Cybercriminals have found a clever new method of delivering malware—by exploiting one of the internet’s most trusted systems: the Domain Name System (DNS). According to a new report by DomainTools, attackers are now using DNS records to sneak in malware, bypassing firewalls, antivirus software, and email filters with ease.
The technique leverages TXT records, a legitimate but rarely monitored part of DNS, to encode and distribute malicious payloads discreetly. The rise of encrypted DNS protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) only complicates detection further.
How DNS TXT Records Are Being Weaponized
The attack begins with the malware being hex-encoded, turning its binary contents into printable strings of letters and digits. These strings are then split into hundreds of chunks, each placed in the TXT record of a separate subdomain under a domain such as whitetreecollective[.]com.
Once an attacker has a foothold on the target's network, they issue seemingly innocent DNS queries to collect the chunks one by one. The chunks are later reassembled and decoded into a fully functional malware sample, and because the traffic looks like ordinary name resolution, no security alert is triggered.
The malware in question includes samples like Joke Screenmate, a payload known for stealth and persistence. What makes this method dangerous is its reliance on a commonly trusted, yet poorly monitored protocol.
Encrypted DNS Makes Detection Harder
While DNS encryption via DoH and DoT is good for user privacy, it also deprives network security tools of visibility. Unless an organization runs its own DNS resolvers and inspects the queries passing through them, it becomes extremely difficult to see or block these stealthy DNS requests.
Ian Campbell, Senior Security Operations Engineer at DomainTools, warns that “even well-equipped organizations struggle to identify malicious DNS activity due to the opaque nature of encrypted requests.”
This blind spot is now being exploited not only for malware delivery but also for prompt injection attacks, in which TXT records are loaded with text crafted to manipulate chatbots and language models that read DNS data.
How to Protect Against DNS-Based Malware
Cybersecurity teams must now rethink DNS as a potential attack vector. Here’s how to defend against these stealthy threats:
1. Monitor DNS Traffic Proactively
- Watch for unusual patterns such as a high volume of TXT lookups from one host, or bursts of queries for many distinct subdomains under a single domain.
- Alert on DNS queries that look programmatic, for example sequentially numbered subdomains or TXT answers made up entirely of hex characters.
2. Use Internal DNS Resolvers
- Set up logging and inspection for internal DNS servers.
- Retain query history for forensic analysis.
3. Deploy DNS Firewalls
- Use DNS-based security tools to detect abnormal record lengths, query frequency, or anomalies in DNS behavior.
- Block requests to known malicious domains or questionable public DNS resolvers.
4. Restrict External DNS Access
- Only allow outbound DNS to trusted resolvers.
- Block rogue DNS traffic attempting to bypass corporate controls.
5. Raise Awareness Across Teams
- Train security staff to recognize DNS-layer attacks.
- Educate developers and AI teams on prompt injection vectors via DNS TXT records.
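As an added illustration of the monitoring advice above (this is example code, not part of the DomainTools report), the script below scans resolver query logs for the three signals the technique leaves behind: many TXT lookups from one client, many distinct subdomains under one parent zone, and TXT answers that are nothing but hex. The log format, thresholds and sample lines are all constructed for the example and should be adapted to your resolver's actual log layout and baseline.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "client qname qtype rdata".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A 93.184.216.34
10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=reject"
10.0.0.7 0.pkg.example-lab.test TXT "0123456789abcdef0123456789abcdef01234567"
10.0.0.7 1.pkg.example-lab.test TXT "89abcdef0123456789abcdef0123456789abcdef"
10.0.0.7 2.pkg.example-lab.test TXT "fedcba9876543210fedcba9876543210fedcba98"
10.0.0.7 3.pkg.example-lab.test TXT "76543210fedcba9876543210fedcba9876543210"
"""

HEX_BLOB = re.compile(r"[0-9a-fA-F]{32,}")  # long, purely hexadecimal answer
TXT_PER_CLIENT_LIMIT = 3       # constructed threshold; tune to your baseline
SUBDOMAINS_PER_ZONE_LIMIT = 3  # distinct names queried under one parent zone

def parse_log(text):
    """Yield (client, qname, qtype, rdata) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            client, qname, qtype, rdata = parts
            yield client, qname.lower().rstrip("."), qtype.upper(), rdata.strip('"')

def parent_zone(qname):
    """Last two labels, e.g. '0.pkg.example-lab.test' -> 'example-lab.test'."""
    return ".".join(qname.split(".")[-2:])

def find_txt_chunking(text):
    """Return (client, signal, count) findings for TXT-based payload retrieval."""
    txt_count = defaultdict(int)
    zone_names = defaultdict(set)
    hex_answers = defaultdict(int)
    for client, qname, qtype, rdata in parse_log(text):
        if qtype != "TXT":
            continue
        txt_count[client] += 1
        zone_names[(client, parent_zone(qname))].add(qname)
        if HEX_BLOB.fullmatch(rdata):
            hex_answers[client] += 1
    findings = []
    for client, n in txt_count.items():
        if n > TXT_PER_CLIENT_LIMIT:
            findings.append((client, "excessive_txt_queries", n))
    for (client, zone), names in zone_names.items():
        if len(names) > SUBDOMAINS_PER_ZONE_LIMIT:
            findings.append((client, "many_txt_subdomains:" + zone, len(names)))
    for client, n in hex_answers.items():
        if n:
            findings.append((client, "hex_like_txt_answers", n))
    return sorted(findings)
```

Any single signal can have a benign cause (SPF and DKIM records are legitimate TXT lookups), so treat a client that trips two or three of them together as the high-confidence case.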
Conclusion
The use of DNS records to sneak in malware is a stark reminder that even foundational internet systems can be abused. By encoding malicious payloads in DNS TXT records and hiding behind encrypted protocols, attackers are slipping past traditional defenses unnoticed.
Organizations must adopt a DNS-aware security posture, implementing modern tools, traffic visibility, and user education to mitigate this emerging threat.