
ADAMnetworks, a zero trust security vendor, has published research on a technique in which attackers use DNS TXT records to stage malware and run command-and-control (C2) channels. Because the payload arrives as ordinary DNS answers rather than as a file or e-mail attachment, it slips past controls that inspect those channels, which is why the company argues for closer monitoring of TXT lookups on enterprise networks.
- Attackers exploit DNS TXT records to hide and deliver malware.
- Malware is encoded in hexadecimal or base64, split across records and reassembled via DNS queries.
- Used for malware assembly, C2 communications, and data exfiltration.
- Encrypted DNS protocols like DoH and DoT complicate detection.
- ADAMnetworks' platform enables policy-based TXT record blocking.
- Over 14,000 unique domains analyzed showed both legitimate and malicious use.
DNS TXT records exist for free-form text and are used legitimately for e-mail authentication (SPF, DKIM, DMARC) and domain-ownership verification. Attackers instead store hexadecimal- or base64-encoded binary in them, splitting the payload into fragments served from a series of subdomains. An implant already running on the victim machine then issues a sequence of ordinary TXT queries, decodes each answer and concatenates the fragments back into the executable. Nothing crosses the network as a file or attachment, so antivirus, email filters and firewalls that inspect those channels never see the payload. “DNS TXT records are like the Swiss Army knife of domain data. Versatile for everything from spam prevention to software licensing, but this versatility makes them a prime target for abuse,” said David Redekop, Founder and CEO of ADAMnetworks.
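The following is an added example, not code from ADAMnetworks or from the research described here. It shows detection logic a resolver operator could run over query logs: parse TXT answers, discard ones that carry a well-known legitimate prefix (SPF, DMARC, verification tokens), classify the rest as hex or base64, group hits by parent domain, and reassemble chunks served from numbered subdomains to see whether they form a PE file (the `MZ` header). The log format, domain names and payload are constructed for the example; the payload is a harmless stand-in, not malware.

```python
"""Detect TXT answers that look like encoded malware chunks (added example)."""
import base64
import binascii
import re
from collections import defaultdict

# Constructed (hypothetical) resolver log line: ts client= q= QTYPE rdata=...
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+q=(?P<qname>\S+)\s+'
    r'(?P<qtype>[A-Z]+)\s+rdata=(?P<rdata>.*)$'
)

# TXT prefixes with a well-known legitimate meaning; never flagged.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=",
                   "MS=", "docusign=", "apple-domain-verification=")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 32  # shorter strings are too ambiguous to classify as encoded data


def parse_line(line):
    """Parse one log line into a dict; TXT rdata strings are joined into one blob."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rdata"] = "".join(re.findall(r'"([^"]*)"', rec["rdata"])) or rec["rdata"]
    return rec


def classify_txt(rdata):
    """Return (kind, decoded_bytes) where kind is benign, hex, base64 or other."""
    if rdata.startswith(BENIGN_PREFIXES):
        return "benign", None
    if len(rdata) < MIN_LEN:
        return "other", None
    # Hex is checked first: every hex string is also valid base64 alphabet.
    if HEX_RE.match(rdata) and len(rdata) % 2 == 0:
        return "hex", bytes.fromhex(rdata)
    if B64_RE.match(rdata) and len(rdata) % 4 == 0:
        try:
            return "base64", base64.b64decode(rdata, validate=True)
        except (binascii.Error, ValueError):
            pass
    return "other", None


def analyse(lines):
    """Group encoded TXT answers by parent domain and reassemble ordered chunks."""
    chunks = defaultdict(dict)  # parent domain -> {leftmost label: decoded bytes}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["qtype"] != "TXT":
            continue
        kind, decoded = classify_txt(rec["rdata"])
        if kind in ("hex", "base64"):
            label, _, parent = rec["qname"].rstrip(".").partition(".")
            chunks[parent][label] = decoded
    findings = []
    for parent, parts in chunks.items():
        labels = list(parts)
        numeric = all(lbl.isdigit() for lbl in labels)
        order = sorted(labels, key=int) if numeric else sorted(labels)
        blob = b"".join(parts[lbl] for lbl in order)
        findings.append({
            "parent": parent,
            "chunks": len(parts),
            "sequential_labels": numeric,   # 0., 1., 2. ... is the chunking pattern
            "bytes": len(blob),
            "pe_header": blob.startswith(b"MZ"),
        })
    return findings


# Constructed stand-in payload (NOT malware): a PE-style header plus filler bytes,
# hex-encoded and spread over numbered subdomains, next to ordinary TXT answers.
FAKE_PAYLOAD = b"MZ\x90\x00" + bytes(range(256))


def _make_sample_log():
    hexblob = FAKE_PAYLOAD.hex()
    lines = [
        '2025-07-01T12:00:00Z client=10.0.0.5 q=example.com. TXT '
        'rdata="v=spf1 include:_spf.google.com -all"',
        '2025-07-01T12:00:01Z client=10.0.0.5 q=example.com. TXT '
        'rdata="google-site-verification=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG"',
    ]
    for i, start in enumerate(range(0, len(hexblob), 200)):
        lines.append(f'2025-07-01T12:01:{i:02d}Z client=10.0.0.7 '
                     f'q={i}.cdn-assets.example. TXT rdata="{hexblob[start:start + 200]}"')
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The parent-domain grouping is what separates a single odd-looking verification token from a staged payload: one long hex string under a domain is noise, a run of them under numbered labels that concatenate into an `MZ` header is a finding. A resolver that logs answers (not just queries) is needed for this to work at all; query-only logs still reveal the numbered-subdomain pattern but not the content.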
ADAMnetworks' analysis of over 14,000 unique fully qualified domain names (FQDNs) found that the large majority of TXT lookups were legitimate, for example Google Workspace and SSL certificate verification. It also surfaced abuse: TXT records exposing private IP addresses and DNS tunnelling through apps such as SlowDNS. Research from DomainTools identified the domain whitetreecollective[.]com serving hex-encoded fragments of the Joke Screenmate malware from TXT records, and Infoblox has reported the same technique being used to deploy Cobalt Strike beacons. Taken together, these cases show a resurgence of DNS TXT record abuse, once treated as a largely theoretical concern, as an observed and growing risk from 2021-2022 onward.
Encrypted DNS protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) make this harder to spot: they hide query names and answers from passive, on-path monitoring, which is where most network-level DNS inspection lives. An attacker who points the implant at a public DoH resolver can assemble payloads, run C2 and exfiltrate data through TXT records without the network sensor seeing a single query. Note that encryption only hides the traffic from observers between client and resolver; the resolver itself still sees every query in clear, so an organisation that forces clients onto a resolver it operates (and blocks direct DoH/DoT to third-party resolvers) keeps its visibility.
To counter this, ADAMnetworks recommends a “block all, allow some” approach: deny TXT lookups by default and exempt only the names that legitimate software actually needs, such as SPF, DKIM and DMARC records consulted by mail servers and the verification tokens used by SaaS onboarding. Its adam:ONE Zero Trust Connectivity platform (version 4.14.2-266 and later) implements this as a policy-based TXT record block with a trusted-domain exemption list, and the company cites DNS rebinding protection as part of the same platform. Before enforcing such a policy, organisations should audit which TXT queries their clients issue so the exemption list covers real dependencies, use a protective DNS service, and keep the policy adaptive as new legitimate uses appear.
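Added example of the “block all, allow some” policy described above, written for illustration; it is not adam:ONE code and the exemption rules are hypothetical. TXT queries are denied unless the name is on an exact allowlist, ends with an allowed suffix, starts with a label such as `_dmarc.` that mail receivers look up for arbitrary sender domains, or comes from a client (here a mail relay) that legitimately needs SPF for any domain. An audit mode records what enforcement would block, aggregated by parent domain, which is the step to run before switching the policy on.

```python
"""Default-deny TXT policy with exemptions and an audit mode (added example)."""
from collections import Counter

# Hypothetical exemptions; a real list comes from auditing the organisation's own lookups.
ALLOW_EXACT = {"example.com", "_dmarc.example.com"}
ALLOW_SUFFIXES = ("_spf.google.com", "_domainkey.example.com")
ALLOW_LABEL_PREFIXES = ("_dmarc.", "_acme-challenge.")
ALLOW_FOR_CLIENTS = {"10.0.0.25"}  # e.g. the mail relay, which must check SPF for any sender


def normalise(qname):
    """Strip the trailing dot and case so 'Example.COM.' and 'example.com' match."""
    return qname.rstrip(".").lower()


def is_exempt(qname, client):
    """True when a TXT lookup matches one of the allowlist rules."""
    name = normalise(qname)
    if client in ALLOW_FOR_CLIENTS:
        return True
    if name in ALLOW_EXACT or name.startswith(ALLOW_LABEL_PREFIXES):
        return True
    return any(name == s or name.endswith("." + s) for s in ALLOW_SUFFIXES)


def decide(qname, qtype, client, enforce=True):
    """Return 'allow', 'deny' or 'audit' for one query. Non-TXT types are untouched."""
    if qtype != "TXT":
        return "allow"
    if is_exempt(qname, client):
        return "allow"
    return "deny" if enforce else "audit"


def audit(queries):
    """Dry run: count TXT queries enforcement would block, keyed by parent domain."""
    would_block = Counter()
    for qname, qtype, client in queries:
        if decide(qname, qtype, client, enforce=False) == "audit":
            labels = normalise(qname).split(".")
            # Collapse 0.x.y, 1.x.y, ... onto x.y so chunked lookups show as one entry.
            would_block[".".join(labels[-2:])] += 1
    return would_block


# Constructed sample queries: (qname, qtype, client).
SAMPLE_QUERIES = [
    ("example.com.", "TXT", "10.0.0.5"),                       # allow: exact name
    ("_dmarc.partner.example.", "TXT", "10.0.0.5"),             # allow: _dmarc. label
    ("selector1._domainkey.example.com.", "TXT", "10.0.0.5"),   # allow: suffix
    ("bigcorp.test.", "TXT", "10.0.0.25"),                      # allow: mail relay client
    ("0.cdn-assets.example.", "TXT", "10.0.0.7"),               # deny
    ("1.cdn-assets.example.", "TXT", "10.0.0.7"),               # deny
    ("cdn-assets.example.", "A", "10.0.0.7"),                   # allow: not a TXT query
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", decide(*q))
    print("would block:", dict(audit(SAMPLE_QUERIES)))
```

One design point for the enforcing resolver: answer a denied TXT query with an empty NOERROR response (NODATA for that type), not NXDOMAIN. NXDOMAIN asserts the name does not exist at all and is negatively cached for every record type, so it can break A/AAAA resolution for a host whose TXT record was merely filtered.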
ADAMnetworks’ findings emphasize the urgent need for proactive DNS monitoring and robust security policies to safeguard against the sophisticated abuse of DNS TXT records, ensuring organizations can maintain secure and resilient networks.
ADAMnetworks specializes in Zero Trust Connectivity solutions to ensure the highest level of security. Our core offerings include a Default Deny-All security platform that utilizes AI-driven dynamic allowlisting and our patented egress control technology to proactively defend against cyber threats.