Detour Dog DNS Malware Delivers Strela Stealer

CYBERDUDEBIVASH

THREAT ANALYSIS: Detour Dog DNS Malware Delivers Strela Stealer to Steal Email Credentials

By CyberDudeBivash • October 02, 2025, 08:31 AM IST • Malware Analysis & Threat Report

Threat actors keep refining malware delivery to make it more resilient and evasive. We are tracking a new delivery campaign, which we have dubbed **"Detour Dog,"** that uses a DNS-based technique to deliver the **Strela** information stealer. The campaign is built to steal email credentials from desktop clients such as Outlook and Thunderbird, handing attackers the keys to an organization's most sensitive communications. By using DNS TXT records as a lightweight, easily updated redirection service, the Detour Dog dropper decouples itself from its final payload, which makes the campaign much harder to take down. This is our deep-dive analysis of the attack chain, the Strela payload, and the defensive measures needed to counter it.

Disclosure: This is a technical threat intelligence report for SOC analysts, threat hunters, and security professionals. It contains affiliate links to relevant security solutions and training. Your support helps fund our independent research.

    Recommended by CyberDudeBivash — The Anti-Infostealer Stack  

  • Kaspersky EDR/XDR — The critical technical control to detect the behavioral TTPs of both the dropper and the Strela stealer.
  • YubiKey for Email Accounts — Renders the stolen passwords useless with phishing-proof MFA.

 Suspect a Compromise? Need Malware Analysis? 
Hire CyberDudeBivash for corporate incident response and threat hunting.

 Threat Report: Table of Contents 

  1. Chapter 1: The ‘Detour’ — Using DNS as a C2 Redirector
  2. Chapter 2: The Payload — A Deep Dive into the Strela Email Stealer
  3. Chapter 3: The Full Attack Chain in Action
  4. Chapter 4: The Defender’s Playbook — Hunting & Mitigation
  5. Chapter 5: Strategic Summary & Indicators of Compromise (IOCs)

Chapter 1: The ‘Detour’ — Using DNS as a C2 Redirector

The initial dropper in this campaign, Detour Dog, is lightweight and has one primary function: to find and execute the next stage of the attack. To make their infrastructure more resilient, the attackers do not hardcode the location of their main payload into this dropper.

Instead, the dropper queries the TXT record of an attacker-controlled domain (`payload-locator.com` is a placeholder name used throughout this report). A TXT record is a free-form text field in a zone, so it can hold an arbitrary string such as the URL where the Strela payload currently lives. Queried with `nslookup`, the record looks like this (URL de-fanged):

nslookup -q=TXT payload-locator.com
payload-locator.com    text = "hXXps://some-compromised-site.com/updates/main.dat"

Resolvers cache the answer for the record's TTL, so a relocation only reaches bots once the old answer expires; a short TTL is the natural choice for a record used this way.

This “detour” technique is clever for two reasons:

  1. **Resilience:** If the `main.dat` payload on the compromised site is discovered and taken down, the attackers can simply upload it to a new location and update the DNS TXT record. Their existing infected bots will automatically find the new location on their next check-in.
  2. **Evasion:** A single DNS TXT query blends into ordinary network noise for basic security tools and spares the dropper a direct first connection to a suspicious domain. It is a stealthier way of retrieving the C2 instruction than a hardcoded URL, and a much simpler cousin of full **DNS Tunneling**, which carries the payload itself inside DNS traffic. The flip side, covered in Chapter 4, is that end-user workstations rarely issue TXT queries at all (browsers and the OS resolver overwhelmingly ask for A/AAAA records), so the query is distinctive once DNS is logged per process.
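The "detour" lookup at the wire level, as an added example that is not code from the campaign or from this report: it builds the TXT query, parses the answer the way a minimal dropper (or a network sensor) would, and re-joins the 255-byte character-strings that a long URL is split into, which is the detail a naive parser gets wrong. The domain and URL are the placeholders used above; `build_txt_response` only fabricates a response so the block runs offline, and `find_locator_urls` is the detection heuristic a sensor would apply to TXT answers.

```python
"""Added example (not the campaign's or the report's code): DNS TXT query and
answer at the wire level. Domain and URL are placeholders from the report."""
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    """Encode a domain name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_txt_query(name, txid=0x1234):
    """Header: id, flags (RD set), 1 question, 0 answers/authority/additional."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_txt_answers(msg):
    """Return the TXT strings in a response, each re-joined from its chunks."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the question section
        _, off = decode_name(msg, off)
        off += 4                        # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        # TXT RDATA is a sequence of <len><chars> strings, each at most 255
        # bytes; a long URL spans several and must be concatenated.
        parts, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
            i += 1 + n
        answers.append("".join(parts))
    return answers


def txt_rdata(text):
    """Split text into <=255-byte character-strings, as a server would."""
    raw = text.encode()
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)]
    return b"".join(struct.pack("B", len(c)) + c for c in chunks)


def build_txt_response(query, texts, ttl=60):
    """Constructed response to `query` carrying one TXT RR per entry in `texts`."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(texts), 0, 0)
    answers = b""
    for t in texts:
        rdata = txt_rdata(t)
        # 0xC00C = pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def find_locator_urls(texts):
    """Detection heuristic: TXT strings that start with a URL scheme (live or
    de-fanged) are the 'detour' pattern; SPF/DKIM/verification records are not."""
    return [t for t in texts if t.lower().startswith(("http://", "https://", "hxxp://", "hxxps://"))]


if __name__ == "__main__":
    q = build_txt_query("payload-locator.com")
    r = build_txt_response(q, ["hxxps://some-compromised-site.com/updates/main.dat", "v=spf1 -all"])
    print(parse_txt_answers(r), find_locator_urls(parse_txt_answers(r)))
```

A real dropper sends `build_txt_query` output over UDP/53 (or DoH) and feeds the reply to `parse_txt_answers`; a sensor on the resolver path can run `find_locator_urls` over every TXT answer it sees and alert on the URL-bearing ones.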

Chapter 2: The Payload — A Deep Dive into the Strela Email Stealer

The final payload delivered by Detour Dog is the Strela infostealer. Unlike broad-spectrum stealers, Strela is a specialist with a single, clear objective: **to steal email credentials from desktop clients.**

Strela’s Modus Operandi:

  • **Targeting:** It specifically looks for installations of Microsoft Outlook and Mozilla Thunderbird.
  • **Data Harvesting:** The malware knows exactly where each client keeps its account configuration and saved credentials, and reads those locations directly rather than the mailbox data files (`.pst`/`.ost` hold mail, not server passwords):
    • Thunderbird: `%APPDATA%\Thunderbird\profiles.ini` to locate the profile directories, then `logins.json` (saved logins, NSS-encrypted) and `key4.db` (the key database needed to decrypt them) from each profile.
    • Outlook: the profile keys under `HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles\`, which hold the IMAP/POP3/SMTP server names, user names and DPAPI-protected passwords of each configured account.
    From these it extracts:
    • Email addresses
    • Usernames
    • Passwords (Outlook's DPAPI blobs decrypt on the victim machine under the victim's own user context; Thunderbird's decrypt offline with `key4.db` unless the user has set a master password)
    • Incoming and outgoing mail server hostnames (IMAP/POP3/SMTP)
  • **Exfiltration:** Once collected, Strela bundles and obfuscates the data and sends it over HTTP to a hardcoded C2 server, delivering the credentials directly to the attacker.
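What the Thunderbird side of that harvest actually touches, as an added audit script that is not Strela's code or this report's: it walks `profiles.ini` to the profile directories, reads `logins.json`, and reports which accounts are exposed and whether `key4.db` sits beside it (the combination that decrypts offline when no master password is set). The profile tree, server names and the truncated `encrypted*` blobs are constructed sample data written to a temporary directory; the file formats are Thunderbird's own.

```python
"""Added example (not Strela's or the report's code): inventory a Thunderbird
credential store the way an audit, or a stealer, has to locate it.
Sample files below are constructed; server names are placeholders."""
import configparser
import json
import tempfile
from pathlib import Path

# Constructed profiles.ini in the format Thunderbird writes under %APPDATA%\Thunderbird
SAMPLE_PROFILES_INI = """[Profile0]
Name=default-release
IsRelative=1
Path=Profiles/abcd1234.default-release
Default=1

[Profile1]
Name=old
IsRelative=1
Path=Profiles/zz99.old
"""

# Constructed logins.json; in a real file the encrypted* values are NSS blobs
SAMPLE_LOGINS_JSON = {
    "nextId": 3,
    "logins": [
        {"id": 1, "hostname": "imap://mail.example.com", "httpRealm": "imap://mail.example.com",
         "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEw...", "encryptedPassword": "MEIEEPgAAAAAAAAAAAAAAAAAAAEw...",
         "encType": 1},
        {"id": 2, "hostname": "smtp://smtp.example.com", "httpRealm": "smtp://smtp.example.com",
         "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEw...", "encryptedPassword": "MEIEEPgAAAAAAAAAAAAAAAAAAAEw...",
         "encType": 1},
    ],
    "version": 3,
}


def find_profiles(tb_root):
    """Parse profiles.ini and return [{name, dir, default}] for each [ProfileN] section."""
    cfg = configparser.ConfigParser()
    cfg.read(tb_root / "profiles.ini")
    profiles = []
    for section in cfg.sections():
        if not section.startswith("Profile"):
            continue  # [General], [Install...] carry no profile path
        path = cfg.get(section, "Path")
        relative = cfg.getint(section, "IsRelative", fallback=1) == 1
        profiles.append({
            "name": cfg.get(section, "Name", fallback=section),
            "dir": tb_root / path if relative else Path(path),
            "default": cfg.getboolean(section, "Default", fallback=False),
        })
    return profiles


def inventory_profile(profile_dir):
    """Report the mail accounts a profile's logins.json exposes."""
    logins_file, key4 = profile_dir / "logins.json", profile_dir / "key4.db"
    accounts = []
    if logins_file.exists():
        for entry in json.loads(logins_file.read_text()).get("logins", []):
            scheme, _, server = entry.get("hostname", "").partition("://")
            accounts.append({
                "protocol": scheme.upper(),            # IMAP / SMTP / POP3
                "server": server,
                "nss_encrypted": entry.get("encType") == 1,  # keyed by key4.db
            })
    return {
        "profile": profile_dir.name,
        "accounts": accounts,
        "key4_present": key4.exists(),
        # logins.json alone is ciphertext; copied together with key4.db it
        # decrypts offline unless a master (primary) password was set.
        "decryptable_offline_without_master_password": bool(accounts) and key4.exists(),
    }


def audit(tb_root):
    return [inventory_profile(p["dir"]) for p in find_profiles(tb_root)]


def build_sample_tree():
    """Write the constructed Thunderbird tree to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp()) / "Thunderbird"
    root.mkdir()
    (root / "profiles.ini").write_text(SAMPLE_PROFILES_INI)
    default = root / "Profiles" / "abcd1234.default-release"
    default.mkdir(parents=True)
    (default / "logins.json").write_text(json.dumps(SAMPLE_LOGINS_JSON))
    (default / "key4.db").write_bytes(b"")      # stand-in for the NSS key database
    (root / "Profiles" / "zz99.old").mkdir()    # profile with nothing saved
    return root


if __name__ == "__main__":
    for report in audit(build_sample_tree()):
        print(report)
```

Run against a real `%APPDATA%\Thunderbird` by passing that path to `audit`; any account flagged `decryptable_offline_without_master_password` is one whose password leaves with a two-file copy, which is the argument for a master password and, more importantly, for MFA on the mail account itself.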

Chapter 3: The Full Attack Chain in Action

From the victim’s perspective, this is a classic **single-click attack chain**.

  1. **Initial Access:** An employee receives a spear-phishing email containing a lure relevant to their job (e.g., “Updated Shipping Invoice”). The email has a ZIP attachment.
  2. **Execution:** The ZIP contains a malicious LNK or ISO file. The user opens it, which executes the Detour Dog dropper script.
  3. **C2 Resolution:** The Detour Dog script performs a DNS TXT query to find the URL of the Strela payload.
  4. **Payload Delivery:** The script downloads and executes the Strela stealer, often using fileless techniques to inject it into memory.
  5. **Impact:** Strela runs, steals the user's configured Outlook or Thunderbird credentials, and exfiltrates them. Unless the account is protected by phishing-resistant MFA, the attacker now has full access to the employee's corporate email account, and to any other service where the same password was reused.

Chapter 4: The Defender’s Playbook — Hunting & Mitigation

Detecting this multi-stage, evasive attack requires moving beyond signatures and focusing on behavior.

Step 1: Harden the Perimeter

  • **Email Security:** Configure your email gateway to block or quarantine suspicious attachment types like ISO, LNK, and password-protected ZIP files.
  • **DNS Monitoring:** TXT queries from end-user workstations are uncommon (SPF and DMARC lookups are made by mail servers, not desktops), so DNS query logs that record the query type can surface this stage; per-process DNS telemetry from Sysmon (Event ID 22) or your EDR lets you attribute the query to the originating process rather than just the host.

Step 2: Hunt on the Endpoint (EDR is Critical)

The endpoint is where this attack can be most reliably detected. Your **SOC analysts** should be hunting for the following TTPs with your EDR:

  • A process spawned from an LNK or a mounted ISO file (typically a script host such as `powershell.exe`, `cscript.exe` or `wscript.exe` with `explorer.exe` or `OUTLOOK.EXE` as its parent) that then makes a network connection.
  • Any non-browser process (especially `powershell.exe` or `cscript.exe`) that performs a DNS query for a TXT record and, within a short window, initiates an HTTP(S) download.
  • Any process other than the mail client itself reading Thunderbird's `%APPDATA%\Thunderbird\Profiles\*\logins.json` or `key4.db`, querying the Outlook profile keys under `HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles\`, or more generally touching `%APPDATA%\Microsoft\Outlook` or `%APPDATA%\Thunderbird\Profiles`.
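The three hunts above chained into one per-process score, as an added example that is not part of the original report: events are replayed in time order, the TXT lookup arms a short window in which a following HTTP(S) connection by the same process counts as the payload fetch, and reads of the Outlook or Thunderbird credential stores by anything but the mail client count on their own. The events are constructed inline in Sysmon's field names for Event IDs 1, 22 and 3; the `QueryType` field and the `FileAccess` event are assumed EDR telemetry (Sysmon does not record file reads or the query type), and the thresholds are illustrative.

```python
"""Added example (not the report's or any vendor's code): score a process
against the Detour Dog / Strela TTPs from Sysmon-style events.
Events are constructed; QueryType and FileAccess are assumed EDR fields."""
import re
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
LAUNCHERS = {"explorer.exe", "outlook.exe"}   # where a click on an LNK/ISO lands
CRED_STORES = re.compile(
    r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"
    r"|\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.IGNORECASE)
ALERT_THRESHOLD = 5          # illustrative: launch(1)+TXT(2)+download(3) or TXT+cred read
TXT_TO_DOWNLOAD_WINDOW = 120  # seconds between TXT answer and payload fetch

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TB_LOGINS = r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\abcd1234.default-release\logins.json"

# Constructed sample telemetry: one malicious chain (G1) plus benign noise (G2-G4)
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-10-02 08:31:00.000", "ProcessGuid": "G1", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c <dropper>"},
    {"EventID": 22, "UtcTime": "2025-10-02 08:31:02.000", "ProcessGuid": "G1", "Image": PS,
     "QueryName": "payload-locator.com", "QueryType": "TXT"},
    {"EventID": 3, "UtcTime": "2025-10-02 08:31:05.000", "ProcessGuid": "G1", "Image": PS,
     "DestinationHostname": "some-compromised-site.com", "DestinationPort": 443},
    {"EventID": "FileAccess", "UtcTime": "2025-10-02 08:31:09.000", "ProcessGuid": "G1", "Image": PS,
     "TargetFilename": TB_LOGINS},
    {"EventID": 22, "UtcTime": "2025-10-02 08:30:50.000", "ProcessGuid": "G2",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com", "QueryType": "A"},
    {"EventID": 3, "UtcTime": "2025-10-02 08:30:55.000", "ProcessGuid": "G3",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "outlook.office365.com", "DestinationPort": 443},
    {"EventID": "FileAccess", "UtcTime": "2025-10-02 08:30:58.000", "ProcessGuid": "G4",
     "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "TargetFilename": TB_LOGINS},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def when(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def score_events(events):
    """Return {ProcessGuid: {image, score, reasons, txt_at}} after a time-ordered replay."""
    state = defaultdict(lambda: {"image": None, "score": 0, "reasons": [], "txt_at": None})
    for ev in sorted(events, key=when):
        s = state[ev["ProcessGuid"]]
        img = basename(ev["Image"])
        s["image"] = img
        eid = ev["EventID"]
        if eid == 1 and img in SCRIPT_HOSTS and basename(ev["ParentImage"]) in LAUNCHERS:
            s["score"] += 1
            s["reasons"].append(f"{img} spawned by {basename(ev['ParentImage'])} (attachment opened)")
        elif eid == 22 and ev.get("QueryType") == "TXT" and img not in BROWSERS:
            s["score"] += 2
            s["txt_at"] = when(ev)   # arms the download window
            s["reasons"].append(f"TXT lookup of {ev['QueryName']} by {img}")
        elif (eid == 3 and s["txt_at"] is not None and ev.get("DestinationPort") in (80, 443)
              and (when(ev) - s["txt_at"]).total_seconds() <= TXT_TO_DOWNLOAD_WINDOW):
            s["score"] += 3
            s["reasons"].append(f"HTTP(S) to {ev['DestinationHostname']} within {TXT_TO_DOWNLOAD_WINDOW}s of TXT lookup")
        elif eid == "FileAccess" and img not in MAIL_CLIENTS and CRED_STORES.search(ev["TargetFilename"]):
            s["score"] += 3
            s["reasons"].append(f"{img} read mail credential store {ev['TargetFilename']}")
    return dict(state)


def alerts(events):
    """ProcessGuids whose accumulated score crosses the alert threshold."""
    return [guid for guid, s in score_events(events).items() if s["score"] >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for guid in alerts(SAMPLE_EVENTS):
        s = score_events(SAMPLE_EVENTS)[guid]
        print(guid, s["image"], s["score"], *s["reasons"], sep="\n  ")
```

The same logic ports directly to a SIEM correlation rule: key on the process identifier, sequence TXT lookup then outbound HTTP(S) within the window, and treat any non-mail-client read of the credential stores as a standalone high-severity hit.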

👉 This is a textbook scenario where traditional AV fails. The initial dropper is not the final threat, and its behavior is what gives it away. An **EDR solution** is your non-negotiable defense. A platform like **Kaspersky EDR** provides the deep visibility and behavioral analysis needed to spot this chain at every stage.


Chapter 5: Strategic Summary & Indicators of Compromise (IOCs)

The Detour Dog campaign is a clear example of how attackers are making their infrastructure more resilient and their payloads more specialized. By using DNS for redirection and focusing on a single high-value data type—email credentials—the attackers increase their chances of success. Defenders must respond by adopting tools and techniques that provide visibility into behavior across both the network and the endpoint.

Indicators of Compromise (IOCs)

Security teams should hunt for the following patterns and artifacts:

  • **File Hashes (SHA-256):** the values below are placeholder patterns that show the IOC format; they are not hashes of recovered samples and must not be loaded into blocklists. Substitute the hashes from your own sandbox or EDR detonation.
    • Detour Dog Dropper (LNK): `3b3c3d3e3f4a4b4c4d4e4f5a5b5c5d6e6f7a7b8c8d9e9f0a0b0c0d1e1f2a2b3c` (placeholder)
    • Strela Stealer (DLL): `7d7e7f8a8b8c8d9e9f0a0b0c0d1e1f2a2b3c4d5e6f7a7b8c8d9e9f0a0b0c0d1e` (placeholder)
  • **DNS Query Domains:** `c2-locator.com`, `update-cdn-service.net` (placeholders, like `payload-locator.com` in Chapter 1; hunt for TXT queries from script hosts to low-reputation or newly registered domains rather than for these names).
  • **Behavioral TTPs:** a script host spawned by `explorer.exe` or `OUTLOOK.EXE` from an attachment, followed by a TXT query and an HTTP download from the same process; a process other than the mail client reading the Outlook or Thunderbird credential stores listed in Chapter 4.

🔒 Secure Your Enterprise with CyberDudeBivash

  • APT Threat Intelligence & Briefings
  • Malware Analysis & Reverse Engineering
  • Corporate Incident Response & Threat Hunting

Contact Us Today|🌐 cyberdudebivash.com

About the Author

CyberDudeBivash is a cybersecurity strategist and researcher with over 15 years of experience in malware analysis, APT tracking, and incident response. He provides strategic advisory services to CISOs and boards across the APAC region. [Last Updated: October 02, 2025]

  #CyberDudeBivash #Malware #Strela #Infostealer #DNS #Phishing #CyberSecurity #ThreatIntel #InfoSec #EDR
