How are hackers using DNS blind spots to hide and deliver malware in 2025, and what can organizations do to detect and prevent these DNS-based cyber attacks?
In 2025, cybersecurity researchers uncovered a growing trend where hackers exploit DNS blind spots to store and deliver malware using DNS TXT records. By partitioning executable files into hexadecimal chunks and embedding them across subdomains, attackers bypass traditional security tools that don't monitor DNS traffic. This technique, active since at least 2017, uses encrypted DNS protocols like DoH and DoT, further complicating detection. Organizations must now prioritize DNS monitoring, filtering, and inspection strategies as core parts of their cyber defense frameworks to combat this stealthy malware delivery method.

Table of Contents
- Introduction: The Hidden World Inside DNS
- What Are DNS Blind Spots?
- Real-World Discovery: Malware Hidden in DNS TXT Records
- Beyond Malware Files: PowerShell Commands Hidden in DNS
- Why Is This Technique So Dangerous?
- Historical Context: This Isn’t New, But It’s Growing
- How DNS Tunneling Works (In Simple Terms)
- Key Elements of DNS Malware Delivery
- How Organizations Can Defend Against DNS-Based Malware Attacks
- Conclusion
- Frequently Asked Questions (FAQs)
Introduction: The Hidden World Inside DNS
Imagine receiving no suspicious email, no visible file download, and no malicious link—and yet malware sneaks into your network. That’s exactly what’s happening with a new breed of cyberattacks exploiting DNS (Domain Name System) blind spots.
DNS, which translates website names like google.com into IP addresses, has become an unexpected vector for malware storage and delivery. In 2025, security researchers uncovered sophisticated techniques where hackers hide malware inside DNS TXT records, turning internet infrastructure into a stealth malware delivery system.
What Are DNS Blind Spots?
DNS blind spots refer to areas in DNS traffic and configuration that security tools typically ignore. While organizations monitor emails, web traffic, and executables, DNS queries often go unchecked. This gap allows cybercriminals to exploit DNS as:
- A covert file storage platform.
- A channel for Command-and-Control (C2) communication.
- A medium for malware delivery.
Real-World Discovery: Malware Hidden in DNS TXT Records
Using tools like DNSDB Scout, researchers found attackers storing entire executable files inside DNS TXT records. TXT records are meant to store simple domain-related text, but attackers abuse them to hide file fragments.
Example Case:
Domain: *.felix.stf.whitetreecollective[.]com
- Hundreds of subdomains were observed.
- Each subdomain contained a small piece of malware in hexadecimal format.
- Researchers reassembled these fragments into fully working malware samples.
Reconstructed Malware Hashes:
| SHA256 Hash | Description |
|---|---|
| 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866 | Joke Screenmate Malware |
| e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1 | Joke Screenmate Malware |
This malware displayed disruptive behavior such as fake warnings, blocking user controls, and causing performance degradation.
Beyond Malware Files: PowerShell Commands Hidden in DNS
Another disturbing find involved malicious PowerShell commands embedded in TXT records on domains like drsmitty[.]com. These encoded scripts communicated with a Covenant C2 server at cspg[.]pw, using a stager script to deliver follow-up malware payloads.
- Endpoint observed: /api/v1/nps/payload/stage1
- Technique: No visible file download; everything happens through DNS traffic.
Why Is This Technique So Dangerous?
Most security systems focus on:
- Email filters
- Web traffic monitoring
- File-based antivirus detection
But DNS queries are often treated as mere infrastructure chatter. Here's why that’s dangerous:
| Factor | Why It Matters |
|---|---|
| DNS Is Ubiquitous | Every internet-connected system relies on it. |
| Often Unmonitored | DNS logs aren't part of standard security tools. |
| Supports Encryption | DoH (DNS over HTTPS) and DoT hide traffic content. |
| Persistent Data | TXT records can store data for years. |
Historical Context: This Isn’t New, But It’s Growing
- First Observed: Similar C2 traffic techniques were identified as far back as 2017.
- Current Trends: Research shows 90% of malware uses DNS in its kill chain.
- Rising Encryption Use: Technologies like DNS over HTTPS (DoH) and DNS over TLS (DoT) are being abused to hide malicious DNS queries under the veil of privacy.
How DNS Tunneling Works (In Simple Terms)
Think of DNS tunneling like sending secret messages using puzzle pieces. Instead of sending one obvious, large file, the malware breaks it down:
1. Convert File to Hexadecimal: the malicious file is converted into small hexadecimal chunks.
2. Store in TXT Records: each chunk is placed into a TXT record across many subdomains.
3. Reassemble Upon Retrieval: malware on the victim’s system queries each subdomain, collects all the pieces, and reassembles the original malicious file.
Key Elements of DNS Malware Delivery
| Element | Description |
|---|---|
| Attack Methodology | Partition malware into DNS TXT records |
| Example Domain | *.felix.stf.whitetreecollective[.]com |
| Reassembled Malware | Joke Screenmate Malware |
| Additional Discovery | Malicious PowerShell commands linked to Covenant C2 |
| First Detected Year | 2017 (Persistence shown through ongoing discoveries) |
| Risk Amplification | Rise of DoH and DoT encryption |
| Recommended Action | Implement DNS monitoring, filtering, and C2 detection |
How Organizations Can Defend Against DNS-Based Malware Attacks
1. Implement Comprehensive DNS Monitoring
Use tools that inspect DNS logs for anomalies like:
- Unusual TXT record sizes.
- Excessive subdomain queries.
- Patterns resembling file reassembly.
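As an added illustration (not code from the article or from the researchers it cites), the following Python script applies the three indicators above, and the chunk-and-reassemble mechanism described in the DNS tunneling section, to constructed resolver log lines: it groups hex-only TXT answers under numbered subdomains by parent zone, flags zones with many sequential chunks, and reassembles the fragments in label order so an analyst can hash and triage them. The log format, the example.net placeholder zone, the hypothetical function names and the hex fragments are all constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
# Constructed resolver log lines (not from the article): "<client> <qname> <qtype> <rdata>".
# example.net is a placeholder zone; the hex TXT values are made-up file fragments.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A 93.184.216.34
10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all
10.0.0.7 0.felix.stf.example.net TXT 4d5a90000300000004000000ffff0000
10.0.0.7 1.felix.stf.example.net TXT b8000000000000004000000000000000
10.0.0.7 2.felix.stf.example.net TXT 00000000000000000000000000000000
10.0.0.7 3.felix.stf.example.net TXT 0000000000000000000000000000e800
10.0.0.7 4.felix.stf.example.net TXT 0e1fba0e00b409cd21b8014ccd215468
10.0.0.9 _dmarc.example.org TXT v=DMARC1; p=reject
"""
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def parse_log(text):
    """Split each line into (client, qname, qtype, rdata); rdata may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows

def find_chunk_stores(rows, min_chunks=3, min_hex_len=16):
    """Group hex-only TXT answers by parent zone and flag zones with many numbered chunks."""
    by_parent = defaultdict(dict)
    for _client, qname, qtype, rdata in rows:
        label, _, parent = qname.partition(".")
        # A long, pure-hex TXT answer under a numeric label looks like a file fragment.
        if qtype == "TXT" and label.isdigit() and len(rdata) >= min_hex_len and HEX_RE.match(rdata):
            by_parent[parent][int(label)] = rdata
    findings = {}
    for parent, chunks in by_parent.items():
        if len(chunks) < min_chunks:
            continue
        indices = sorted(chunks)
        blob = bytes.fromhex("".join(chunks[i] for i in indices))  # analyst reassembly for triage
        findings[parent] = {
            "chunks": len(chunks),
            "sequential": indices == list(range(indices[0], indices[0] + len(indices))),
            "looks_like_pe": blob[:2] == b"MZ",  # 4d5a is the Windows executable (MZ) header
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob),
        }
    return findings
```

The hash of a reassembled blob can be compared against published indicators such as the two SHA256 values listed earlier in this article.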
2. Deploy DNS Filtering Solutions
Block known malicious domains proactively and use threat intelligence feeds focused on DNS abuse.
3. Enforce Strict DNS Security Policies
Combine DNSSEC, SPF, DKIM, and DMARC for domain security and integrity validation.
4. Monitor for Encrypted DNS Abuse
Use technologies that can detect suspicious encrypted DNS traffic patterns.
5. Educate Security Teams
Ensure IT and cybersecurity teams understand DNS attack vectors and regularly review DNS traffic.
Conclusion: Treat DNS as a Security Priority, Not an Afterthought
The revelation that attackers are storing executable files, PowerShell commands, and malware payloads inside DNS TXT records highlights a critical vulnerability in modern cybersecurity strategies.
Organizations can no longer afford to overlook DNS as just a simple background service. With 90% of malware using DNS in its lifecycle, DNS security must become a frontline defense component.
By investing in DNS monitoring, filtering, and threat hunting capabilities, businesses can close this blind spot and protect themselves against one of 2025’s most stealthy and dangerous cyber threats.
FAQ
What does it mean when hackers use DNS blind spots to hide malware?
It means attackers store malware within DNS records, especially TXT records, exploiting the fact that many organizations don’t monitor DNS traffic for threats.
How does malware get hidden inside DNS TXT records?
Hackers convert malware into hexadecimal chunks, then store those chunks as text in DNS TXT records across subdomains. These chunks can later be reassembled.
Why is DNS considered a blind spot in cybersecurity?
Many security systems focus on emails, web traffic, or file monitoring, ignoring DNS queries, making it a blind spot attackers can exploit.
What is DNS tunneling, and how does it relate to malware delivery?
DNS tunneling uses DNS queries to secretly send and receive data, allowing malware and commands to pass through firewalls undetected.
What type of malware was found hidden in DNS records in 2025?
Researchers found Joke Screenmate malware and malicious PowerShell commands embedded in DNS TXT records.
What is the risk of encrypted DNS (DoH, DoT) in cyber attacks?
Encrypted DNS hides DNS traffic from security tools, making it harder to detect malicious queries and DNS-based malware delivery.
How long has DNS-based malware delivery been observed?
It has been operational since at least 2017, according to research from security experts.
What is DNSDB Scout, and how is it used in cybersecurity?
DNSDB Scout is a passive DNS intelligence tool used to search for abnormal or malicious DNS records globally.
What are Covenant C2 servers, and how do they relate to DNS attacks?
Covenant C2 servers control malware remotely, and attackers have hidden commands for these servers inside DNS TXT records.
Can regular antivirus detect malware hidden in DNS?
Most antivirus tools do not inspect DNS queries deeply enough to detect malware hidden in DNS records.
Why do attackers prefer using DNS TXT records?
TXT records can store arbitrary text data, are not usually inspected, and persist on DNS servers until manually removed.
How can organizations detect DNS-based malware delivery?
By deploying DNS monitoring tools that inspect TXT records and flag unusual patterns or oversized DNS queries.
Are DNS attacks part of ransomware campaigns?
Yes, some ransomware gangs use DNS to hide commands, deliver payloads, or exfiltrate stolen data covertly.
What percentage of malware uses DNS in its kill chain?
Studies show about 90% of modern malware uses DNS somewhere in its operation.
What are some real-world examples of malware using DNS blind spots?
Domains like felix.stf.whitetreecollective[.]com were found storing executable files as DNS TXT records.
How does DNS encryption complicate malware detection?
Encrypted DNS prevents security appliances from seeing the content of DNS queries, shielding malicious traffic from inspection.
What are the recommended actions for organizations to prevent DNS-based malware?
Implement DNS monitoring, filtering, encrypted DNS inspection, and block known malicious domains using threat intelligence.
What is a self-decoding JavaScript smuggling technique?
It’s a method where attackers embed obfuscated JavaScript in files or records that decode themselves when triggered in a browser or system.
What file types have been observed hidden in DNS TXT records?
Executable files like malware payloads, PowerShell scripts, and base64-encoded command strings.
Can firewalls block DNS tunneling?
Standard firewalls usually don’t block DNS tunneling unless configured with DNS inspection or specialized threat detection features.
What security controls help against DNS malware delivery?
DNS security solutions, threat intelligence feeds, content disarm and reconstruction (CDR), and deep content inspection technologies.
How do cybercriminals avoid detection when using DNS for malware?
By fragmenting payloads, using encryption, rotating domains, and ensuring queries mimic normal DNS traffic patterns.
What is a DNS kill chain in malware attacks?
It’s the sequence where malware uses DNS for command-and-control, payload delivery, and data exfiltration during an attack lifecycle.
How serious is the threat of DNS-based malware in 2025?
It is considered a major cybersecurity risk, especially with the rise of encrypted DNS traffic and advanced obfuscation techniques.
Why do organizations neglect DNS security?
DNS is often viewed as a simple utility service, so monitoring and security investments focus elsewhere, leaving DNS overlooked.
What industries are most at risk from DNS blind spot exploitation?
Any organization using large-scale IT infrastructure, especially finance, healthcare, SaaS providers, and government agencies.
What role does geofencing play in DNS-based malware delivery?
Attackers use geofencing to show benign responses to non-target regions, avoiding sandbox detections during security research.
What is a DNS TXT record, in simple terms?
It’s a type of DNS record that stores text information about a domain, which can be abused by hackers to hide data.
How can smaller businesses protect against DNS blind spot attacks?
Use DNS filtering services, monitor logs for unusual queries, and educate staff about new malware delivery methods.
Can DNS-based malware impact mobile devices?
Yes, especially if mobile apps rely on DNS queries that aren't monitored, allowing silent command-and-control communication.