WTF?! Security researchers and ethical hackers are uncovering new and unexpected places where malicious code can be hidden within IT infrastructure. Even the seemingly innocuous Domain Name System (DNS) – the foundational naming system for all internet-connected devices – can, in theory, be exploited by clever cybercriminals or state-sponsored attackers. This underlines a growing trend: no part of the digital stack is too mundane to become a vector for sophisticated threats.
Hiding ransomware inside a CPU was strange, but now attackers are going even deeper and spreading their footprint more broadly across networks. In a recent discovery, security researchers revealed that a piece of malware had been embedded directly within the Domain Name System, effectively bypassing nearly all advanced security tools.
Prompted by earlier reports of someone hiding images in DNS records, researchers at DomainTools began scouring DNS TXT records for signs of binary or non-standard data. TXT records, which can store arbitrary text and are often used to verify domain ownership, turned out to be a surprisingly effective covert channel. The DomainTools team found they could encode malware samples into these records by converting executable binaries into hexadecimal strings.
Digging deeper, the researchers searched for known “magic bytes” – identifiers used in various executable file headers. They found multiple instances of a familiar .exe header embedded across different subdomains belonging to the same domain, each one containing distinct TXT record values. In total, hundreds of subdomains appeared to be participating in this strange and stealthy malware distribution scheme.
DomainTools analysts suspect that the attacker broke a malicious binary file into hundreds of hexadecimal-encoded fragments, each stored in a different DNS subdomain. According to the researchers, the adversary then used a generative AI service to rapidly generate a script capable of reassembling the fragments. Once reconstructed, the binary matched two known SHA-256 hashes of Joke Screenmate, a prank malware that mimics destructive behavior and can interfere with normal system functions and user control.
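The two signals described above, hex-only TXT values and known executable magic bytes at the start of a decoded fragment, are straightforward to hunt for in passive-DNS or zone data. The script below is an added example written for this article, not DomainTools' tooling: it runs over a small, constructed set of TXT records (the domain names and hex values are made up, though the hex mirrors a standard DOS stub), flags values that decode to bytes beginning with an executable header, flags any long hex-only value even without a header (only the first fragment of a split binary will carry one), and counts how many distinct names under each domain hold hex data, which is the "hundreds of subdomains" pattern the researchers saw. The `MIN_HEX_LEN` threshold and the naive registered-domain split are assumptions to tune for real data.

```python
import re
from collections import defaultdict

# Constructed sample of (name, TXT value) pairs, as a passive-DNS export might provide.
# Names and values are invented for this example.
SAMPLE_TXT_RECORDS = [
    ("example.com", "v=spf1 include:_spf.example.net -all"),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("example.com", "google-site-verification=AbC123dEf456GhI789"),
    # Hex-encoded fragments spread over numbered subdomains; only the first one
    # carries the DOS/PE "MZ" header (0x4d 0x5a) that the researchers searched for.
    ("0.chunks.example.org", "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"),
    ("1.chunks.example.org", "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"),
    ("2.chunks.example.org", "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"),
]

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 32  # assumption: shorter hex strings are usually legitimate tokens or hashes

# Well-known executable / script header bytes.
MAGIC_BYTES = {
    b"MZ": "DOS/PE executable header",
    b"\x7fELF": "ELF executable header",
    b"#!": "script shebang",
}


def classify_txt(value):
    """Return the reasons a TXT value looks like an encoded binary fragment ([] if none)."""
    reasons = []
    v = value.strip().replace(" ", "")
    if len(v) >= MIN_HEX_LEN and len(v) % 2 == 0 and HEX_ONLY.match(v):
        reasons.append("hex-only payload")
        decoded = bytes.fromhex(v)
        for magic, desc in MAGIC_BYTES.items():
            if decoded.startswith(magic):
                reasons.append(f"magic bytes: {desc}")
    return reasons


def registered_domain(name):
    # Naive: keep the last two labels. Production code should use a public-suffix list.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def scan_txt_records(records):
    """Flag suspicious records and count distinct names per domain that carry hex data."""
    findings = []
    hex_names = defaultdict(set)
    for name, value in records:
        reasons = classify_txt(value)
        if reasons:
            findings.append({"name": name, "reasons": reasons})
            hex_names[registered_domain(name)].add(name)
    fragment_counts = {domain: len(names) for domain, names in hex_names.items()}
    return findings, fragment_counts


if __name__ == "__main__":
    findings, counts = scan_txt_records(SAMPLE_TXT_RECORDS)
    for f in findings:
        print(f["name"], "->", ", ".join(f["reasons"]))
    for domain, n in counts.items():
        print(f"{domain}: {n} names with hex-only TXT data")
```

A domain with many sibling names all holding hex-only TXT data, one of them starting with an executable header, is a strong hunting lead; a single hex-only record is weak on its own, since hashes and tokens legitimately appear in TXT, which is why the per-domain count matters more than any one hit.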
But that wasn’t all. Using the same investigative technique, the team also uncovered an encoded PowerShell script embedded in DNS records. This script connected to a command-and-control server linked to the Covenant framework, a legitimate post-exploitation toolkit often repurposed by threat actors. The connection could facilitate the download of additional payloads, making it a potential component of a larger, more sophisticated attack chain.
In an email statement, DomainTools engineer Ian Campbell emphasized the growing risk of DNS-based malware delivery, especially as encryption technologies like DNS over HTTPS and DNS over TLS become more widespread.
“Unless you’re one of those firms doing your own in-network DNS resolution, you can’t even tell what the request is, no less whether it’s normal or suspicious,” Campbell said.
By leveraging these encrypted DNS protocols, cybercriminals can effectively smuggle payloads past most detection systems, making DNS an increasingly attractive vector for stealthy malware distribution.