Hackers are increasingly turning to one of the internet’s most trusted and overlooked systems to deliver malware: DNS, the Domain Name System.
Researchers at DomainTools recently discovered that attackers are using DNS TXT records to hide malicious code, taking advantage of this often-overlooked channel to bypass traditional security measures like antivirus software, email filters, and firewalls.
The malware involved, including a strain called Joke Screenmate, is encoded in such a way that it can be quietly smuggled into a network without raising any red flags.
How the Attack Works
The malware is first converted from binary into hexadecimal, essentially translating the file into a string of numbers and letters. This hex code is then broken into hundreds of small chunks.
Each part is placed in the TXT record of a separate subdomain under a domain like whitetreecollective[.]com.
Once an attacker gains even limited access to a network, they can send seemingly normal DNS queries to pull these chunks back one by one. The chunks are then reassembled and decoded back into a functional piece of malware, all without triggering common security alerts.
The brilliance of this approach is its use of a commonly trusted and poorly monitored protocol. The situation is worsened by the growing adoption of encrypted DNS protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which protect user privacy by encrypting DNS requests.
However, this same encryption also shields malicious queries from security tools, making detection even harder unless the organization manages its own DNS resolvers with deep packet inspection capabilities.
Ian Campbell, senior security operations engineer at DomainTools, explained that even well-equipped organizations struggle to identify malicious DNS activity. Since the content of DNS requests is often hidden, many threats go undetected.
In addition to malware, researchers also discovered that attackers are using DNS TXT records to store harmful prompt injection text, crafted to manipulate AI chatbots and language models into performing unauthorized or unintended tasks.
How to Defend Yourself Against DNS-Based Attacks
To stay ahead of these advanced tactics, security teams must rethink their approach to DNS. Here are a few steps organizations can take:
- Monitor DNS traffic regularly, especially for unusual subdomain lookups or large volumes of TXT record requests.
- Use internal DNS resolvers with logging and inspection capabilities to retain visibility into queries.
- Deploy DNS firewalls or security tools that can detect and block suspicious patterns, like unusually long TXT records.
- Limit external DNS access by restricting outbound DNS queries to known, trusted resolvers.
- Educate teams on emerging threats, including DNS-based malware delivery and AI prompt injection exploits.
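The pattern described above (hundreds of TXT lookups for sibling subdomains, each answer a long run of hex) is visible in resolver logs if you keep them, which is the point of the first three steps. As an added example that is not part of the article or the DomainTools research, the Python script below runs two simple checks over constructed resolver log lines: it counts how many distinct subdomains under one parent domain a single client has queried for TXT records, and it flags TXT answers that are long and consist only of hex digits. The log format, the domain example-staging.test, the client addresses and the thresholds are all assumptions made for the example; in production the thresholds would be tuned to your baseline and the parent-domain split should use the Public Suffix List rather than the last two labels.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<timestamp> <client_ip> <qname> <qtype> <rdata...>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.org A 93.184.216.34
2024-01-01T10:00:02 10.0.0.5 example.org TXT v=spf1 include:_spf.example.org ~all
2024-01-01T10:00:02 10.0.0.5 _verify.example.org TXT a1b2c3d4
2024-01-01T10:00:03 10.0.0.7 000.stage.example-staging.test TXT deadbeef00112233445566778899aabbccddeeff0123456789abcdef0a0b0c0d
2024-01-01T10:00:03 10.0.0.7 001.stage.example-staging.test TXT ffeeddccbbaa99887766554433221100fedcba9876543210a1b2c3d4e5f60718
2024-01-01T10:00:04 10.0.0.7 002.stage.example-staging.test TXT 111122223333444455556666777788889999aaaabbbbccccddddeeeeffff0000
2024-01-01T10:00:04 10.0.0.7 003.stage.example-staging.test TXT cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_line(line):
    """Split one log line into a record; returns None for blank/short lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, client, qname, qtype = parts[:4]
    rdata = parts[4] if len(parts) == 5 else ""
    return {
        "ts": ts,
        "client": client,
        "qname": qname.lower().rstrip("."),
        "qtype": qtype.upper(),
        "rdata": rdata,
    }


def parent_domain(qname, labels=2):
    """Approximate the registrable domain by keeping the last two labels.
    Assumption for the example; real deployments should use the Public Suffix List."""
    return ".".join(qname.split(".")[-labels:])


def looks_like_hex_payload(rdata, min_len=40):
    """True when a TXT answer is long and made only of hex digits.
    Short hex tokens (domain-verification strings) stay below min_len."""
    return len(rdata) >= min_len and HEX_RE.match(rdata) is not None


def analyze(log_text, subdomain_threshold=3, min_hex_len=40):
    """Return a list of findings from two rules:
    txt_subdomain_fanout: one client asked TXT for many subdomains of one parent
    hex_txt_payload:      a TXT answer looks like a hex-encoded binary chunk
    Thresholds are assumptions for the constructed sample, not recommended values."""
    txt_subdomains = defaultdict(set)  # (client, parent) -> distinct qnames
    hex_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        parent = parent_domain(rec["qname"])
        txt_subdomains[(rec["client"], parent)].add(rec["qname"])
        if looks_like_hex_payload(rec["rdata"], min_hex_len):
            hex_hits.append(rec)

    findings = []
    for (client, parent), names in sorted(txt_subdomains.items()):
        if len(names) >= subdomain_threshold:
            findings.append({"rule": "txt_subdomain_fanout", "client": client,
                             "parent": parent, "count": len(names)})
    for rec in hex_hits:
        findings.append({"rule": "hex_txt_payload", "client": rec["client"],
                         "qname": rec["qname"], "length": len(rec["rdata"])})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the SPF record and the short verification token produce nothing, while client 10.0.0.7 trips both rules: four sibling subdomains under example-staging.test queried for TXT, each answer a 64-character hex string. Because the lookups here were logged by the organization's own resolver, the check still works for clients that would otherwise have hidden the queries behind DoH or DoT, which is why steps two and four in the list above matter.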