{"id":7676,"date":"2025-05-26T06:41:18","date_gmt":"2025-05-26T11:41:18","guid":{"rendered":"https:\/\/efficientip.com\/?p=78564"},"modified":"2025-05-26T06:41:18","modified_gmt":"2025-05-26T11:41:18","slug":"dns-threat-intelligence-exposed-an-infostealer-deep-dive","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/05\/26\/dns-threat-intelligence-exposed-an-infostealer-deep-dive\/","title":{"rendered":"DNS Threat Intelligence Exposed an Infostealer: Deep Dive"},"content":{"rendered":"<p><head><meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"> <link rel=\"profile\" href=\"http:\/\/gmpg.org\/xfn\/11\"> <meta name=\"format-detection\" content=\"telephone=no\"> <link rel=\"pingback\" href=\"https:\/\/efficientip.com\/xmlrpc.php\"> <title>DNS Threat Intelligence Exposed an Infostealer: Deep Dive | EfficientIP<\/title> <!-- All in One SEO Pro 4.8.1.1 - aioseo.com --> <meta name=\"description\" content=\"How DNS Threat Intelligence Exposed a Zero-Day Infostealer: Deep Dive The internet is rife with hidden threats that often go undetected until they strike - unless you know where to look. 
In a remarkable case of DNS Zero-Day Infostealer Detection, EfficientIP\u2019s DNS Threat Intelligence exposed and blocked a previously unknown infostealer that leverages DNS infrastructure\"> <meta name=\"author\" content=\"Karim Hossen\"> <link rel=\"canonical\" href=\"https:\/\/efficientip.com\/blog\/dns-threat-intelligence-exposed-an-infostealer-deep-dive\/\"> <meta property=\"article:published_time\" content=\"2025-05-26T11:41:18+00:00\"> <meta property=\"article:modified_time\" content=\"2025-05-26T11:43:12+00:00\"><\/head><body class=\"wp-singular post-template-default single single-post postid-78564 single-format-standard wp-embed-responsive wp-theme-bb-theme wp-child-theme-beaverwarrior fl-builder-2-8-5-1 
fl-themer-1-4-11-2 fl-theme-1-7-16 fl-theme-builder-footer fl-theme-builder-footer-footer fl-theme-builder-singular fl-theme-builder-singular-blog-inner fl-theme-builder-header fl-theme-builder-header-header-for-white-bg fl-framework-bootstrap fl-preset-default fl-full-width fl-has-sidebar fl-search-active has-blocks\" itemscope=\"itemscope\" itemtype=\"http:\/\/schema.org\/WebPage\" data-offcanvas-hover-min data-utmpreserve-preserve data-utmpreserve-forminject id=\"readabilityBody\"> <\/p>\n<div class=\"fl-page-content\" itemprop=\"mainContentOfPage\">\n<div class=\"fl-builder-content fl-builder-content-1797 fl-builder-global-templates-locked\" data-post-id=\"1797\">\n<div class=\"fl-row fl-row-full-width fl-row-bg-none fl-node-3wko4tveyu8f fl-row-default-height fl-row-align-center\" data-node=\"3wko4tveyu8f\">\n<div class=\"fl-row-content-wrap\">\n<div class=\"fl-row-content fl-row-fixed-width fl-node-content\">\n<div class=\"fl-col-group fl-node-ql4karf5bwmy\" data-node=\"ql4karf5bwmy\">\n<div class=\"fl-col fl-node-6ik3bvz0h19j fl-col-bg-color fl-col-has-cols\" data-node=\"6ik3bvz0h19j\">\n<div class=\"fl-col-content fl-node-content\">\n<div class=\"fl-col-group fl-node-7tilh4d3s0ex fl-col-group-nested\" data-node=\"7tilh4d3s0ex\">\n<div class=\"fl-col fl-node-x86mc7wkasgz fl-col-bg-color\" data-node=\"x86mc7wkasgz\">\n<div 
class=\"fl-col-content fl-node-content\">\n<div class=\"fl-module fl-module-rich-text fl-node-6gyzi9lx5t1p resource-content\" data-node=\"6gyzi9lx5t1p\">\n<div class=\"fl-module-content fl-node-content\">\n<div class=\"fl-rich-text\"> <html readability=\"99.79796437659\"><body readability=\"199.59592875318\"><\/p>\n<figure class=\"wp-block-image size-large is-style-default\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Dns Zeroday Infostealer Detection by Efficientip | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive.webp?resize=640%2C335&#038;ssl=1\" alt=\"Dns Zero day Infostealer Detection by Efficientip Deep Dive\" class=\"wp-image-78566\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"335\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-4.webp 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-5.webp 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive.jpg 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-1.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><\/figure>\n<h2 class=\"wp-block-heading\">How DNS Threat Intelligence Exposed a Zero-Day Infostealer: Deep Dive<\/h2>\n<p>The internet is rife with hidden threats that often go undetected until they strike \u2013 unless you know where to look. 
In a remarkable case of DNS zero-day infostealer detection, EfficientIP\u2019s DNS Threat Intelligence exposed and blocked a previously unknown infostealer that uses DNS infrastructure to deliver its first-stage payload, evading traditional detection mechanisms and slipping past antivirus engines, IPS\/IDS and endpoint protections.<\/p>\n<p>At the time of <a href=\"https:\/\/efficientip.com\/blog\/zero-day-malware-first-detected-by-dns-threat-intelligence\/\">discovery<\/a>, and still at the time of writing, it had not been flagged as malicious by any major threat feed or VirusTotal entry. <a href=\"https:\/\/efficientip.com\/solutions\/360-dns-security-your-first-line-of-defense\/\">EfficientIP 360\u00b0 DNS Security<\/a> was the only solution to detect and block it.<\/p>\n<p>This blog offers a technical deep dive into the new infostealer, now designated EIP-458-CryptoStealer, drawing on the analysis led by EfficientIP\u2019s security team. Read on to learn how the malware\u2019s payloads were delivered and controlled, the capabilities of the final payload, and how EfficientIP\u2019s <a href=\"https:\/\/efficientip.com\/products\/dns-threat-pulse\/\">DNS Threat Intelligence<\/a> detected the DNS anomalies that uncovered it and mitigated the threat.<\/p>\n<h3 class=\"wp-block-heading\"><strong>DNS Zero-Day Infostealer Detection Trigger: Anomalies in DNS Traffic<\/strong><\/h3>\n<p>The first indication of malicious activity came through EfficientIP\u2019s DNS Threat Intelligence platform, which flagged a surge in DNS TXT queries to the domain slimawriter[.]com. 
While <a href=\"https:\/\/efficientip.com\/glossary\/dns-txt-record\/\">DNS TXT records<\/a> are commonly used for legitimate purposes such as email authentication (SPF, DKIM, DMARC) or domain-ownership validation, the observed query volume and pattern were anomalous.<\/p>\n<p>Crucially, the domain had no A or AAAA records, so it resolved to no IP address at all: it was not hosting a website or any conventional service. A domain that exists only to answer TXT queries is itself a strong indicator of abuse.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Blogcode 01 | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-1.webp?resize=640%2C468&#038;ssl=1\" alt=\"Article image\" class=\"wp-image-78570\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"468\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-1.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-6.webp 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-2.jpg 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-3.jpg 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-4.jpg 1500w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><\/figure>\n<p>EfficientIP\u2019s analysts also noted that the TXT responses carried base64-encoded data whose structure resembled an obfuscated script split into fragments. Further investigation confirmed that the responses were segments of a PowerShell-based stager. 
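<\/p>
<p>The two checks this section describes, as an added example that is not code from the original post or from the EfficientIP product: first, flag zones that receive an anomalous volume of TXT lookups and never return an A or AAAA record; second, put the base64 fragments carried in TXT answers back together. The log layout, the thresholds, the numbered-fragment scheme and the character-by-character reversal are assumptions of the example (the page only states that the fragments had to be reversed and decoded), and the sample log and the placeholder script are constructed, not captured. Python is used so the checks run against any DNS log export; the real stager is PowerShell.<\/p>

```python
import base64
from collections import defaultdict

# Constructed sample log, not captured traffic. Fields: client, qname,
# qtype, rcode, answer count. A NOERROR answer with zero records is the
# NODATA response a resolver gets when the name exists but has no record
# of the requested type, which is the A/AAAA situation described above.
SAMPLE_LOG = (
    [('10.0.0.5', 'slimawriter.com', 'TXT', 'NOERROR', 1)] * 40
    + [('10.0.0.5', 'slimawriter.com', 'A', 'NOERROR', 0),
       ('10.0.0.5', 'slimawriter.com', 'AAAA', 'NOERROR', 0)]
    + [('10.0.0.7', '_dmarc.example.com', 'TXT', 'NOERROR', 1)] * 3
    + [('10.0.0.7', 'example.com', 'A', 'NOERROR', 1)] * 10
    + [('10.0.0.9', 'mail.example.com', 'TXT', 'NOERROR', 1)] * 2
    + [('10.0.0.9', 'mail.example.com', 'A', 'NOERROR', 1)] * 2
)


def zone_of(qname):
    # Assumption for the example: the zone is the last two labels.
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:])


def detect_txt_only_domains(log, min_txt=20, txt_share=0.9):
    # Return {zone: txt_query_count} for zones whose traffic is almost
    # entirely TXT lookups and that never returned an A or AAAA record.
    # Legitimate TXT use (SPF, DKIM, DMARC) lives under a zone that does
    # resolve to an address, so it is not flagged.
    txt = defaultdict(int)
    total = defaultdict(int)
    has_address = set()
    for _client, qname, qtype, rcode, answers in log:
        zone = zone_of(qname)
        total[zone] += 1
        if qtype == 'TXT':
            txt[zone] += 1
        elif qtype in ('A', 'AAAA') and rcode == 'NOERROR' and answers > 0:
            has_address.add(zone)
    return {
        zone: n for zone, n in txt.items()
        if n >= min_txt and n / total[zone] >= txt_share
        and zone not in has_address
    }


# Placeholder for the stager: a harmless command, not the real script.
SAMPLE_STAGER = 'Get-Process | Select-Object -First 5'


def make_txt_fragments(script, chunk=16):
    # Package a script the way this example assumes the stager was
    # packaged: base64, reversed character by character, cut into
    # numbered chunks. The chunks are returned out of order because the
    # strings of a TXT RRset arrive in no guaranteed order.
    b64 = base64.b64encode(script.encode()).decode()[::-1]
    n_parts = -(-len(b64) // chunk)  # ceiling division
    parts = [f'{i}:{b64[i * chunk:(i + 1) * chunk]}' for i in range(n_parts)]
    return parts[::-1]


def reassemble_txt_stager(txt_strings):
    # Inverse of make_txt_fragments: order by sequence number, join,
    # undo the reversal and base64-decode.
    ordered = sorted(txt_strings, key=lambda s: int(s.split(':', 1)[0]))
    joined = ''.join(s.split(':', 1)[1] for s in ordered)
    return base64.b64decode(joined[::-1]).decode()


if __name__ == '__main__':
    print('flagged zones:', detect_txt_only_domains(SAMPLE_LOG))
    fragments = make_txt_fragments(SAMPLE_STAGER)
    print('TXT strings as seen on the wire:', fragments)
    print('reassembled:', reassemble_txt_stager(fragments))
```

<p>The ratio test matters as much as the raw count: a mail-heavy zone can legitimately receive many TXT lookups, but it will also answer A or AAAA queries, so it never reaches the flagged set.<\/p>

<p>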
By reconstructing the fragments, analysts uncovered a script designed to initiate a broader attack chain. These responses can be seen in the raw DNS TXT lookup output below: multiple TXT records, each containing a fragment of base64-encoded data. Once reversed and decoded, these fragments reveal a full PowerShell script used to fetch and execute the main malware payload.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Blogcode 02 | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-2.webp?resize=422%2C1024&#038;ssl=1\" alt=\"Article image\" class=\"wp-image-78571\" fetchpriority=\"high\" decoding=\"async\" width=\"422\" height=\"1024\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-2.webp 422w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-7.webp 124w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-5.jpg 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-6.jpg 633w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-7.jpg 844w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-8.jpg 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-9.jpg 1055w\" sizes=\"(max-width: 422px) 100vw, 422px\"><\/figure>\n<p>With the threat taking shape, we launched a deeper investigation into what became known as EIP-458-CryptoStealer.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Command-and-Control Mechanics<\/strong><\/h3>\n<p>Once the PowerShell stager was 
decoded, its role in establishing command and control (C2) became clear. The script opened outbound HTTPS connections to https:\/\/activatorcounter[.]com\/connect, a domain that was not flagged by antivirus engines at the time of analysis and still is not at the time of writing.<\/p>\n<p>Each connection returned a base64-encoded payload, which the stager decrypted in memory with AES-CBC using a key and IV hardcoded in the script. Because the decrypted instructions never touched disk, file-based endpoint detection and disk forensics had little to work with. The same hardcoded key and IV also mean that, once the stager has been recovered, any captured C2 response can be decrypted offline by an analyst.<\/p>\n<p>The script below shows the logic used for decryption, communication with the C2 server, and in-memory execution of the retrieved instructions:<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Blogcode 03 | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-3.webp?resize=342%2C1024&#038;ssl=1\" alt=\"Article image\" class=\"wp-image-78572\" fetchpriority=\"high\" decoding=\"async\" width=\"342\" height=\"1024\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-3.webp 342w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-8.webp 100w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-10.jpg 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-11.jpg 513w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-12.jpg 684w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-13.jpg 480w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/dns-threat-intelligence-exposed-an-infostealer-deep-dive-14.jpg 855w\" sizes=\"(max-width: 342px) 100vw, 342px\"><\/figure>\n<p>The decrypted instructions were executed silently using a hidden PowerShell process, enabling complete remote control of the infected host. This loop \u2013 fetching, decrypting, and executing new payloads \u2013 persisted until the attacker chose to uninstall the malware or was disrupted.<\/p>\n<p>As a result, EIP-458-CryptoStealer benefited from a highly effective and evasive control mechanism. While DNS traffic delivered the initial stager, the shift to HTTPS for payload delivery provided stealth and resilience.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Main Payload Capabilities Targeted Microsoft and Cryptocurrency Activity<\/strong><\/h3>\n<p>The main payload, retrieved via encrypted HTTPS communication, was an approximately 1000-line PowerShell script designed to target Microsoft Windows systems. Engineered for stealth, persistence, and <a href=\"https:\/\/efficientip.com\/glossary\/what-is-data-exfiltration\/\" title=\"data exfiltration\">data exfiltration<\/a>, its capabilities went far beyond basic reconnaissance.<\/p>\n<p>The 2025 zero-day malware had a clear focus on identifying cryptocurrency-related activity, harvesting system metadata, clipboard contents, and browser extension data to support this objective.<\/p>\n<p>It monitored active application windows for specific keywords linked to crypto wallets and exchanges, such as Binance, MetaMask, and LedgerLive, triggering data capture when matches were found. Next, the CryptoStealer established communication with activatorcounter[.]com\/ping as a data exfiltration channel.<\/p>\n<p>EIP-458-CryptoStealer\u2019s design was heavily focused on evasion and persistence. 
Additional functions included checking antivirus status via WMI, downloading further scripts on demand, and cleaning up traces through self-uninstallation routines. The entire payload ran in memory, which makes it hard to detect or analyze with file-oriented endpoint monitoring tools.<\/p>\n<h4 class=\"wp-block-heading\"><strong>IOC Summary and DNS Indicators<\/strong><\/h4>\n<p>EfficientIP analysts compiled the indicators of compromise (IOCs) associated with EIP-458-CryptoStealer, including cryptographic hashes for both the stager and the main payload:<\/p>\n<figure class=\"wp-block-table is-style-regular\">\n<table>\n<thead>\n<tr>\n<th>Description<\/th>\n<th>Type<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Stager<\/td>\n<td>Hash<\/td>\n<td>MD5: afd1c0d22c427d419da11b855a63605d<br \/>SHA-1: 1ae9b3e0b4d8df0c045258d43521c5f89b8a7be8<br \/>SHA-256: e06d9924e8bb258480702d91a75bfda05f4ddf71869762e3bdfdd6f7f7554437<\/td>\n<\/tr>\n<tr>\n<td>Stager<\/td>\n<td>Domain<\/td>\n<td>slimawriter[.]com<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>Hash<\/td>\n<td>MD5: 6be0c02582a2d8da479f543dacf1691d<br \/>SHA-1: 86675dedad33de575cf809a607ace11062f834a7<br \/>SHA-256: a7c268b33d953662c2208167d1c8393143707ded559c98b854d2f5c455209ceb<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>IP<\/td>\n<td>172.67.163.70<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>IP<\/td>\n<td>104.21.41.88<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>Domain<\/td>\n<td>activatorcounter[.]com<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>Mutex<\/td>\n<td>Global\\JKS825F<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>Mutex<\/td>\n<td>Global\\WSCriptsMonitorMutex<\/td>\n<\/tr>\n<tr>\n<td>Malware<\/td>\n<td>Mutex<\/td>\n<td>Global\\ClipboardMonitorMutex<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The malware\u2019s infrastructure relied on two previously undetected domains: slimawriter[.]com for initial delivery via DNS, 
and activatorcounter[.]com for command and control. Additional IOCs included two associated IP addresses and several mutex names such as Global\\ClipboardMonitorMutex. Note that both IP addresses fall within address ranges published by Cloudflare, so they identify the reverse proxy in front of the C2 host rather than the host itself and are shared with many unrelated sites; the domain names are the reliable indicators.<\/p>\n<p>As discussed, its primary giveaway was its DNS behavior: high-volume DNS TXT queries, base64-encoded payload fragments in the answers, and the total absence of A\/AAAA records.<\/p>\n<p>This case underscores how such a threat can remain active while effectively invisible to endpoint security tools, which is why DNS-layer telemetry was what triggered the investigation and made early containment possible.<\/p>\n<h4 class=\"wp-block-heading\"><strong>Early Detection with DNS Threat Pulse (DTP) \u2013 A DNS-Centric Threat Intelligence Feed<\/strong><\/h4>\n<p>The early detection of EIP-458-CryptoStealer was enabled by <a href=\"https:\/\/efficientip.com\/products\/dns-threat-pulse\/\">DNS Threat Pulse (DTP)<\/a>, EfficientIP\u2019s AI-driven threat intelligence engine. DTP is generated from EfficientIP\u2019s DNS Threat Intelligence Fabric, which continuously analyzes more than 145 billion DNS queries per day. It leverages patented AI-driven algorithms to detect and categorize domains based on malicious behavior, from phishing and botnets to DGA-based zero-day malware.<\/p>\n<p>In this case, anomalies in <a href=\"https:\/\/efficientip.com\/glossary\/dns-txt-record\/\">DNS TXT records<\/a> and DNS-only infrastructure were flagged and escalated through EfficientIP\u2019s real-time monitoring and analysis. This enabled EfficientIP to detect the infostealer before any antivirus or external feed registered the domains as malicious.<\/p>\n<p>DTP can be combined with <a href=\"https:\/\/efficientip.com\/products\/dns-guardian\/\">DNS Guardian<\/a>, allowing policy definition and enforcement based on domain, client identity, and threat category provided by DTP. 
This granular <a href=\"https:\/\/efficientip.com\/glossary\/what-is-dns-filtering\/\">DNS filtering<\/a> is delivered via <a href=\"https:\/\/efficientip.com\/products\/dns-client-query-filtering\/\">Client Query Filtering (CQF)<\/a> and blocks malicious domains in real time. DNS Guardian also integrates with SIEM, SOAR and NAC platforms through open APIs, so a DNS-layer detection can drive investigation and remediation in those tools.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Defense Playbook: What to do Next<\/strong><\/h3>\n<p>For organizations using EfficientIP, the next step after the discovery of EIP-458-CryptoStealer is to check that DTP is enabled and receiving updates, and that CQF is active with a policy that blocks the malware category. As long as that is the case, the two domains are blocked without any manual blocklist maintenance.<\/p>\n<p>For those without DNS-layer controls, block slimawriter[.]com and activatorcounter[.]com at the firewall, web proxy or internal resolver, and add the stager and payload hashes from the IOC table to endpoint protection and IPS\/IDS signatures. Block the two IP addresses only with care: they sit in a shared CDN range, so an IP-level block also affects unrelated sites behind the same proxy. Finally, search DNS and proxy logs for past queries to the two domains; a client that has already fetched the stager needs to be triaged, not just cut off. For more details, please check our <a href=\"https:\/\/efficientip.com\/blog\/zero-day-malware-first-detected-by-dns-threat-intelligence\/\">previous blog<\/a>.<\/p>\n<p>EIP-458-CryptoStealer should also prompt organizations to reevaluate reliance on firewalls, endpoint protection, antivirus or IPS\/IDS alone. DNS-layer visibility offers earlier detection and faster investigation and containment, which is critical against stealthy zero-day malware designed to evade those tools. 
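<\/p>
<p>For the blocking step in the playbook above, as an added example that is not part of the original post and not EfficientIP\u2019s CQF: the two IOC domains rendered as a BIND Response Policy Zone (RPZ), which any RPZ-capable resolver can load, a matcher that shows which query names the zone catches, and a SHA-256 lookup against the payload hashes from the IOC table. The zone name, serial and sample queries are assumptions; the RPZ action CNAME . is the standard one for an NXDOMAIN answer, and the wildcard record is what stops a subdomain such as c2.activatorcounter[.]com from slipping past a name-only rule.<\/p>

```python
import hashlib

# The two domains from the IOC table above.
IOC_DOMAINS = ['slimawriter.com', 'activatorcounter.com']

# SHA-256 values from the IOC table above, for endpoint and IDS matching.
IOC_SHA256 = {
    'e06d9924e8bb258480702d91a75bfda05f4ddf71869762e3bdfdd6f7f7554437': 'stager',
    'a7c268b33d953662c2208167d1c8393143707ded559c98b854d2f5c455209ceb': 'main payload',
}


def rpz_zone(domains, zone='rpz.local', serial=2025052601):
    # Build the records of a BIND Response Policy Zone as a list of lines.
    # Zone name and serial are assumptions. 'CNAME .' is the RPZ action
    # that makes the resolver answer NXDOMAIN; each domain also gets a
    # wildcard record so that every subdomain is covered.
    lines = [
        '$TTL 300',
        f'@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300',
        f'@ IN NS ns.{zone}.',
    ]
    for d in sorted(domains):
        d = d.rstrip('.').lower()
        lines.append(f'{d} CNAME .')
        lines.append(f'*.{d} CNAME .')
    return lines


def rpz_action(qname, domains):
    # Mirror what the name + wildcard pair above does: walk up the labels
    # of the query name and block if any suffix is a listed domain.
    # Matching whole labels, not substrings, keeps notslimawriter.com out.
    labels = qname.rstrip('.').lower().split('.')
    blocked = {d.rstrip('.').lower() for d in domains}
    for i in range(len(labels)):
        if '.'.join(labels[i:]) in blocked:
            return 'NXDOMAIN'
    return 'PASS'


def match_hash(hexdigest):
    # Look a SHA-256 up in the IOC set, case-insensitively.
    return IOC_SHA256.get(hexdigest.lower(), 'unknown')


def classify_sample(data):
    # Hash a file body (bytes) and match it against the IOC set.
    return match_hash(hashlib.sha256(data).hexdigest())


if __name__ == '__main__':
    for line in rpz_zone(IOC_DOMAINS):
        print(line)
    for q in ('slimawriter.com', 'c2.activatorcounter.com.', 'notslimawriter.com'):
        print(q, '->', rpz_action(q, IOC_DOMAINS))
    # Constructed placeholder bytes, not a real sample, so this prints unknown.
    print(classify_sample(b'constructed placeholder, not a real sample'))
```

<p>Two points a practitioner should keep in mind when deploying the zone: the wildcard does not match the apex name itself, which is why both records are emitted per domain, and bumping the SOA serial on every change is what makes secondaries and the resolver pick the new policy up.<\/p>

<p>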
Implementing DNS-centric security controls as a first line of defense is essential today to strengthen protection against stealthy threats such as this 2025 zero-day malware.<\/p>\n<h4 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h4>\n<p>This discovery reinforces the fact that DNS is no longer just the plumbing of your network: <a href=\"https:\/\/efficientip.com\/solutions\/360-dns-security-your-first-line-of-defense\/\">DNS security<\/a> also serves as a front-line defensive layer. While traditional tools failed to identify the new infostealer malware, EfficientIP\u2019s <a href=\"https:\/\/efficientip.com\/products\/dns-threat-pulse\/\">DNS Threat Intelligence<\/a> exposed the threat early, before significant damage could occur.<\/p>\n<p>By leveraging AI-powered threat feeds such as EfficientIP\u2019s DNS Threat Pulse, implementing our <a href=\"https:\/\/efficientip.com\/solutions\/360-dns-security-your-first-line-of-defense\/\">360\u00b0 DNS Security solution<\/a>, and enforcing granular policies at the DNS layer, organizations can gain a strategic edge against zero-day malware and proactively protect users, data, and infrastructures.<\/p>\n<p><a href=\"https:\/\/efficientip.com\/blog\/dns-threat-intelligence-exposed-an-infostealer-deep-dive\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DNS Threat Intelligence Exposed an Infostealer: Deep Dive | 
EfficientIP<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2158,1103,30,62,2123,897,1027,3480],"tags":[2159,1106,38,69,2127,904,1029,3481],"class_list":["post-7676","post","type-post","status-publish","format-standard","hentry","category-data-exfiltration","category-ddi-solutions","category-dns","category-dns-security","category-dns-threat-intelligence","category-enterprise-network-security","category-threat-detection","category-threat-investigation","tag-data-exfiltration","tag-ddi-solutions","tag-dns","tag-dns-security","tag-dns-threat-intelligence","tag-enterprise-network-security","tag-threat-detection","tag-threat-investigation"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Efficient IP","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/efficient-ip\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-exfiltration\/\" rel=\"category tag\">Data Exfiltration<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ddi-solutions\/\" rel=\"category tag\">DDI solutions<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns\/\" rel=\"category tag\">DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns-security\/\" rel=\"category tag\">DNS Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns-threat-intelligence\/\" rel=\"category tag\">DNS Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/enterprise-network-security\/\" rel=\"category tag\">enterprise network security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-detection\/\" rel=\"category tag\">threat 
detection<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-investigation\/\" rel=\"category tag\">Threat Investigation<\/a>","tag_info":"Threat Investigation","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7676"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7676\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}