A new malware toolkit dubbed Decoy Dog has been discovered targeting enterprise networks. Decoy Dog employs evasive techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion. "Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level," Infoblox said in an advisory published late last month. The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure. That said, the usage of Decoy Dog in the wild is "very rare," with the DNS signature matching less than 0.0000027% of the 370 million active domains on the internet, according to the California-based company. One of the chief components of the toolkit is Pupy RAT, an open source trojan that's delivered by means of a method called DNS tunneling, in which DNS queries and responses are used as a C2 for stealthily dropping payloads.
top of page
bottom of page