ciso brief

All news with #dns tunneling tag

3 articles

China-linked Evasive Panda Used DNS Poisoning for Espionage

🐼 Kaspersky attributes a targeted espionage campaign to the China-linked APT cluster tracked as Evasive Panda, which used DNS cache and response poisoning between November 2022 and November 2024 to deliver the MgBot backdoor to victims in Türkiye, China, and India. The intrusions relied on multi-stage AitM techniques, trojanized updates, and per-victim encrypted payloads fetched via legitimate domains to maintain stealth. Kaspersky highlights the actor's long-term refinement of these methods to evade detection.

Detour Dog Using DNS to Distribute Strela Stealer Campaigns

🛡️ Infoblox links a threat actor dubbed Detour Dog to campaigns distributing the Strela Stealer, using compromised WordPress sites to host first-stage backdoors such as StarFish. The compromised sites query name servers under the actor's control, which answer with DNS TXT records carrying Base64-encoded commands and delivery URLs; the actor triggers redirects or remote execution only selectively to minimize detection. Infoblox and Shadowserver sinkholed multiple C2 domains in July–August 2025.
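The TXT-record channel described above lends itself to a simple passive-DNS check: a legitimate TXT value is usually SPF, DKIM, DMARC or a verification token, whereas a whole-string Base64 value that decodes to a URL or a command-like token is worth a closer look. The script below is an added example, not code from Infoblox or from the report; the record list is constructed inline, the domain names are placeholders, and the "redirect"/"exec" token list is an assumed heuristic rather than the actor's actual command vocabulary.

```python
import base64
import binascii
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Heuristics for what a decoded TXT payload looks like when it is used as C2.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Assumed command-like tokens for illustration; not the real actor's vocabulary.
CMD_TOKENS = ("redirect", "exec", "curl ", "wget ", "powershell", "cmd.exe", "/bin/sh")


@dataclass
class Finding:
    qname: str
    rdata: str
    decoded: str
    entropy: float
    reasons: List[str] = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits per character of the raw TXT value; Base64 C2 blobs tend to score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def strict_b64_decode(s: str) -> Optional[str]:
    """Decode only if the WHOLE value is well-formed Base64 that yields printable text."""
    if len(s) < 8 or len(s) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def is_known_txt_format(rdata: str) -> bool:
    """Expected, legitimate TXT shapes that should not be decoded at all."""
    low = rdata.lower()
    return low.startswith(("v=spf1", "v=dkim1", "v=dmarc1")) or "-site-verification=" in low


def inspect_txt(qname: str, rdata: str) -> Optional[Finding]:
    """Return a Finding when a TXT value decodes to a URL or command, else None."""
    if is_known_txt_format(rdata):
        return None
    decoded = strict_b64_decode(rdata)
    if decoded is None:
        return None
    reasons = []
    if URL_RE.search(decoded):
        reasons.append("decoded payload contains URL")
    if any(tok in decoded.lower() for tok in CMD_TOKENS):
        reasons.append("decoded payload contains command-like token")
    if not reasons:
        # A Base64 value that decodes to harmless text (e.g. a "noop" beacon
        # answer) is recorded nowhere; entropy alone is not enough to flag it.
        return None
    return Finding(qname, rdata, decoded, shannon_entropy(rdata), reasons)


def scan_txt_records(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """records: (qname, rrtype, rdata) tuples as a passive-DNS export would give them."""
    out = []
    for qname, rrtype, rdata in records:
        if rrtype.upper() != "TXT":
            continue
        f = inspect_txt(qname, rdata)
        if f is not None:
            out.append(f)
    return out


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample records (not observed data); .invalid domains are placeholders.
SAMPLE_RECORDS = [
    ("example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
    ("example.com", "TXT", "google-site-verification=abcdefghijklmnopqrstuvwxyz012345"),
    ("example.com", "MX", "10 mail.example.com"),
    ("a1b2c3.example.net", "TXT", b64("noop")),
    ("a1b2c3.example.net", "TXT", b64("redirect https://stage.example.invalid/l.php")),
    ("a1b2c3.example.net", "TXT", b64("exec https://stage.example.invalid/dl?id=42")),
]

if __name__ == "__main__":
    for f in scan_txt_records(SAMPLE_RECORDS):
        print(f"{f.qname}: {f.decoded!r} (entropy {f.entropy:.2f}) -> {', '.join(f.reasons)}")
```

The important design choice is the strict decode: `validate=True` plus the length and printability checks reject DKIM public keys and verification tokens that merely contain Base64 characters, so the detector only fires on values that were clearly produced by encoding a whole message. Run it over a day's TXT answers from your resolver logs and pivot on any name server that hands back flagged values.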

Domain-Based Attacks Will Continue to Wreak Havoc Globally

🔒 Domain-based attacks that exploit DNS and registered domains are rising in frequency and sophistication, driven heavily by AI. Attackers increasingly blend website spoofing, email domain impersonation, subdomain hijacking, DNS tunneling and automated domain-generation algorithms (DGAs) to scale campaigns and evade detection. Many proven protections, namely Registry Lock, DNSSEC, DNS redundancy and active domain monitoring, remain underused, leaving organizations exposed. Security teams should adopt preemptive scanning, layered DNS controls, strict asset ownership and employee training to limit impact.