Hackers Embed Malware in DNS TXT Records

DNS: An Unconventional Malware Storage Medium
Security researchers have uncovered a sophisticated technique in which attackers convert the Internet's ubiquitous Domain Name System (DNS) into a covert file storage and distribution network. By embedding hex-encoded malware fragments inside DNS TXT records, adversaries can deliver payloads without raising alarms in email gateways or web proxies, because the traffic looks like ordinary name resolution.
Detailed Anatomy of the Attack Technique
1. Binary-to-Hexadecimal Encoding
First, a malicious binary (for example, the nuisance strain known as Joke Screenmate) is converted from its native executable format into a continuous hexadecimal string. Hex encoding uses the characters 0-9 and A-F to represent each byte, turning non-printable binary data into plain text at the cost of doubling its size.
2. Chunking and TXT Record Embedding
The hex string is then segmented into hundreds of 63-character chunks. That size sits well under the 255-octet limit of a single TXT character-string; the 63-octet limit in RFC 1035 applies to DNS labels such as the subdomain name, not to TXT data. Each chunk becomes the value of a separate TXT record under a unique, sequentially numbered subdomain of a domain the attacker controls (e.g., chunk001.whitetreecollective[.]com, chunk002.whitetreecollective[.]com, etc.), so the loader can walk the sequence in order.
A single TXT character-string carries up to 255 bytes, a TXT record may hold several such strings, and with EDNS0 a UDP response can reach 4 KB (the common advertised buffer size), so even one record could hold a sizeable portion of a binary. By distributing fragments across many small records, attackers avoid producing the single oversized response that size-based DNS inspection rules would flag.
3. Reassembly and Execution
Once inside a compromised network, a small bootstrap loader issues ordinary TXT queries for each numbered subdomain. Whether over plain UDP port 53 or an encrypted channel such as DNS over HTTPS (DoH) or DNS over TLS (DoT), the loader retrieves each TXT record, concatenates the fragments in order, converts the hex back into binary, and executes the payload in memory without ever writing the assembled file to disk.
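The three steps above, worked end to end as an added example that is not part of the original article or the DomainTools research: a constructed stand-in payload (not a real binary) is hex-encoded, split into 63-character chunks under numbered subdomains of a hypothetical zone (example.test), rendered as BIND-style zone lines, and then reassembled by a loader-side routine. The "resolver" is an in-memory dictionary standing in for real DNS lookups, so the script runs offline; the reassembled bytes are checked against the original by SHA-256 rather than executed.

```python
"""Chunk-and-reassemble demonstration (added example, constructed data, no network)."""
import hashlib

# Constructed stand-in payload: a recognisable header followed by deterministic filler.
PAYLOAD = b"MZ" + bytes((i * 37 + 11) & 0xFF for i in range(600))

CHUNK_LEN = 63            # hex characters per TXT record, well under the 255-octet string limit
DOMAIN = "example.test"   # hypothetical attacker-controlled zone (reserved test TLD)


def encode_to_txt_records(payload: bytes, domain: str, chunk_len: int = CHUNK_LEN) -> dict:
    """Step 1 and 2: hex-encode the payload and map numbered subdomains to TXT values."""
    hexstr = payload.hex().upper()
    chunks = [hexstr[i:i + chunk_len] for i in range(0, len(hexstr), chunk_len)]
    # Zero-padded numbering keeps the walk order unambiguous on the loader side.
    return {f"chunk{n:03d}.{domain}": chunk for n, chunk in enumerate(chunks, start=1)}


def zone_file_lines(records: dict) -> list:
    """Render the records as BIND-style zone lines, one TXT record per subdomain."""
    return [f'{name}. IN TXT "{value}"' for name, value in records.items()]


def fake_resolver(records: dict):
    """Stand-in for a DNS TXT lookup: returns the TXT value, or None for NXDOMAIN."""
    def query_txt(name: str):
        return records.get(name)
    return query_txt


def reassemble(query_txt, domain: str) -> bytes:
    """Step 3: walk chunk001, chunk002, ... until NXDOMAIN, then hex-decode the whole string.

    The fragments must be concatenated before decoding: 63 is odd, so an individual
    chunk may split a byte across two records.
    """
    parts = []
    n = 1
    while True:
        value = query_txt(f"chunk{n:03d}.{domain}")
        if value is None:
            break
        parts.append(value)
        n += 1
    return bytes.fromhex("".join(parts))


def demo() -> dict:
    """Round-trip the payload through the TXT records and verify integrity by hash."""
    records = encode_to_txt_records(PAYLOAD, DOMAIN)
    recovered = reassemble(fake_resolver(records), DOMAIN)
    return {
        "records": len(records),
        "intact": hashlib.sha256(recovered).digest() == hashlib.sha256(PAYLOAD).digest(),
    }


if __name__ == "__main__":
    recs = encode_to_txt_records(PAYLOAD, DOMAIN)
    for line in zone_file_lines(recs)[:3]:
        print(line)
    print(demo())
```

With the 602-byte stand-in payload the encoder emits 20 records; swapping in a real resolver call (for example dnspython's `dns.resolver.resolve(name, "TXT")`) for `query_txt` is the only change a loader would need, which is why the query pattern, not the content, is what defenders should watch.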
“Even sophisticated organizations with in-network resolvers struggle to distinguish benign DNS lookups from malicious ones,” says Ian Campbell, Senior Security Operations Engineer at DomainTools. “The rise of DoH and DoT only obscures the traffic further.”
Evolution of DNS Exploitation and Current Trends
DNS has long been abused as a command-and-control (C2) channel by campaigns like DNSpionage and SilentBreak. In 2021, researchers noted PowerShell scripts hosted within TXT records—an approach now extended to full binaries via hex encoding. More recently, DomainTools identified prompt-injection payloads for AI chatbots hidden in TXT entries, aiming to subvert large language models with malicious instructions.
Detection Strategies and Mitigation Best Practices
- Route all client DNS through internal resolvers so that queries can be logged and inspected before they leave the network in encrypted form.
- Block unapproved external DoH/DoT servers at the network edge and allow-list only the resolvers the organization operates or sanctions, so clients cannot bypass the internal resolvers.
- Deploy DNS anomaly detection tools, including machine-learning and eBPF-based real-time traffic analysis.
- Enforce DNSSEC and DMARC to validate record authenticity and reduce spoofing risks, with the caveat that neither stops this technique on its own: the attacker controls the zone serving the chunks, so DNSSEC-signed fragments validate perfectly, and DMARC addresses email spoofing rather than DNS as a transport.
- Continuously monitor TXT record growth rates and unusual subdomain patterns (for example, a host issuing long runs of TXT queries for sequentially numbered subdomains of one zone) with SIEM integration.
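The last point, the query-pattern detection, as an added example that is not part of the original article: a small scorer run over a constructed DNS query log (not real telemetry). Per registered domain it counts TXT queries, distinct leftmost labels, and how many of those labels are numbered; a zone with many distinct, mostly numbered, contiguously sequenced TXT subdomains is flagged, while ordinary SPF, DMARC and DKIM lookups are not. The zone name example.test and the client addresses are hypothetical; the two-label "registered domain" cut is a simplification noted in the code.

```python
"""Fragment-walk detector over DNS query logs (added example, constructed log data)."""
import re
from collections import defaultdict

# Constructed query log, columns: time client qname qtype.
# BENIGN models normal mail-related TXT lookups plus one A record.
BENIGN = """\
10:00:01 10.0.0.5 mail.example.com TXT
10:00:01 10.0.0.5 _dmarc.example.com TXT
10:00:02 10.0.0.5 selector1._domainkey.example.com TXT
10:00:03 10.0.0.9 www.example.com A
"""
# LOADER models one host walking chunk001..chunk060 of a hypothetical zone.
LOADER = "".join(
    f"10:01:{i % 60:02d} 10.0.0.7 chunk{i:03d}.example.test TXT\n" for i in range(1, 61)
)
LOG = BENIGN + LOADER

# Leftmost label that is a short word followed by at least two digits, e.g. chunk001.
NUMBERED = re.compile(r"^[a-z]*(\d{2,})$")


def base_domain(qname: str) -> str:
    # Naive two-label cut. A production detector should use the Public Suffix List
    # so that names under co.uk and similar suffixes are grouped correctly.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Yield (time, client, qname, qtype) tuples, normalising case."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            yield ts, client, qname.lower(), qtype.upper()


def score_domains(text: str, min_distinct: int = 20, min_numbered_ratio: float = 0.8) -> dict:
    """Flag zones whose TXT query pattern looks like a fragment walk."""
    stats = defaultdict(lambda: {"txt": 0, "labels": set(), "numbers": set(), "clients": set()})
    for _ts, client, qname, qtype in parse_log(text):
        if qtype != "TXT":
            continue
        s = stats[base_domain(qname)]
        s["txt"] += 1
        s["clients"].add(client)
        first = qname.split(".")[0]
        s["labels"].add(first)
        m = NUMBERED.match(first)
        if m:
            s["numbers"].add(int(m.group(1)))

    alerts = {}
    for dom, s in stats.items():
        distinct = len(s["labels"])
        numbered_ratio = len(s["numbers"]) / distinct
        nums = s["numbers"]
        # A loader walks the sequence without gaps; benign numbered hosts rarely do.
        contiguous = bool(nums) and (max(nums) - min(nums) + 1 == len(nums))
        if distinct >= min_distinct and numbered_ratio >= min_numbered_ratio:
            alerts[dom] = {
                "txt_queries": s["txt"],
                "distinct_subdomains": distinct,
                "numbered_ratio": round(numbered_ratio, 2),
                "contiguous_sequence": contiguous,
                "clients": sorted(s["clients"]),
            }
    return alerts


if __name__ == "__main__":
    for dom, info in score_domains(LOG).items():
        print(dom, info)
```

The thresholds are deliberately conservative: twenty distinct TXT subdomains of one zone from a single client within a short window is already unusual, and the contiguity flag separates a loader from, say, numbered CDN hosts that are queried sparsely. The same counters can be fed from resolver logs or passive DNS, which is where this check belongs once DoH and DoT hide the traffic on the wire.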
Expert Commentary
“DNS is the lifeblood of the Internet but paradoxically remains one of its weakest security links,” observes Bruce Schneier, security technologist and author. “As encryption spreads, defenders must adapt or blind spots will widen.”
Adapting to Encrypted DNS: Challenges and Opportunities
Adoption of DoH and DoT by major providers (Cloudflare, Google, Mozilla) encrypts DNS queries between the client and the resolver, thwarting traditional DPI tools that relied on reading port 53 traffic in the clear. The visibility is not lost, only moved: deploying in-network resolvers, blocking or allow-listing DoH endpoints at the edge so clients must use those resolvers, and applying behavioral analytics to the resolver logs can restore it.
Future Outlook
As attackers refine DNS-based file hosting, organizations should invest in unified threat intelligence platforms that correlate DNS anomalies with endpoint telemetry. Integrating threat feeds on known malicious domains and automating record takedowns will be key to staying ahead of these “DNS-native” threats.
Conclusion
By hijacking an age-old protocol designed for name resolution, threat actors have engineered a resilient, encrypted distribution channel that evades many defenses. Proactive monitoring, combined with advanced analytics and internal DNS controls, offers the best path to disrupting this emerging threat vector.