{"id":8067,"date":"2025-10-09T00:27:00","date_gmt":"2025-10-09T05:27:00","guid":{"rendered":"https:\/\/efficientip.com\/?p=79001"},"modified":"2025-10-09T00:27:00","modified_gmt":"2025-10-09T05:27:00","slug":"ai-driven-dga-detection-uncovers-a-dormant-infostealer","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/09\/ai-driven-dga-detection-uncovers-a-dormant-infostealer\/","title":{"rendered":"AI-Driven DGA Detection Uncovers a Dormant Infostealer"},"content":{"rendered":"<p><head><meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"> <link rel=\"profile\" href=\"http:\/\/gmpg.org\/xfn\/11\"> <meta name=\"format-detection\" content=\"telephone=no\"> <link rel=\"pingback\" href=\"https:\/\/efficientip.com\/xmlrpc.php\"> <title>AI-Driven DGA Detection Uncovers a Dormant Infostealer | EfficientIP<\/title> <!-- All in One SEO Pro 4.8.7.2 - aioseo.com --> <meta name=\"description\" content=\"Discover how AI-Driven DGA Detection with Tuple Clustering reveals hidden malware domains early, reducing false positives and boosting protection.\"> <meta name=\"robots\" content=\"max-snippet:-1, max-image-preview:large, max-video-preview:-1\"> <meta name=\"author\" content=\"Christophe Girard\"> <meta name=\"google-site-verification\" content=\"google-site-verification=H0c1O7ZE7N1TjIz_JSYJiR3coR6om020-rZnV-Elrvo\"> <meta name=\"keywords\" content=\"data exfiltration,dga,dns,dns security,dns threat intelligence,enterprise network security,threat detection,threat investigation\"> <link rel=\"canonical\" href=\"https:\/\/efficientip.com\/blog\/ai-driven-dga-detection-uncovers-a-dormant-infostealer\/\"> <meta name=\"generator\" content=\"All in One SEO Pro (AIOSEO) 4.8.7.2\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:site_name\" content=\"EfficientIP\"> <meta property=\"og:type\" content=\"article\"> <meta 
rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/efficientip.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fefficientip.com%2Fblog%2Fai-driven-dga-detection-uncovers-a-dormant-infostealer%2F&amp;format=xml\">\n<noscript><\/noscript><br \/>\n<!-- Google Tag Manager for WordPress by gtm4wp.com --><br \/>\n<!-- GTM Container placement set to footer --> <!-- End Google Tag Manager for WordPress by gtm4wp.com --><link rel=\"icon\" href=\"https:\/\/efficientip.com\/wp-content\/uploads\/2022\/07\/cropped-Efficient-IP-Favicon-1-32x32.png\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/efficientip.com\/wp-content\/uploads\/2022\/07\/cropped-Efficient-IP-Favicon-1-192x192.png\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/efficientip.com\/wp-content\/uploads\/2022\/07\/cropped-Efficient-IP-Favicon-1-180x180.png\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/efficientip.com\/wp-content\/uploads\/2022\/07\/cropped-Efficient-IP-Favicon-1-270x270.png\"> <noscript><\/noscript> <noscript> <\/noscript><br \/>\n<meta name=\"generator\" content=\"WP Rocket 3.19.4\" data-wpr-features=\"wpr_lazyload_css_bg_img wpr_delay_js wpr_defer_js wpr_minify_js wpr_lazyload_images wpr_image_dimensions wpr_minify_css wpr_preload_links wpr_desktop\"><\/head><body class=\"wp-singular post-template-default single single-post postid-79001 single-format-standard wp-embed-responsive wp-theme-bb-theme wp-child-theme-beaverwarrior fl-builder-2-9-4 fl-themer-1-5-2 fl-theme-1-7-16 fl-no-js fl-theme-builder-footer fl-theme-builder-footer-footer fl-theme-builder-singular fl-theme-builder-singular-blog-inner fl-theme-builder-header fl-theme-builder-header-header-for-white-bg fl-framework-bootstrap fl-preset-default fl-full-width fl-has-sidebar fl-search-active has-blocks\" itemscope=\"itemscope\" itemtype=\"http:\/\/schema.org\/WebPage\" data-offcanvas-hover-min data-utmpreserve-preserve data-utmpreserve-forminject 
id=\"readabilityBody\"> <a aria-label=\"Skip to content\" class=\"fl-screen-reader-text\" href=\"https:\/\/efficientip.com\/blog\/ai-driven-dga-detection-uncovers-a-dormant-infostealer\/#fl-main-content\">Skip to content<\/a> <\/p>\n<div class=\"fl-page-content\" itemprop=\"mainContentOfPage\">\n<div class=\"fl-builder-content fl-builder-content-1797 fl-builder-global-templates-locked\" data-post-id=\"1797\">\n<div class=\"fl-row fl-row-full-width fl-row-bg-none fl-node-b1k2ce8oat94 fl-row-default-height fl-row-align-center\" data-node=\"b1k2ce8oat94\">\n<div class=\"fl-row-content-wrap\">\n<div class=\"fl-row-content fl-row-fixed-width fl-node-content\">\n<div class=\"fl-col-group fl-node-n03jagzvc2tl\" data-node=\"n03jagzvc2tl\">\n<div class=\"fl-col fl-node-89er0fmqv3bj fl-col-bg-color\" data-node=\"89er0fmqv3bj\">\n<div class=\"fl-col-content fl-node-content\" readability=\"33.21826625387\">\n<div class=\"fl-module fl-module-heading fl-node-1f0jhtmx592z\" data-node=\"1f0jhtmx592z\" readability=\"12\">\n<p><h2 class=\"fl-heading\"> <span class=\"fl-heading-text\">EfficientIP\u2019s AI-Driven DGA detection uncovered systematic domain clusters and dormant infrastructure later tied to an Infostealer, enabling proactive protection, early detection, and efficient response.