
Hackers Hide Malware In DNS Records To Evade Detection
Cybersecurity researchers have discovered a new, stealthy hacking technique, which hides malware inside DNS records.
In a rush? Here are the quick facts:
- Hackers are hiding malware inside DNS TXT records of legitimate-looking domains.
- Malware is split into tiny hex chunks and reassembled using DNS queries.
- Attackers also used DNS to launch prompt injection attacks on AI bots.
Attackers use this technique to evade traditional security tools by embedding dangerous code in areas that most systems do not inspect, as first reported by ArsTechnica.
The Domain Name System (DNS) translates website names into IP addresses. Hackers now repurpose DNS as an unorthodox data storage solution.
Researchers at DomainTools detected attackers embedding malware within TXT records of the domain whitetreecollective[.]com. These records, which are normally used to prove domain ownership, contained numerous small text fragments which, when merged, formed malicious files.
The malware included a file for “Joke Screenmate”, a type of nuisance software that disrupts normal computer use. The attackers converted the file into hexadecimal format before spreading it across various subdomains. A network administrator with access to the system can quietly gather these chunks through DNS requests that appear harmless.
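For defenders, the distinguishing feature of this technique is a domain whose subdomains each carry a TXT record consisting only of hex digits, collectively adding up to far more than a verification token. The following detector is an added example written for this article, not code from DomainTools or the original report: it scans constructed passive-DNS TXT answers (the sample data, base-domain split, thresholds and the heuristic of sorting subdomain names to find the first chunk are all assumptions), flags domains with several hex-only TXT records, and checks whether the decoded first chunk starts with a known executable or archive signature.

```python
import re
from collections import defaultdict

# Constructed sample passive-DNS TXT answers (name, value). Not real data;
# the hex chunks are the standard DOS/PE header bytes found in any EXE.
SAMPLE_TXT_RECORDS = [
    ("example-shop.test", "v=spf1 include:_spf.example.net -all"),
    # A single 32-char hex token is normal for ownership verification.
    ("_acme-challenge.example-shop.test", "8c3f1a9b2d4e5f60718293a4b5c6d7e8"),
    ("001.cdn.suspicious-example.test",
     "4d5a9000030000000400000ffff0000b80000000000000040000000000000000".replace("0fff", "0ff")
     if False else "4d5a900003000000040000000ffff0000b8000000000000004000000000000000"[:64]),
    ("002.cdn.suspicious-example.test",
     "0000000000000000000000000000000000000000000000000000000080000000"),
    ("003.cdn.suspicious-example.test",
     "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Well-known file signatures; used only to classify what a chunk set decodes to.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP archive"}


def base_domain(name, levels=2):
    """Crude registrable-domain split (assumption: two labels, no public-suffix list)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-levels:])


def is_hex_chunk(value, min_len=32):
    """True for an even-length TXT value made solely of hex digits."""
    return len(value) >= min_len and len(value) % 2 == 0 and bool(HEX_RE.match(value))


def analyse(records, min_chunks=3):
    """Group hex-only TXT records by base domain; report domains with many of them."""
    by_domain = defaultdict(list)
    for name, value in records:
        if is_hex_chunk(value):
            by_domain[base_domain(name)].append((name, value))
    findings = {}
    for domain, chunks in by_domain.items():
        if len(chunks) < min_chunks:          # one token is a verification record, not a payload
            continue
        chunks.sort()                         # numbered subdomains sort into payload order
        first = bytes.fromhex(chunks[0][1])
        magic = next((label for sig, label in MAGIC.items() if first.startswith(sig)), None)
        findings[domain] = {"chunks": len(chunks),
                            "hex_bytes": sum(len(v) // 2 for _, v in chunks),
                            "magic": magic}
    return findings
```

Point the function at TXT answers from your own resolver logs; a domain that keeps adding numbered hex-only subdomains is the pattern to alert on, while a lone hex token is usually benign.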
“Even sophisticated organizations with their own in-network DNS resolvers have a hard time delineating authentic DNS traffic from anomalous requests, so it’s a route that’s been used before for malicious activity,” said Ian Campbell, senior security operations engineer at DomainTools, as reported by ArsTechnica.
“The proliferation of DOH and DOT contributes to this by encrypting DNS traffic until it hits the resolver, which means unless you’re one of those firms doing your own in-network DNS resolution, you can’t even tell what the request is, no less whether it’s normal or suspicious,” Campbell added.
Campbell discovered that certain DNS records served as platforms to execute prompt injection attacks against AI chatbots. These hidden commands attempt to trick bots into leaking data or disobeying rules.
Said Campbell: “Like the rest of the Internet, DNS can be a strange and enchanting place.”