Shapefin

ADAMnetworks Uncovers Critical DNS TXT Record Vulnerability Exploited for Malware Distribution


ADAMnetworks, a developer of zero-trust security solutions, has identified a critical weakness in how DNS is treated by most security stacks: threat actors are using DNS TXT records to conceal and distribute malware, bypassing traditional controls in the process. The weakness is not a flaw in DNS itself. Every record and query involved is standards-compliant, which is exactly what lets the traffic blend in with legitimate use. The discovery highlights how a foundational internet protocol is being repurposed as a stealthy delivery channel, posing significant risk to organizations globally.

DNS TXT records were designed to carry arbitrary text, and today they mostly hold email authentication data (SPF, DKIM, DMARC) and domain-verification tokens. A TXT record may contain several character strings of up to 255 bytes each, and a single name can carry several TXT records, so a domain can store a substantial amount of data. Attackers exploit this by encoding a malicious file as hexadecimal or base64, splitting it into chunks, publishing each chunk as a TXT record on a numbered or otherwise predictable subdomain, and having the infected device rebuild the file by issuing what look like ordinary DNS queries. Because the downloader never fetches anything over HTTP, antivirus, email filters and firewalls see nothing to inspect, and DNS traffic itself is rarely examined for content.
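The chunk-and-reassemble scheme just described, as an added example that is not ADAMnetworks' code and uses a benign byte string: a "publisher" splits the payload into hex chunks, one per numbered subdomain, and a "client" fetches them with nothing but TXT lookups and rebuilds the file. The zone name (cdn-updates.example), the chunk size and the payload are assumptions constructed for this illustration; no network traffic is generated.

```python
"""Added example, not ADAMnetworks' code: simulate malware assembly over DNS
TXT records with a harmless payload.  Nothing here touches the network."""
import hashlib
import math

PARENT = "cdn-updates.example"   # hypothetical attacker-controlled zone (assumption)
CHUNK_BYTES = 120                # 240 hex chars: fits inside one 255-byte TXT string

# Constructed stand-in for a binary payload (a harmless script plus filler bytes).
PAYLOAD = b"#!/bin/sh\necho 'stage two would run here'\n" + bytes(range(256)) * 3


def publish(payload: bytes, parent: str = PARENT, chunk_bytes: int = CHUNK_BYTES) -> dict:
    """Return the TXT records an authoritative server would serve.

    Name 0 holds a manifest (chunk count and SHA-256 of the whole file);
    names 1..n each hold one hex-encoded slice.  Every name is an ordinary
    hostname, so each lookup is indistinguishable from a normal TXT query.
    """
    n = math.ceil(len(payload) / chunk_bytes)
    digest = hashlib.sha256(payload).hexdigest()
    zone = {f"0.{parent}": f"n={n};sha256={digest}"}
    for i in range(n):
        chunk = payload[i * chunk_bytes:(i + 1) * chunk_bytes]
        zone[f"{i + 1}.{parent}"] = chunk.hex()
    return zone


def resolve_txt(zone: dict, qname: str, log: list) -> str:
    """Stand-in for a stub resolver: record the query, return the TXT string."""
    log.append(("TXT", qname))
    return zone[qname]


def reassemble(zone: dict, parent: str = PARENT) -> tuple:
    """Client side: read the manifest, fetch each slice in order, verify the hash."""
    log = []
    manifest = dict(kv.split("=", 1) for kv in resolve_txt(zone, f"0.{parent}", log).split(";"))
    n = int(manifest["n"])
    data = b"".join(bytes.fromhex(resolve_txt(zone, f"{i}.{parent}", log)) for i in range(1, n + 1))
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("payload hash mismatch")
    return data, log


def txt_fits(zone: dict, limit: int = 255) -> bool:
    """One TXT character-string may not exceed 255 bytes (RFC 1035); check every record."""
    return all(len(v.encode()) <= limit for v in zone.values())


if __name__ == "__main__":
    zone = publish(PAYLOAD)
    data, log = reassemble(zone)
    print(f"{len(log)} TXT queries rebuilt {len(data)} bytes, intact: {data == PAYLOAD}")
```

On the wire the only signature is a burst of TXT lookups to sibling subdomains whose answers are long hex strings; nothing in the exchange fails a protocol check, which is why content-agnostic DNS filtering never sees it.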

Abusing DNS to carry malware is not new, but the activity ADAMnetworks observed shows the technique is in active use and evolving. Other vendors have documented the same pattern for malware assembly, command-and-control (C2) communication and data exfiltration. DomainTools' report "Malware in DNS" described an actor who stored ScreenMate malware and stagers for the Covenant C2 framework in TXT records as early as 2021-2022. Infoblox's analysis "DNS: A Small but Effective C2 System" showed how an attacker-controlled authoritative name server turns the queries it receives into a channel for exfiltrating data and issuing commands.

David Redekop, Founder and CEO of ADAMnetworks, commented on the issue, stating, “DNS TXT records are like the Swiss Army knife of domain data. Versatile for everything from spam prevention to software licensing, but this versatility makes them a prime target for abuse. By assembling malware on the fly via DNS, attackers evade endpoint protections, making this a blind spot for many defenses.”

Through its DNS threat intelligence sharing program, ADAMnetworks analyzed a year of TXT queries, covering more than 14,000 unique fully qualified domain names (FQDNs) that each received more than 10 TXT queries. The analysis found both legitimate and malicious patterns. Legitimate uses remain widespread: SPF, DKIM and DMARC for email authentication; domain-ownership verification for services such as Google Workspace and for certificate issuance; certificate-association data such as S/MIME and TLSA; ACME challenge records for automated certificate issuance; and geolocation hints for content delivery networks (CDNs).

The analysis also surfaced questionable activity. Some FQDNs embedded private (RFC 1918) IP addresses, leaking internal addressing to every resolver the query passes through. Others asked for non-public names such as "id.server", the special-use name (RFC 4892) that identifies a resolver instance and is normally queried in the CHAOS class; outside that context a query for it usually means someone is probing resolver identity. Less common applications were also visible, including BitTorrent signaling and DNS tunneling apps such as SlowDNS on Android, both of which can carry data out of a network. Because the dataset records queries rather than completed lookups, many of these were in fact blocked by domain-risk policies before any answer was returned.
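The triage described in the two preceding paragraphs, as an added example that is not ADAMnetworks' analysis code: queries are grouped by FQDN, names with more than ten TXT queries are kept, and each is tagged as a known-legitimate pattern (DMARC, DKIM, ACME, apex/SPF) or a questionable one (private IP embedded in the name, non-public suffix such as id.server, or a tunnel-like burst of encoded sibling subdomains). The log format ("<ts> <client> <qtype> <qname>"), the sample lines, the public-suffix stand-in and the thresholds are all constructed here.

```python
"""Added example, not ADAMnetworks' code: classify TXT query volume per FQDN."""
import hashlib
import ipaddress
import re
from collections import Counter, defaultdict

MIN_QUERIES = 10                                   # page: FQDNs with more than 10 TXT queries
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "example"}   # constructed stand-in for the Public Suffix List
LEGIT_PATTERNS = {
    "DMARC": re.compile(r"^_dmarc\."),
    "DKIM": re.compile(r"\._domainkey\."),
    "ACME": re.compile(r"^_acme-challenge\."),
}
APEX = re.compile(r"^[a-z0-9-]+\.[a-z]+$")          # bare second-level name: where SPF lives
ENCODED_LABEL = re.compile(r"^(?:[0-9a-f]{16,}|[a-z2-7]{20,})$")   # hex or base32 chunk label


def embedded_private_ip(qname):
    """Return an RFC 1918 address spelled out in the labels (dots or dashes), if any."""
    parts = re.split(r"[.-]", qname)
    for i in range(len(parts) - 3):
        window = parts[i:i + 4]
        if all(p.isdigit() for p in window):
            try:
                ip = ipaddress.IPv4Address(".".join(window))
            except ValueError:
                continue
            if ip.is_private:
                return str(ip)
    return None


def parent_of(qname):
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(qname.split(".")[-2:])


def triage(lines):
    counts = Counter()
    for line in lines:
        _ts, _client, qtype, qname = line.split()
        if qtype == "TXT":
            counts[qname.lower().rstrip(".")] += 1
    verdicts, by_parent = {}, defaultdict(set)
    for qname, n in counts.items():
        by_parent[parent_of(qname)].add(qname)
        if n <= MIN_QUERIES:
            continue
        tags = [name for name, rx in LEGIT_PATTERNS.items() if rx.search(qname)]
        ip = embedded_private_ip(qname)
        if ip:
            tags.append(f"private-ip-leak:{ip}")
        if qname.split(".")[-1] not in PUBLIC_SUFFIXES:
            tags.append("non-public-suffix")          # e.g. id.server, *.local
        elif APEX.match(qname):
            tags.append("SPF/apex")
        verdicts[qname] = tags or ["unclassified"]
    # Assembly/tunnel heuristic: many distinct sibling names whose leading label looks encoded.
    for parent, names in by_parent.items():
        encoded = [q for q in names if ENCODED_LABEL.match(q.split(".")[0])]
        if len(encoded) > MIN_QUERIES:
            verdicts[parent] = ["tunnel-like-burst", f"distinct={len(encoded)}"]
    return verdicts


def constructed_log():
    """Constructed sample lines, not real telemetry."""
    lines = []

    def add(qname, n, qtype="TXT"):
        lines.extend(f"2025-06-01T12:00:00Z 10.0.4.12 {qtype} {qname}" for _ in range(n))

    add("_dmarc.example.com", 12)
    add("selector1._domainkey.example.com", 11)
    add("_acme-challenge.shop.example.com", 11)
    add("example.com", 15)
    add("example.com", 4, qtype="A")            # not TXT: ignored
    add("10-0-4-12.corp.example.com", 11)       # private address leaked in the name
    add("id.server", 11)                        # non-public suffix
    add("www.example.com", 3)                   # below threshold
    for i in range(12):                         # one query each, but many encoded siblings
        add(f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:32]}.t.tunnel-test.example", 1)
    return lines


if __name__ == "__main__":
    for name, tags in sorted(triage(constructed_log()).items()):
        print(f"{name:45} {', '.join(tags)}")
```

The per-FQDN threshold alone misses the assembly pattern, because each chunk name is queried once; that is why the second pass counts distinct encoded-looking siblings under a parent rather than queries per name. Any production version should replace the suffix stand-in with the real Public Suffix List.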

The exploitation of TXT records lands in a critical blind spot: DNS is treated as benign plumbing and is rarely subjected to the scrutiny applied to web or email traffic. Encrypted DNS transports such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) make network-level monitoring harder still, since query names and answers are no longer visible on the wire. The practical consequence is that visibility has to move to the resolver: whichever resolver terminates the encrypted session still sees every query and answer in the clear, and that is where policy has to be applied.

The recommended mitigation is a "block all, allow some" policy for TXT queries. ADAMnetworks' adam:ONE Zero Trust Connectivity (ZTc) platform (version 4.14.2-266 and later) can block TXT queries by policy while exempting trusted domains through forwarding rules, so that internal zones and the applications that depend on them keep working and the exemptions do not reopen attack paths such as DNS rebinding. Organizations are advised against applying such blanket TXT blocks at public resolvers, where they would break email authentication and domain verification for everyone behind them; the practical place for the policy is the on-premises resolver, where exemptions can be scoped to the organization's own domains. As threats evolve, this form of DNS abuse underscores the need for controls that adapt to detection-evasion techniques rather than assuming any protocol is harmless.
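A minimal "block all, allow some" TXT policy of the kind described above, as an added example that is not adam:ONE's policy engine: TXT queries are refused by default, names under an allowlisted suffix are forwarded to the upstream nominated for that suffix (longest suffix wins, matched on label boundaries), and every other query type passes through. The suffixes, upstream addresses and query names are assumptions for the illustration.

```python
"""Added example, not adam:ONE's code: default-deny TXT policy with forwarding exemptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    action: str                     # "resolve", "forward" or "refuse"
    upstream: Optional[str] = None  # resolver address when action == "forward"
    reason: str = ""


# Forwarding exemptions (assumed values): suffix -> upstream allowed to answer TXT for it.
# Internal zones go to the internal resolver so answers for internal names never come
# from the Internet; the public mail domain and its ACME names go to the normal upstream
# so SPF/DKIM/DMARC checks and certificate issuance keep working.
FORWARD_RULES = {
    "corp.example": "10.0.0.53",
    "example.com": "9.9.9.9",
    "_acme-challenge.shop.example.com": "9.9.9.9",
}


def normalise(name: str) -> str:
    return name.lower().rstrip(".")


def matching_rule(qname: str, rules: dict = FORWARD_RULES) -> Optional[str]:
    """Longest-suffix match on label boundaries: 'a.corp.example' matches
    'corp.example', while 'notcorp.example' does not."""
    q = normalise(qname)
    best = None
    for suffix in rules:
        if q == suffix or q.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return best


def decide(qname: str, qtype: str, rules: dict = FORWARD_RULES) -> Decision:
    if qtype.upper() != "TXT":
        return Decision("resolve", reason="policy applies to TXT only")
    rule = matching_rule(qname, rules)
    if rule is not None:
        return Decision("forward", rules[rule], f"allowlisted via {rule}")
    return Decision("refuse", reason="default-deny TXT")


if __name__ == "__main__":
    for q, t in [("_dmarc.example.com", "TXT"), ("7.cdn-updates.example", "TXT"),
                 ("printer.corp.example", "TXT"), ("notcorp.example", "TXT"),
                 ("www.cdn-updates.example", "A")]:
        d = decide(q, t)
        print(f"{q:28} {t:4} -> {d.action:8} {d.upstream or '-':10} {d.reason}")
```

Keying exemptions on suffixes means one entry for the mail domain covers its apex SPF, `_dmarc` and `selector._domainkey` lookups, and enforcing the label boundary stops a look-alike such as `notcorp.example` from riding on the `corp.example` rule. Answering REFUSED rather than dropping the query lets legitimate clients fail fast instead of waiting for a timeout.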

ADAMnetworks specializes in Zero Trust Connectivity solutions, offering a Default Deny-All security platform that utilizes AI-driven dynamic allowlisting and patented egress control technology designed to proactively defend against cyber threats.
