Hackers hide malware using DNS TXT records
New research reveals that attackers are hiding both malware and AI prompt injection attacks in DNS records, exploiting a system that is often trusted but rarely monitored by organisations.
Hackers are increasingly exploiting DNS records to deliver malware undetected, according to new research from DomainTools.
Instead of relying on typical delivery methods such as emails or downloads, attackers now hide malicious code within DNS TXT records, part of the Domain Name System, often overlooked by security systems.
The method involves converting malware into hexadecimal code, splitting it into small segments, and storing each chunk in the TXT record of subdomains under domains like whitetreecollective.com.
Once attackers gain limited access to a network, they retrieve these chunks via ordinary-looking DNS queries, reassembling them into functioning malware without triggering antivirus or firewall alerts.
The rising use of encrypted DNS protocols like DNS-over-HTTPS and DNS-over-TLS makes detecting such queries harder, especially without in-house DNS resolvers equipped for deep inspection.
Researchers also noted that attackers are using DNS TXT records for malware and embedding harmful text designed to manipulate AI systems through prompt injection.
Ian Campbell of DomainTools warns that even organisations with strong security measures struggle to detect such DNS-based threats due to the hidden nature of the traffic.
Instead of focusing solely on traditional defences, organisations are advised to monitor DNS traffic closely, log and inspect queries through internal resolvers, and restrict DNS access to trusted sources. Educating teams on these emerging threats remains essential for maintaining robust cybersecurity.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
