
DNS Records Hacking: Here's What You Should Know

Cybercriminals are good at one thing: finding new ways to slip past defenses. Lately, one of their tricks has been hiding malicious code in a place most IT teams barely glance at: DNS TXT records. Yes, the same DNS system that helps your browser find websites is now being twisted into a covert delivery service for malware. But the cleverness isn't just in the DNS part; it's in how the whole attack gets rolling.


What's Actually Happening?

DNS TXT records are usually harmless and used for things like SPF settings or domain verification. But attackers have found a way to break malware into small, encoded text fragments and store them in these records across multiple subdomains. Later, a script on an infected machine, often a simple PowerShell command, reaches out, pulls those fragments, reassembles them, and executes the malware. It's clever, quiet, and can bypass many traditional defenses.

Real-World Case: The "Joke Screenmate" Attack

Recent research by DomainTools in July 2025 uncovered a perfect example of this technique in action. Security researchers discovered malware called "Joke Screenmate" that was completely embedded within DNS TXT records. The attackers converted the malware's binary file into hexadecimal format, then split it into numerous fragments stored within separate subdomains.

The attack worked like this: once a victim's machine was compromised (typically through a phishing email), a script would systematically query these DNS records, collect all the hexadecimal fragments, reassemble them back into the original malware binary, and execute it, all while appearing as legitimate DNS traffic to most security tools.
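The pattern described above leaves a footprint in resolver logs: one client pulling long, hex-only TXT answers from many numbered subdomains of a single domain. The following detector is an added example written for this post (not DomainTools' research code or anything from Xeams); it assumes a simple whitespace-separated log format and uses constructed sample lines, flagging clients whose collected fragments reassemble into a sizeable blob and noting whether that blob starts with the "MZ" header of a Windows executable.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (assumed format, not from the original post):
# "<time> <client_ip> <qname> <qtype> <answer>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 _dmarc.example.com TXT v=DMARC1;p=none
10:00:02 10.0.0.7 1.files.example.test TXT 4d5a90000300000004000000ffff0000
10:00:02 10.0.0.7 2.files.example.test TXT b8000000000000004000000000000000
10:00:03 10.0.0.7 3.files.example.test TXT 00000000000000000000000000000000
10:00:03 10.0.0.7 4.files.example.test TXT 00000000e80000000e1fba0e00b409cd
10:00:04 10.0.0.7 5.files.example.test TXT 21b8014ccd21546869732070726f6772
10:00:05 10.0.0.9 mail.example.com A 192.0.2.10
"""

HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")  # long, hex-only TXT answer

def base_domain(qname):
    # Crude: keep the last two labels ("1.files.example.test" -> "example.test").
    return ".".join(qname.rstrip(".").split(".")[-2:])

def fragment_index(qname):
    # Leading label as an integer when it is numeric, else a large sentinel.
    head = qname.split(".")[0]
    return int(head) if head.isdigit() else 1 << 30

def detect_txt_staging(log_text, min_fragments=4, min_bytes=64):
    """Return {(client, domain): info} for clients that pulled many hex-only
    TXT answers from distinct subdomains of one domain, the staging pattern
    described in the post. info also reports whether the reassembled bytes
    start with the 'MZ' magic of a Windows executable."""
    frags = defaultdict(dict)  # (client, domain) -> {qname: hex answer}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, qname, qtype, answer = parts
        if qtype == "TXT" and HEX_BLOB.match(answer):
            frags[(client, base_domain(qname))][qname] = answer
    findings = {}
    for key, by_name in frags.items():
        ordered = [by_name[q] for q in sorted(by_name, key=fragment_index)]
        blob = bytes.fromhex("".join(ordered))
        if len(by_name) >= min_fragments and len(blob) >= min_bytes:
            findings[key] = {"fragments": len(by_name),
                             "payload_bytes": len(blob),
                             "looks_like_pe": blob[:2] == b"MZ"}
    return findings
```

Legitimate TXT lookups (SPF, DMARC, domain verification) are ignored because their answers are not hex-only, so the thresholds can be kept low without drowning analysts in noise.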

The Numbers Behind the Trend

  1. 90% of malware uses DNS in its attack chain at some point.
  2. DNS over HTTPS (DoH) and DNS over TLS (DoT) are increasingly abused to hide malicious lookups.
  3. Despite DNS's critical role, most organizations spend less than 5% of their security budget on monitoring it.

It's no wonder attackers love it. DNS is both essential and under-watched.

So, How Does That Script End Up on the Machine?

Here's the key point: the DNS trick only works after something has already compromised the system. And in most cases, that something is a phishing email. Think about it, an email arrives looking like a vendor invoice or a password reset. The user clicks, a script runs silently in the background, and only then does the DNS-based part of the attack kick in. Without that first email, the DNS trick never gets a chance to run.

Why Email Security Still Matters Most

The attention around DNS-based attacks is valid, but focusing only on DNS misses the bigger picture. If you can stop the malicious script from arriving in the first place, you've stopped the attack entirely. That's why the email layer remains one of the most critical lines of defense. Blocking phishing attempts, quarantining suspicious files, and catching links that lead to malicious sites lets your security stack stop the problem where it starts, not where it ends.

Conclusion

Yes, malware can hide in DNS. But it doesn't get there on its own.

Before the PowerShell command runs, before the DNS records are queried, and before the malware is reassembled, there's usually an email. That's why strong email filtering and threat detection at the gateway matter more than ever. This sophisticated evasion is meaningless if the initial email never reaches the target. Layered security with robust email filtering remains fundamental. It's far more efficient to block the attack at the email gateway than to detect DNS-based command and control after compromise.

This is exactly the foundational work that email security solutions handle behind the scenes every day: scanning attachments, filtering suspicious links, and blocking phishing attempts that would otherwise launch complex attack chains. At Xeams, we see this reality firsthand: stop the email, stop the entire attack sequence. When it comes to DNS-based malware, the best defense isn't chasing clever new tricks. It's stopping the attack before it even begins.


Created on: Aug 18, 2025
Last updated on: Aug 21, 2025
