users to fake or harmful websites without their knowledge to steal data or spread malware.
  • TXT Records: TXT Records are DNS fields for storing text data, often used for verification and email security, but sometimes abused by attackers to hide commands.
  • Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
  • Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
  • Information Stealer: An Information Stealer is malware that secretly collects personal data, like passwords or financial info, and sends it to cybercriminals.

CIPHERWARDEN
Cyber Encryption Architect