Chicago IT Support & Cyber Security | Forward Technologies


Hackers Hide Malware in DNS Records to Evade Detection

July 16, 2025 by Edward Silha

A new threat is emerging in which attackers use DNS records, the very system that directs internet traffic, to hide malware. Instead of relying on email attachments or suspicious downloads, they embed malicious payloads in DNS TXT records. The method slips past traditional defenses because most security tools pass DNS traffic through without inspecting it.

DNS, the Domain Name System, acts like the internet's phonebook, translating domain names into IP addresses. It is so fundamental and routine that most security systems let it through without scrutiny, which makes it a convenient hiding place. According to researchers at Infoblox, attackers are storing binary payloads such as shellcode in TXT records, encoded as plain text (hexadecimal or base64) and split into chunks. Fetched one record at a time, the chunks look like harmless text; a compromised device retrieves them, reassembles and decodes them, and executes the result.

Infoblox's report, highlighted by Ars Technica, confirms that attackers leverage this loophole to load remote access tools such as Cobalt Strike. By tunneling commands and data through DNS lookups, attackers avoid intrusion detection systems that watch only web or email traffic. The tactic is silent: no download, no file transfer, and none of the alerts that usually accompany them.

DomainTools, another cybersecurity firm, recently found a file hidden in DNS the same way; the file itself was harmless, but its presence proves the technique is already in use in the wild. By storing data in TXT records, attackers can publish or retrieve commands without raising suspicion. Because resolvers cache DNS responses for the record's TTL, a payload hidden this way remains retrievable, unnoticed yet ready to use, long after it was planted, even when the attacker's nameserver is not queried directly.

The practical danger is high. Any network that overlooks DNS can suffer data exfiltration, remote code execution, or full command-and-control (C2) of infected machines, all without a malicious file ever being downloaded over the web or email. And DNS traffic is generally not inspected because it is assumed to be both essential and trustworthy.

This is not just theoretical. Nation-state actors and cybercriminal groups are already experimenting with these attacks. Infoblox warns that espionage groups and other adversaries are adopting DNS-based channels for persistent, covert access, which is especially useful in sensitive environments where stealth and persistence are vital.

The emergence of DNS-based attacks echoes older methods such as DNS hijacking and cache poisoning, which altered DNS responses to redirect users to fake sites or malware downloads. Attackers are now going further by smuggling the malware itself inside DNS records. Some have also hijacked subdomains through dangling DNS entries (records that still point at a cloud resource or host the owner has given up), turning them into malware drop points without ever touching a firewall.

Defenders face a tough challenge. Security tools must parse DNS TXT records and look for anomalies. Infoblox advises flagging unusually large records, inspecting suspicious domains, and feeding DNS data into threat detection systems. DomainTools suggests building baselines and setting thresholds so that sudden spikes in TXT record size or query frequency stand out.

Further protection requires threat feeds listing domains known to host malware via DNS, and a protective resolver (including DNS-over-HTTPS services with filtering built in) that clients are forced to use. The caveat is that encrypted DNS sent to an arbitrary public resolver hides queries from the network's own inspection, so the resolver must be one the organization controls and can log. All of this adds complexity and cost to already strained IT operations.

Researchers at Palo Alto Networks and elsewhere point out that DNS tunneling, exfiltrating data through DNS queries, is not new. What is changing is the use of DNS as a distributed file store: encoding binary data as hex or base64 and spreading it across TXT records or subdomain labels turns DNS into a hidden channel for delivering malware. Academic work has also shown how strings injected into DNS records and cache poisoning can deliver code or crash clients, so this is not just a dark-web rumor.

At its core, the DNS mechanism is too trusting. Resolvers will fetch and cache any record type from any zone on request, so an attacker who controls a domain and its nameserver can publish payloads that any client on the internet can retrieve instantly, without changing any other infrastructure. That openness is a convenience for administrators, but it now fuels this wave of DNS-based threats.

Here’s what defenders should do:

Start inspecting DNS traffic, especially TXT records, which usually go unchecked. Set size limits to flag oversized records, use threat intelligence to block suspicious domains, and fold DNS monitoring into a zero-trust model. Clean up dangling DNS entries that attackers can hijack. Apply registrar or registry locks and enforce domain hygiene on critical infrastructure.
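As an added illustration of the detection advice above (this is example code written for this page, not a tool from Infoblox, DomainTools or Forward Technologies), the Python script below runs three checks over a constructed sample of resolver log lines: a per-record size check and a hex/base64 "blob" check, a grouping check for numbered sibling subdomains that each carry a hex chunk under one parent name, and a forensic reassembly of those chunks. The log format, the domain names, the thresholds and the payload are all assumptions made up for the example.

```python
"""Flag DNS TXT answers that look like smuggled, chunked payloads.

Added example: the log format, names, thresholds and payload below are
constructed for illustration, not taken from any real incident or tool.
"""
import math
import re
from collections import Counter, defaultdict

# Thresholds are assumptions; tune them against your own resolver baseline.
MAX_TXT_LEN = 255   # one TXT <character-string> is at most 255 octets; a longer
                    # logged answer means several strings were concatenated
MIN_BLOB_LEN = 16   # short hex/base64-looking strings (hashes, tokens) are common
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CHUNK_LABEL_RE = re.compile(r"^(\d+)\.(.+)$")   # e.g. "17.files.evil.example"

# Constructed resolver log, one answer per line: "<client> <qname> <qtype> <rdata>".
# The three numbered TXT records hold the hex of the harmless string
# b"CONSTRUCTED-SAMPLE-PAYLOAD"; the "blob" record is an oversized hex answer.
BIG_HEX = bytes(range(256)).hex()   # 512 hex characters
SAMPLE_LOG = f"""\
10.0.0.5 www.example.com A 93.184.216.34
10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all
10.0.0.7 0.files.evil.example TXT 434f4e5354525543544544
10.0.0.7 1.files.evil.example TXT 2d53414d504c452d504159
10.0.0.7 2.files.evil.example TXT 4c4f4144
10.0.0.7 blob.evil.example TXT {BIG_HEX}
10.0.0.9 _dmarc.example.com TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.com
"""


def shannon_entropy(s):
    """Bits per character: random base64 is near 6, English text near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_log(text):
    """Parse the constructed log format into dicts (real tools emit JSON or CSV)."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            client, qname, qtype, rdata = parts
            records.append({"client": client, "qname": qname.lower().rstrip("."),
                            "qtype": qtype.upper(), "rdata": rdata.strip().strip('"')})
    return records


def score_txt(rec):
    """Return the reasons a single TXT answer looks like encoded binary data."""
    data, reasons = rec["rdata"], []
    if len(data) > MAX_TXT_LEN:
        reasons.append("oversized")
    if len(data) >= MIN_BLOB_LEN and " " not in data:
        if HEX_RE.match(data):
            reasons.append("hex-only")
        elif B64_RE.match(data) and shannon_entropy(data) > 4.5:
            reasons.append("base64-like, high entropy")
    return reasons


def find_chunk_sets(records):
    """Group hex-only TXT answers under numbered subdomains by their parent name.

    Small chunks slip under any per-record size threshold, so the tell is the
    pattern: several sibling labels 0, 1, 2, ... that all carry hex.
    """
    groups = defaultdict(dict)
    for rec in records:
        m = CHUNK_LABEL_RE.match(rec["qname"])
        data = rec["rdata"]
        if rec["qtype"] == "TXT" and m and HEX_RE.match(data) and len(data) % 2 == 0:
            groups[m.group(2)][int(m.group(1))] = data
    return {parent: chunks for parent, chunks in groups.items() if len(chunks) >= 2}


def reassemble(chunks):
    """Forensic step: join the chunks in label order and decode the hex."""
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))


def analyze(log_text):
    """Run every check and return flagged names plus any reassembled chunk sets."""
    records = parse_log(log_text)
    flagged = {}
    for rec in records:
        if rec["qtype"] == "TXT":
            reasons = score_txt(rec)
            if reasons:
                flagged[rec["qname"]] = reasons
    sets = find_chunk_sets(records)
    return {"flagged": flagged,
            "reassembled": {parent: reassemble(c) for parent, c in sets.items()}}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for name, reasons in result["flagged"].items():
        print(f"FLAG {name}: {', '.join(reasons)}")
    for parent, payload in result["reassembled"].items():
        print(f"CHUNK SET {parent}: {len(payload)} bytes, starts {payload[:16]!r}")
```

Note that the third chunk (8 hex characters) is too short to trip the per-record check on its own; only the grouping check catches it, which is why baselining by parent domain matters as much as a size limit. The SPF and DMARC records, which are long but contain spaces and readable tokens, are not flagged.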

We are looking at a future where DNS is no longer a simple routing tool; it is rapidly becoming a covert smuggling route. Attackers keep finding ways to live off the land inside DNS. Defenders must adapt by treating DNS like any other vector, something to be watched and controlled.

This marks a shift in cybersecurity. DNS was once treated as background plumbing. Now, it carries weapons. And until detection systems catch up, networks will continue facing threats from this hidden blind spot.

Filed Under: Blog, Cybersecurity Tagged With: Cobalt Strike, cybersecurity, cybersecurity threats, data exfiltration, DNS blind spot, DNS malware, DNS security, DNS tunneling, DNS TXT records, DNS-based attacks, DomainTools, Infoblox, TXT records, zero trust
