Hackers Exploit a DNS Blind Spot by Hiding Malware in DNS Records

It is no longer enough to focus security efforts on browsers and email attachments alone. A growing threat lives in the DNS layer itself, where attackers hide malicious code inside DNS records and use the DNS system as an inconspicuous storage and retrieval mechanism. The approach exploits a long-standing blind spot in many security architectures: the domain name system, which maps human-readable names to numerical addresses, goes largely unmonitored in many networks compared with web or email traffic. By embedding binaries, scripts, and instructions in DNS records, adversaries can fetch harmful payloads through ordinary-looking DNS lookups that pass traditional defenses and rarely trigger alarms until damage is done. The trend underscores the need to rethink DNS visibility, data-exfiltration defenses, and the broader model that governs how organizations monitor and control their network traffic.

DNS as a Blind Spot in Cyber Defense

DNS is the backbone of how devices find and connect to services across the internet. Because it serves an essential technical function, resolving names to IP addresses, its traffic often crosses networks with little inspection, logging, or correlation to endpoint telemetry. In many environments DNS queries and responses are treated as lightweight, benign plumbing rather than as a channel that can carry executable content. That misperception gives adversaries an opening to use the protocol for covert data transfer.

The core weakness lies in how DNS traffic is treated in practice. Web and email traffic is subject to rigorous inspection: gateway proxies, sandboxing, reputation checks, and content filtering scrutinize URLs, attachments, and payloads. DNS, by contrast, has historically been treated as a trusted, low-risk channel because it typically conveys small textual answers that resolve to addresses or prove domain ownership. When queries travel encrypted, over DNS over HTTPS (DoH) or DNS over TLS (DoT), the visibility gap widens. Encrypted DNS hides the content of queries from on-path observers (the resolver that terminates the session still sees them), so enterprise security stacks that rely on passive network capture can no longer distinguish ordinary resolution from suspicious activity.

This normalization of DNS as an unmonitored path creates the opportunity. If malware can deposit small fragments of a binary or script into DNS records, a compromised internal host can quietly retrieve those fragments piece by piece through routine lookups. The result is a covert data channel that travels under the radar of many security controls, enabling early-stage payload delivery, command-and-control-like behavior, or data exfiltration without triggering conventional alerts. In practice, even well-defended networks with robust perimeter controls can be blindsided by DNS-based delivery that does not resemble traditional infection vectors.

The Encoded Storage Paradigm

A key feature of this technique is the deliberate use of encoding and fragmentation. Attackers convert binary payloads into hexadecimal or another textual encoding so that the content fits DNS record structures, which are designed to carry strings of text. Hex is trivial to encode and decode and uses only the characters 0-9 and a-f, at the cost of doubling the payload's size. The encoded text blends into the noise of ordinary DNS traffic and record updates while preserving the ability to reconstruct the original binary on the other end.

To distribute the payload, adversaries break the encoded data into hundreds of discrete chunks, each embedded in a DNS record for a subdomain of a domain the attacker controls. The TXT record type is designed to hold arbitrary text, but each character-string inside a TXT record is limited to 255 octets (RFC 1035), which is one reason a payload of any size has to be cut into many pieces. TXT records have legitimate uses, such as domain ownership verification for cloud services, SPF, DKIM and DMARC records for email authentication, and other configuration data, so their presence in a zone does not by itself raise suspicion. The result is a chain of small textual fragments that, when queried in the correct sequence, can be reassembled into the original binary.

This storage strategy leverages the natural granularity and hierarchical structure of DNS. Attackers create a domain under their control, then generate a subdomain for each payload fragment. For example, a domain owner might configure a series of subdomains like fragment1.domain.tld, fragment2.domain.tld, and so forth, with the content of each fragment stored within separate TXT records. When an infected host executes a series of benign-looking DNS requests, it can retrieve the fragments, piece them together, and reconstruct the original binary for execution or further download. The technique gains resilience because it relies on standard DNS behavior rather than bespoke network traffic patterns that defenders typically watch for.

Why This Works in Real-World Environments

Several factors contribute to the effectiveness of DNS-stored payloads in real networks. First, DNS queries and responses are ubiquitous across virtually every network boundary, including enterprise networks, home networks, and mobile environments. The sheer volume of DNS activity makes anomalies harder to detect without specialized analytics. Second, many organizations lack end-to-end visibility into recursive DNS resolution, especially when third-party resolvers are involved or when encrypted DNS is employed. Without full visibility, it becomes challenging to differentiate legitimate DNS behavior from malicious patterns.

Third, TXT records are notable because of their legitimate role. They are versatile, can hold arbitrary text, and therefore make a convenient vessel for hexadecimal payload fragments. Because TXT records appear in routine domain verification and configuration processes, investigators who observe new TXT records in a zone may not look twice. Finally, the technique benefits from the trend toward encrypted DNS transport. DoH and DoT encrypt queries and responses in transit, so a defender cannot inspect a query or confirm its purpose from the wire unless the organization operates the resolver that terminates the encrypted session. This reduces opportunities for early detection and containment, which makes encryption a force multiplier for attackers whose implants use an external resolver.

In practice, defenders face a multi-layered cat-and-mouse game. On one hand, attackers blend fragments into ordinary DNS record updates and pace their queries to avoid spikes in volume. On the other, defenders must look for subtler signals: unusual query patterns, abnormal numbers of distinct subdomains queried under one domain, or TXT answers whose size and character set look nothing like SPF or verification records. DoH and DoT further complicate this analysis, requiring more capable telemetry and correlation to identify suspicious DNS behavior without disrupting legitimate privacy-preserving features.

The Role of Subdomains and TXT Records in the Attack Chain

The mechanics hinge on subdomains and TXT records in a precise arrangement. An attacker registers or compromises a domain and then allocates hundreds of subdomains under it. Each subdomain hosts a TXT record containing a fragment of the encoded payload. The attacker then relies on the infected host to perform a sequence of lookups that retrieve these fragments in the intended order, so that the original binary can be reconstructed. Fragmentation cuts both ways: it keeps each answer small and unremarkable, but losing a single fragment or retrieving them out of order breaks reconstruction and forces retransmission, and repeated retries can themselves be detected if observed at scale.

This also points to a risk surface for DNS hosting providers, since subdomains and their TXT records are created in the zone at the hosting provider rather than at the registrar. If adversaries can provision hundreds of records through a zone-management API, the provider is well placed to spot anomalous zone growth and apply rate limits and anomaly detection. Encrypted DoH/DoT transport hides the client's queries from on-path observers, but it does not hide the zone's contents, which anyone can query. Detection is therefore not only about which records exist, but about how clients retrieve them: how the queries are scheduled, spaced, and correlated with other network activity.

The Mechanics: Encoding, Chunks, and TXT Records

This section covers the concrete steps attackers take to hide and retrieve malicious content in DNS records. The fundamental idea is to repurpose DNS data structures, specifically TXT records, as containers for encoded data. The process begins with a payload: a binary executable, a script, or a data file intended for later execution on a compromised machine. The payload is then converted into a textual representation that DNS records can hold. A common choice is hexadecimal encoding, which represents each byte as two characters from 0-9 and A-F; it is easy to generate and decode, though it doubles the size of the data.

Once encoded, the data is segmented into a large number of small chunks. Each chunk corresponds to a fragment of the original payload and is assigned to a unique DNS record within a domain hierarchy controlled by the attacker. The TXT records provide a flexible channel for storing arbitrary text data, allowing each fragment to be embedded as a discrete block of text within its respective TXT record. The attack campaign then relies on the infected host making DNS requests to retrieve the fragments, often in a predefined sequence to ensure proper reconstruction.

The subdomain structure is deliberate. By spreading fragments across many subdomains of one domain, attackers create a retrieval path in which each request looks like an unremarkable lookup of a single name. If some fragments cannot be retrieved because a DNS firewall or resolver policy blocks them, the retrieving code can fall back to another name or simply retry. The whole operation hinges on a compromised host executing a controlled set of DNS queries that match the fragmentation scheme. The retrieved fragments are then reassembled on the host and decoded back into binary form for execution or further exploitation.

This technique has the advantage of leveraging legitimate DNS traffic, which is routinely allowed through firewalls and security appliances. Since DNS is essential for name resolution, blocking or restricting DNS completely is rarely feasible without crippling network functionality. Even in environments with strict DNS controls, the use of subdomains under attacker-owned domains can enable covert channels because the primary traffic appears ordinary or unremarkable within the broader DNS landscape. The accumulation of many small fragments for a substantial payload also helps avoid large, sudden data transfers that could trigger anomaly detection thresholds.
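The following Python models the encode, chunk, store and reassemble scheme described in "The Encoded Storage Paradigm" and in this section. It is an added example, not code from the page or from the campaign it describes. The zone name, the frag<N> label scheme and the trailing "meta" record are assumptions chosen for illustration; nothing touches the network, and the "zone" is an in-memory dict standing in for the attacker's DNS zone.

```python
"""Model of the TXT-record storage scheme: hex-encode, chunk to fit one TXT
character-string, lay out as numbered subdomains, reassemble and verify.
Added example; zone name, label scheme and 'meta' record are assumptions."""
import hashlib
import math

TXT_STRING_MAX = 255   # RFC 1035: one <character-string> in a TXT RR holds at most 255 octets


def hex_fragments(payload: bytes, chunk_len: int = TXT_STRING_MAX) -> list[str]:
    """Hex-encode the payload and cut the text into chunks of at most chunk_len characters.
    Hex doubles the size, so an N-byte payload needs ceil(2N / chunk_len) fragments."""
    encoded = payload.hex()
    return [encoded[i:i + chunk_len] for i in range(0, len(encoded), chunk_len)]


def records_needed(payload_len: int, chunk_len: int = TXT_STRING_MAX) -> int:
    """How many TXT records a payload of payload_len bytes occupies at this chunk size."""
    return math.ceil(2 * payload_len / chunk_len)


def build_zone(payload: bytes, zone: str) -> dict[str, str]:
    """Lay the fragments out as 'frag<i>.<zone>' -> TXT string.  A 'meta' record carrying
    the fragment count and a SHA-256 of the payload tells the client when it is done
    (an assumed convention for the example, not one taken from the page)."""
    frags = hex_fragments(payload)
    records = {f"frag{i}.{zone}": frag for i, frag in enumerate(frags)}
    records[f"meta.{zone}"] = f"{len(frags)}:{hashlib.sha256(payload).hexdigest()}"
    return records


def reassemble(records: dict[str, str], zone: str) -> bytes:
    """What the retrieving host must do: ordered lookups, concatenation, hex-decode,
    integrity check.  One missing or misordered fragment breaks the whole file."""
    count_str, digest = records[f"meta.{zone}"].split(":", 1)
    pieces = []
    for i in range(int(count_str)):
        name = f"frag{i}.{zone}"
        if name not in records:
            raise KeyError(f"missing fragment {name}")
        pieces.append(records[name])
    data = bytes.fromhex("".join(pieces))
    if hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("digest mismatch: fragments misordered or corrupted")
    return data


# Constructed sample payload: a 12 KiB pseudo-random blob standing in for a binary.
SAMPLE_PAYLOAD = hashlib.sha256(b"constructed sample").digest() * 384   # 32 * 384 = 12288 bytes
ZONE = "payload-zone.test"   # hypothetical attacker-controlled zone

if __name__ == "__main__":
    zone = build_zone(SAMPLE_PAYLOAD, ZONE)
    print(f"{len(zone) - 1} TXT fragments for a {len(SAMPLE_PAYLOAD)}-byte payload")
    print(f"a 50 KB binary would need {records_needed(50_000)} records")
    assert reassemble(zone, ZONE) == SAMPLE_PAYLOAD
```

The arithmetic in records_needed is the practical reason the campaigns described here produce "hundreds" of records: a 50 KB binary becomes 100 KB of hex, which is 393 full-size TXT strings. That fragment count, and the fact that a retrieving host must walk every one of them in order, is what the detection logic later in this article keys on.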

A Real-World Instance: Hex-Encoded Binaries and TXT Records

Researchers from prominent security research teams observed a real-world example where a malicious binary was hosted inside DNS TXT records, encoded in hexadecimal form and spread across multiple subdomains under a single malicious domain. In this instance, the network of fragments was designed to deliver a binary payload to a compromised system by reconstructing the original file after receiving all the fragments. The fragmentation was extensive, producing hundreds of discrete TXT records, each representing a fragment of the encoded payload. The attacker leveraged this method to create a resilient and covert data delivery channel that could thwart surface-level inspections while remaining compatible with standard DNS operations.

The domain structure played an important role. The attacker used a domain under which hundreds of distinct subdomains hosted the TXT records containing the payload fragments. An advanced stage of the operation would involve a victim machine issuing a sequence of DNS queries to retrieve these fragments in order, followed by local assembly and decoding of the binary. The use of hexadecimal encoding ensures a compact textual representation that can be stored within TXT records without triggering obvious red flags. The obfuscated nature of the payload and the reliance on the normal functioning of DNS lookups combine to form a discreet delivery mechanism that can operate across diverse network environments.

As defenses adapt, defenders increasingly scrutinize DNS behavior at the level of subdomain proliferation, TXT record density, and the timing of query bursts. A high volume of TXT lookups from a single host, or unusual access patterns to a domain that otherwise shows little activity, is a signal worth investigating. Yet encrypted DNS transport via DoH and DoT introduces additional blind spots: when queries are encrypted and sent to an external resolver, network sensors cannot see which names are being resolved, let alone whether an answer carries a payload fragment. In response, security teams are turning to endpoint-centric detections and richer DNS telemetry, combining resolver-side analytics with host-based monitoring to reconstruct the full picture of a DNS-driven attack.
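One way to turn the query-side signals above (many TXT lookups from one host, numbered subdomains, a burst in time) into a detection, as an added example that is not code from the page or from any vendor. The log format is a constructed, simplified one (epoch, client IP, qname, qtype), not a particular resolver's, and the thresholds are starting points to tune rather than published numbers; adapt LOG_RE to your own resolver logs.

```python
"""Query-side detection for the fragment-retrieval pattern: a host that resolves
many distinct TXT names under one zone inside a short window, with labels that
differ only by a counter.  Added example; log format and thresholds are assumptions."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Leftmost label that is just a counter, with or without a short prefix: 'frag17', 'p0042', '17'.
COUNTER_LABEL = re.compile(r"^[a-z_-]{0,8}\d+$")

# Constructed sample log.  10.0.0.5 walks twelve numbered TXT records in one zone within
# eleven seconds; 10.0.0.7 does ordinary mail-related lookups.
SAMPLE_LOG = [f"{1700000000 + i} 10.0.0.5 frag{i}.payload-zone.test TXT" for i in range(12)] + [
    "1700000003 10.0.0.7 _dmarc.example.org TXT",
    "1700000004 10.0.0.7 example.org MX",
    "1700000005 10.0.0.7 selector1._domainkey.example.org TXT",
    "1700000006 10.0.0.7 www.example.org A",
    "1700000020 10.0.0.5 www.example.org A",
]


def parse(lines):
    """Yield (epoch, client, qname, qtype); malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        yield int(ts), client, qname.rstrip(".").lower(), qtype.upper()


def registered_zone(qname: str) -> str:
    """Assumption for the example: the zone is the last two labels.  Production code
    should use the Public Suffix List so that 'x.co.uk' is not treated as a zone."""
    return ".".join(qname.split(".")[-2:])


def find_fragment_walks(lines, min_names: int = 10, window_s: int = 60, min_counter_ratio: float = 0.8):
    """Flag (client, zone) pairs that resolve at least min_names distinct TXT names within
    window_s seconds where at least min_counter_ratio of the leftmost labels look like counters."""
    by_key = defaultdict(list)                          # (client, zone) -> [(ts, qname)]
    for ts, client, qname, qtype in parse(lines):
        if qtype == "TXT":
            by_key[(client, registered_zone(qname))].append((ts, qname))
    alerts = []
    for (client, zone), events in by_key.items():
        names = sorted({q for _, q in events})
        if len(names) < min_names:
            continue
        times = sorted(t for t, _ in events)
        span = times[-1] - times[0]
        counter_like = sum(1 for q in names if COUNTER_LABEL.match(q.split(".")[0]))
        if span <= window_s and counter_like / len(names) >= min_counter_ratio:
            alerts.append({"client": client, "zone": zone, "txt_names": len(names), "span_s": span})
    return alerts


if __name__ == "__main__":
    for alert in find_fragment_walks(SAMPLE_LOG):
        print(alert)
```

Note the deliberate false-positive trap in the sample: a mail server looking up DKIM keys at selector1, selector2 and so on produces counter-like labels too, which is why the rule needs both the distinct-name count and a baseline of which hosts are expected to do bulk TXT lookups (mail gateways, anti-spam services) before it is worth paging anyone.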

The Role of DoH and DoT in Complicating Defenses

The modern trend toward encrypting DNS traffic, via DoH (DNS over HTTPS) and DoT (DNS over TLS), is designed to protect user privacy and prevent eavesdropping on name-resolution queries. The same property has unintended security consequences when name resolution is part of an attack. Encrypted transport removes straightforward on-path inspection of DNS queries and responses. Without visibility into DNS messages, passive network tools cannot reliably distinguish routine lookups from covert attempts to fetch hidden payload fragments.

This encryption also affects telemetry quality, but the effect depends on where the encrypted session ends. When clients use the organization's own resolver, whether over plain UDP or over DoT or DoH, that resolver still sees every query in the clear and can log it. The visibility loss arises when endpoints or applications, such as browsers with built-in DoH, send queries to an external public resolver over HTTPS, bypassing the enterprise resolver entirely; on the wire those queries are indistinguishable from ordinary web traffic. If security teams do not operate their own resolvers, or do not ensure that clients actually use them, they lose the ability to label DNS traffic at all. The practical outcome is that even suspicious patterns, such as repeated requests for hundreds of fragments from one subdomain tree, are detected later than they would be if DNS traffic were fully observable.

From a defensive stance, this creates a twofold challenge. First, there is a need to enhance visibility into DNS behavior at the endpoint and network layers in a privacy-preserving way. Second, defenders must explore complementary signals that do not rely solely on packet contents, such as query timing, frequency, distribution across subdomains, and correlation with endpoint execution events. This holistic view helps identify potential DNS-driven data exfiltration or payload delivery even when the contents of the DNS traffic remain opaque to network sensors. The evolution toward encrypted DNS underscores the importance of robust endpoint detection, behavior-based analytics, and orchestration across security layers to maintain a resilient security posture.

The Case Study: Joke Screenmate and the Hexadecimal Payload in DNS TXT Records

Researchers recently highlighted a notable example illustrating how attackers leverage DNS-based storage for malignant payloads. In this case, a strain of nuisance software—known for interfering with normal computer functions—was found to be hosted in a hexadecimal representation distributed across a large set of DNS TXT records. The technique began with converting the binary payload into hexadecimal encoding, a compact textual representation that can be stored in TXT records. The hex-encoded data was then segmented into hundreds of fragments and placed into the TXT records hosted in the subdomains of a domain controlled by the attacker.

The specific arrangement involved stashing the fragments inside TXT records associated with a variety of subdomains under a single control domain. The attacker’s objective was to enable an infected machine to retrieve each fragment by issuing a corresponding DNS lookup sequence. When all fragments were retrieved, the host would reassemble them and decode them back into the original binary. This binary could then be executed or saved for later use as part of a larger malware workflow. The method demonstrates how a seemingly benign DNS mechanism can be repurposed as a covert data delivery channel that can bypass many conventional defenses.

Researchers emphasized the importance of DNS traffic analysis, noting that the approach exploits the fact that many organizations lack end-to-end visibility into in-network DNS traffic. The use of TXT records, given their legitimate roles in domain verification and service configuration, further complicates detection. The incident also underscored how encryption trends such as DoH and DoT can amplify the stealth of DNS-based payload delivery by masking the content of DNS requests as they traverse the network. In light of these findings, defenders are urged to invest in richer DNS telemetry, anomaly detection focused on unusual fragmentation patterns, and proactive monitoring of DNS zone configurations and subdomain proliferation that might indicate covert data channels.

The DoH/DoT Dimension in Practice

The implication of encrypted DNS traffic is particularly pronounced when considering the Joke Screenmate-like technique. Attackers can continue to rely on the structure and semantics of DNS while obscuring the actual payload contents from intermediary monitors. This separation between “where data is stored” and “what the data means” can be exploited to keep detection thresholds low and reaction times delayed. Incident responders must adapt by prioritizing novel heuristics for DNS investigations that do not depend on payload content, as well as strengthening endpoints to recognize suspicious sequences of DNS-driven activities, such as the ordered retrieval of many fragments from a domain-based payload.

Security practitioners also consider how the adoption of encrypted DNS intersects with broader privacy and performance goals. While privacy protections are vital, when they obscure a potential misuse of DNS, it becomes essential to balance privacy with security. In some environments, this balance may require tailored configurations where enterprise-owned resolvers retain visibility into DNS metadata, such as query types, timing, and destination domains, without exposing sensitive content. The aim is to allow security teams to detect anomalous DNS behavior that resembles legitimate, routine operations yet may harbor malicious intent, without undermining the privacy benefits that encrypted DNS technologies provide to end users.
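As an added example, not from the page, the following Unbound resolver configuration fragment implements the stance described above: the enterprise resolver serves DoT to internal clients, logs every query and reply because it is the endpoint of the encrypted session, and answers the Firefox canary domain so that the browser's default-on DoH does not route around it. The listening addresses, the 10.0.0.0/8 client range and the certificate paths are assumptions.

```conf
server:
    # Plain DNS and DoT (port 853) for internal clients only; assumed address range.
    interface: 0.0.0.0
    interface: 0.0.0.0@853
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Certificate for the DoT listener (paths are assumptions).
    tls-service-key: "/etc/unbound/resolver.key"
    tls-service-pem: "/etc/unbound/resolver.pem"

    # This resolver terminates the encrypted session, so it sees every name and
    # record type in the clear; log both sides for the TXT-walk analytics.
    log-queries: yes
    log-replies: yes

    # Mozilla canary domain: an NXDOMAIN answer tells Firefox not to auto-enable
    # its built-in DoH, so browser lookups stay on this resolver.
    local-zone: "use-application-dns.net." always_nxdomain
```

Pair this with egress filtering that blocks outbound TCP/853 and connections to known public DoH endpoints from anything other than the resolver itself; otherwise an implant or a user-configured browser can still bypass it. The canary only affects Firefox's automatic DoH mode, not a user who enables DoH explicitly, so treat it as a nudge rather than a control.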

Historical Context: DNS-Hosted Malware and Prompt Injections

Threat actors have shown a persistent interest in abusing the DNS layer over the years. It has long been known that DNS records can host malicious payloads, including PowerShell scripts and other executable content. DomainTools and other security researchers have documented cases in which attackers place malicious snippets or commands inside textual records as a stealthy method of initial access or ongoing control. This history marks a continuum of DNS-based abuse, from early experiments to larger campaigns that use DNS infrastructure as a covert data channel.

A more recent line of observations reveals a broader strategy: attackers sometimes embed in DNS records text aimed at AI systems, in the form of prompt injections. Prompt injections exploit the tendency of language models to follow instructions that appear inside the data they are asked to process. By embedding attacker-written text into documents or content that a chatbot or an automated analysis pipeline will read, adversaries seek to influence the model's behavior, potentially causing it to reveal information, execute commands, or ignore prior constraints. This shows how the DNS ecosystem intersects with emerging AI threats, widening the attack surface beyond traditional malware delivery.

The prompt injection vectors observed by researchers show a range of provocative phrases and commands designed to mislead or coerce the model into acting in unauthorized ways. Examples include instructions to disregard previous policies, to output random data, or to reveal sensitive facts. While these examples illustrate the concept, the broader takeaway is that the content delivered to AI models—whether through documents hosted on the web, embedded in DNS-resident data, or presented in other channels—can influence model behavior if the system cannot reliably distinguish trusted inputs from injected prompts. This risk underscores the need for robust input validation, strict model governance, and layered defenses that consider how data travels through multiple surfaces, including DNS-based vectors.

The Human Element and the Threat Landscape

Cybersecurity remains a human-driven discipline. Analysts need to stay current with evolving techniques, understand how DNS-based payloads can be hidden in plain sight, and adapt detection strategies accordingly. The insights from researchers emphasize that DNS—an essential, ubiquitous component of internet functionality—can be weaponized in ways that challenge conventional security paradigms. Organizations must blend technical controls with educated intuition about how attackers will attempt to blend malicious activity into routine network behavior. The human factor, including threat intelligence, incident response playbooks, and continuous training, remains critical to identifying and mitigating DNS-driven attacks before they escalate.

Moreover, the rapid growth of encrypted DNS traffic amplifies the importance of collaboration across teams. Security operations centers must coordinate with network engineers to ensure visibility into DNS activity while preserving privacy-preserving features. Incident responders must be prepared to verify suspicious DNS activity by correlating DNS metadata with endpoint events, file hashes, and behavioral indicators of compromise. The combined effect of DNS fragmentation, TXT-based payloads, and encrypted transport requires a holistic approach that integrates network analytics, endpoint security, and AI-assisted threat hunting. This multidimensional approach is essential for staying ahead of threats that rely on the DNS layer as a covert conduit for malware and data exfiltration.

Security Implications and Defensive Strategies

The emergence of DNS-based storage of malicious payloads calls for a strategic expansion of defensive measures. Organizations should consider elevating DNS to a primary line of defense rather than a passive underlayer of the network. Here are several practical directions for defenders to pursue:

  • Strengthen DNS telemetry and monitoring: Collect rich DNS metadata, including query domains, subdomain proliferation patterns, and the frequency and sequencing of TXT-record lookups. Build anomaly-detection rules that flag rapid, large-scale fragmentation patterns or unusual subdomain trees associated with a single domain.
  • Invest in in-network DNS visibility: Where feasible, operate your own resolvers and make clients use them. A resolver you run terminates DoH or DoT itself and sees every query in the clear, so this does not require breaking encryption on the wire; it does require blocking or detecting clients that route around it to public encrypted resolvers, and agreeing with privacy stakeholders on what is logged and for how long.
  • Analyze DNS zone updates and registration activity: Monitor the creation and modification of subdomains, TXT records, and TTL configurations that could indicate payload dissemination. Mining these signals can reveal stealthy campaigns that rely on high-volume subdomain issuance.
  • Correlate DNS with endpoint events: Integrate DNS telemetry with endpoint detection and response (EDR) telemetry to connect DNS fragment retrieval events with process creation, script execution, or binary decoding on host machines. This cross-domain correlation can provide stronger evidence of malicious activity than DNS signals alone.
  • Harden TXT usage patterns: Because TXT records can carry arbitrary text, there is a risk of false positives; however, a sudden surge in TXT records across subdomains, combined with unusual fragment distributions, warrants closer examination. Establish baselines for legitimate TXT record use and monitor deviations that align with known adversary techniques.
  • Govern your own zones with least privilege: Treat record-write access to zones you control, at the registrar and at the DNS hosting provider, as privileged, since attackers also host fragments in compromised legitimate domains. Protect zone-management credentials and API keys, require review for bulk record changes, and alert when a zone suddenly gains dozens or hundreds of new TXT records.
  • Promote secure DNS configurations across the organization: Encourage the use of secure and trusted DNS resolvers, monitor for unexpected reliance on third-party resolvers, and deploy DNS firewall features that can block suspicious domains or query patterns while still enabling legitimate operations.
  • Educate and prepare incident response teams: Provide training on DNS-based attack patterns, ensure that incident response playbooks include steps for investigating DNS-driven payload delivery, and practice tabletop exercises that simulate the retrieval and reconstruction of hex-encoded payloads from TXT records.
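The record-side complement to the query-side detection: a check for the "baseline legitimate TXT use" and "monitor zone updates" points in the list above, written as an added example that is not code from the page. It classifies the TXT strings of a zone you can read (your own zones, a passive-DNS export, or a suspicious zone enumerated during an investigation) and flags zones dominated by payload-like blobs. The sample zone is constructed and the thresholds are assumptions to tune.

```python
"""Classify TXT strings into known legitimate families versus payload-like blobs, and
flag a zone when blobs dominate.  Added example; sample zone and thresholds are assumptions."""
import hashlib
import re
from collections import Counter

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
BLOB_MIN_LEN = 64          # assumption: shorter strings are tokens, not payload fragments


def classify_txt(txt: str) -> str:
    """Name the legitimate families first: a DKIM key is itself a long base64 blob and
    would otherwise be misread as a payload fragment."""
    s = txt.strip()
    low = s.lower()
    if low.startswith("v=spf1"):
        return "spf"
    if low.startswith("v=dkim1"):
        return "dkim"
    if low.startswith("v=dmarc1"):
        return "dmarc"
    if re.match(r"^[a-z0-9-]*verification=", low) or low.startswith("ms="):
        return "verification"
    if len(s) >= BLOB_MIN_LEN and HEX_RE.match(s):
        return "hex-blob"
    if len(s) >= BLOB_MIN_LEN and " " not in s and B64_RE.match(s):
        return "base64-blob"
    return "text"


def zone_report(records, blob_min: int = 20, blob_ratio: float = 0.5) -> dict:
    """records: iterable of (owner name, TXT string).  Flag the zone when it holds at
    least blob_min blobs, or when blobs are at least blob_ratio of a zone of 5+ records."""
    classes = Counter(classify_txt(txt) for _, txt in records)
    blobs = classes["hex-blob"] + classes["base64-blob"]
    total = sum(classes.values())
    suspicious = total > 0 and (blobs >= blob_min or (total >= 5 and blobs / total >= blob_ratio))
    return {"records": total, "classes": dict(classes), "blobs": blobs, "suspicious": suspicious}


# Constructed sample zone: an ordinary mail setup plus 30 hex fragments of a hypothetical payload.
_hex = hashlib.sha256(b"constructed fragment").hexdigest() * 4          # 256 hex characters
SAMPLE_ZONE = [
    ("payload-zone.test", "v=spf1 include:_spf.example.net ~all"),
    ("payload-zone.test", "google-site-verification=1a2b3c4d5e6f7g8h"),
    ("_dmarc.payload-zone.test", "v=DMARC1; p=none"),
    ("s1._domainkey.payload-zone.test", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"),
] + [(f"frag{i}.payload-zone.test", _hex[:255]) for i in range(30)]

if __name__ == "__main__":
    print(zone_report(SAMPLE_ZONE))
```

Run against your own zones after every change feed from the hosting provider's API and you get the "sudden surge in TXT records" alarm the list asks for; run it against a zone named in an alert from the query-side detector and the class breakdown tells an analyst within seconds whether the TXT records are SPF and verification tokens or 255-character hex strings.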

Operational Readiness and Policy Implications

In addition to technical defenses, organizations should address policy and process considerations. Security teams need clear playbooks that specify how to handle suspected DNS-based attacks, including steps for data collection, forensics, and containment. Enterprise risk management should incorporate the evolving threat profile of DNS-based payload delivery into overall risk assessments, ensuring that security budgets allocate resources for advanced DNS monitoring, endpoint hardening, and cross-team collaboration. Finally, privacy considerations must be balanced against security needs, particularly in environments that rely on privacy-preserving DNS technologies. This balance requires thoughtful policy development and ongoing stakeholder engagement to ensure that privacy protections do not unintentionally create dangerous gaps in threat detection.

The Evolving Threat Landscape: Implications for Defense and Response

The DNS-based storage and retrieval techniques represent a shift in how attackers approach initial access and payload delivery. Rather than relying solely on phishing emails, drive-by downloads, or direct command-and-control channels, adversaries are exploiting the trust and ubiquity of DNS to move data quietly through a network. This evolving threat landscape calls for a broader, more integrated defense strategy that considers the DNS layer as a critical control point rather than a peripheral system.

Detection is not only about identifying harmful payloads at the endpoint but also about recognizing patterns that signal the orchestration of DNS-based attacks. The emergence of encrypted DNS traffic compounds the challenge and requires security teams to adopt more sophisticated analytics, enhanced correlation across logs, and a willingness to invest in specialized tooling that can analyze DNS metadata without sacrificing user privacy. It is essential to foster a security culture that acknowledges DNS as a potential attack vector and to translate that awareness into concrete protections, procedural changes, and ongoing monitoring.

The Takeaway: DNS Is a Frontline in Modern Cybersecurity

The techniques described—embedding payloads within DNS TXT records, fragmenting data across hundreds of subdomains, and leveraging encoding schemes—demonstrate how attackers can turn a fundamental internet protocol into a covert data channel. The combination of DNS as an essential, often under-scrutinized service with the rising adoption of encryption creates a fertile environment for such abuse. For defenders, the task is to elevate DNS to a visible, monitored, and governed component of the security architecture, ensuring that ordinary DNS functionality does not become a blind spot for malware delivery or covert data exfiltration.

Organizations must invest in a multi-layered approach that includes enhanced DNS telemetry, endpoints capable of recognizing DNS-driven payload construction, and cross-functional collaboration between network operations, security operations, and incident response teams. By developing comprehensive strategies that address DNS fragmentation, TXT record usage, and encrypted DNS transport, defenders can improve their ability to detect and disrupt DNS-based attacks while preserving the privacy benefits that modern DNS technologies provide.

Conclusion

The discovery that attackers exploit DNS records to store and retrieve malicious payloads highlights a persistent truth in cybersecurity: every layer of a network can become a vector for compromise if left unmanaged. DNS, a cornerstone of internet functionality, can be repurposed into a stealthy delivery mechanism that evades conventional defenses when traffic remains encrypted or opaque to security tooling. The Joke Screenmate example and related observations illustrate how hex-encoded binaries can be fragmented and hidden across TXT records, awaiting retrieval by a compromised host. This approach underscores the need for a proactive stance on DNS monitoring, deeper telemetry, and a holistic defense strategy that unites network visibility with endpoint analytics, threat intelligence, and robust incident response capabilities.

Audiences should recognize that encrypted DNS, while delivering privacy advantages, also presents a challenge for defenders seeking to maintain visibility into potential abuse. Building resilience against DNS-based payload delivery requires a balanced integration of privacy-preserving technologies with security controls that can detect suspicious patterns in DNS usage, even when the exact payload remains encrypted. The evolving threat landscape demands ongoing adaptation, investment in advanced detection capabilities, and ongoing collaboration among security teams to ensure that the DNS layer—including TXT records, subdomain structures, and fragment-based payload delivery—is not a silent ally for attackers but a monitored, defended component of a sound cybersecurity posture.