- Total News Sources
- 1
- Left
- 1
- Center
- 0
- Right
- 0
- Unrated
- 0
- Last Updated
- 12 hours ago
- Bias Distribution
- 100% Left


Hackers Exploit DNS Records to Hide Malware, Evade Defenses
Cybercriminals are increasingly exploiting the Domain Name System (DNS) to hide and deliver malware, leveraging its trusted but often overlooked infrastructure to bypass traditional security measures. Researchers at DomainTools and others have discovered that attackers encode malware, such as the Joke Screenmate strain, into hexadecimal chunks stored in DNS TXT records across subdomains. The chunks can then be retrieved and reassembled via seemingly normal DNS queries without triggering alerts. Detection is further complicated by the adoption of encrypted DNS protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which shield malicious DNS traffic from security monitoring tools.

Attackers also use DNS tunneling to conduct command-and-control operations and data exfiltration by encoding instructions and stolen data within various DNS record types, including A, AAAA, TXT, and CNAME records. These methods let malware communication blend in with legitimate DNS traffic, making detection difficult even for organizations with internal DNS resolvers and advanced security setups. The misuse of DNS in this way represents a new frontier for cyber threats, with implications extending to malware delivery, AI-related prompt injections, and stealthy command execution.
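A defender-side sketch of how the TXT-record staging described above can be surfaced in resolver or passive-DNS logs (an added example, not code from DomainTools or the original article): it flags zones where several subdomains return long hex-only TXT values. The thresholds, the two-label zone grouping, the `MZ` (PE header) check and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (qname, TXT rdata) pairs; not real observations.
SAMPLE_TXT_ANSWERS = [
    ("0.files.example.test", "4d5a90000300000004000000ffff0000" * 4),
    ("1.files.example.test", "b8000000000000004000000000000000" * 4),
    ("2.files.example.test", "0e1fba0e00b409cd21b8014ccd215468" * 4),
    ("_dmarc.corp.example", "v=DMARC1; p=reject; rua=mailto:d@corp.example"),
    ("corp.example", "v=spf1 include:_spf.corp.example -all"),
    ("sel1._domainkey.corp.example", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"),
]

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 64   # assumed: shorter hex strings are common in benign records
MIN_CHUNKS = 3     # assumed: distinct subdomains needed before a zone is flagged

def parent_zone(qname, labels=2):
    """Group by the last `labels` labels (simplification: no public suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def is_hex_chunk(txt):
    """True for long TXT values made only of hex digits with an even length."""
    return (len(txt) >= MIN_HEX_LEN and len(txt) % 2 == 0
            and HEX_ONLY.match(txt) is not None)

def find_hex_staging(records):
    """Return one finding per zone whose subdomains serve many hex-only TXT chunks."""
    by_zone = defaultdict(dict)
    for qname, txt in records:
        if is_hex_chunk(txt):
            by_zone[parent_zone(qname)][qname.lower()] = txt
    findings = []
    for zone, chunks in sorted(by_zone.items()):
        if len(chunks) < MIN_CHUNKS:
            continue
        findings.append({
            "zone": zone,
            "subdomains": len(chunks),
            "hex_bytes": sum(len(t) // 2 for t in chunks.values()),
            # "4d5a" is hex for "MZ", the first two bytes of a Windows executable
            "pe_header_seen": any(t.lower().startswith("4d5a") for t in chunks.values()),
        })
    return findings

if __name__ == "__main__":
    for finding in find_hex_staging(SAMPLE_TXT_ANSWERS):
        print(finding)
```

The check needs the cleartext TXT answers, so it belongs on the internal resolver or a passive-DNS feed; clients that resolve over DoH or DoT to an external service bypass it.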