<br \/>\n<\/span> <\/h2>\n<\/p>\n<\/div>\n<div class=\"fl-module fl-module-rich-text fl-node-thaiqw8z9u56\" data-node=\"thaiqw8z9u56\">\n<div class=\"fl-module-content fl-node-content\" readability=\"25.403225806452\">\n<div class=\"fl-rich-text\" readability=\"26.612903225806\">\n<p>October 9, 2025 <span class=\"separator\">|<\/span> Written by: Christophe Girard <span class=\"separator\">|<\/span> <a href=\"https:\/\/efficientip.com\/blog\/category\/dns-security\/\" rel=\"tag\" class=\"dns-security\">DNS Security<\/a><\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<div class=\"fl-row fl-row-full-width fl-row-bg-none fl-node-3wko4tveyu8f 
fl-row-default-height fl-row-align-center\" data-node=\"3wko4tveyu8f\">\n<div class=\"fl-row-content-wrap\">\n<div class=\"fl-row-content fl-row-fixed-width fl-node-content\">\n<div class=\"fl-col-group fl-node-ql4karf5bwmy\" data-node=\"ql4karf5bwmy\">\n<div class=\"fl-col fl-node-j7nz3ua9yrme fl-col-bg-color fl-col-small\" data-node=\"j7nz3ua9yrme\">\n<div class=\"fl-col-content fl-node-content\">\n<div class=\"fl-module fl-module-rich-text fl-node-t7brk9mjsiu4\" data-node=\"t7brk9mjsiu4\" readability=\"32\">\n<div class=\"fl-module-content fl-node-content\" readability=\"34\">\n<p><h3>Get the latest news, invites to events, and much more<\/h3>\n<\/p><\/div>\n<\/div><\/div>\n<\/div>\n<div class=\"fl-col fl-node-6ik3bvz0h19j fl-col-bg-color fl-col-has-cols\" data-node=\"6ik3bvz0h19j\">\n<div class=\"fl-col-content fl-node-content\">\n<div class=\"fl-col-group fl-node-7tilh4d3s0ex fl-col-group-nested\" data-node=\"7tilh4d3s0ex\">\n<div class=\"fl-col fl-node-x86mc7wkasgz fl-col-bg-color\" data-node=\"x86mc7wkasgz\">\n<div class=\"fl-col-content fl-node-content\">\n<div class=\"fl-module fl-module-rich-text fl-node-6gyzi9lx5t1p resource-content\" data-node=\"6gyzi9lx5t1p\">\n<div class=\"fl-module-content fl-node-content\">\n<div class=\"fl-rich-text\"> <html readability=\"100.69540078844\"><body readability=\"201.39080157687\"><\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Blogdns Security Detects Zeroday Malwaredgasocial | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer.webp?resize=640%2C335&#038;ssl=1\" alt=\"Ai driven Dga Detection Uncovers a Dormant Infostealer\" class=\"wp-image-79002\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"335\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer.webp 1024w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-9.webp 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-10.webp 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-11.webp 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-12.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><\/figure>\n<p>By applying patented AI-Driven DGA Detection with Tuple Clustering, entire clusters of domains related to the ViperSoftX variants were identified by EfficientIP\u2019s DNS Security years before they became active. This uncovered the systematic use of domain generation algorithms to sustain command-and-control operations, providing early visibility into one of today\u2019s most persistent infostealer families. The findings confirm how DNS-centric Threat Intelligence delivers protection where traditional security tools fall short, ensuring organizations can stop cyber threats before they strike.<\/p>\n<h2 class=\"wp-block-heading\"><strong>AI-Driven DGA Detection Reveals Infostealer Before It Struck<\/strong><\/h2>\n<p>In our previous blogs, we detailed how EfficientIP\u2019s DNS Threat Intelligence <a href=\"https:\/\/efficientip.com\/blog\/dns-threat-intelligence-exposed-an-infostealer-deep-dive\/\">first detected<\/a> the EIP-458 Infostealer, exposed its stealth tactics, and later confirmed its correlation to the notorious ViperSoftX malware family. Those findings showed how DNS Security solutions can reveal what traditional defenses miss. But the story goes further: by identifying the domain generation algorithms (DGAs) driving this campaign, EfficientIP researchers uncovered entire clusters of dormant domains long before they became active. 
This early visibility meant the infostealer could be detected and contained before launching its malicious activity at scale.<\/p>\n<h2 class=\"wp-block-heading\"><strong>What Are DGAs?<\/strong><\/h2>\n<p>A Domain Generation Algorithm (DGA) is a technique attackers use to automatically create large numbers of domain names. Malware relies on these domains to conduct its malicious activity: contact its command-and-control servers, send stolen data, or receive instructions. DGAs also underpin data exfiltration: stolen information is sent to whichever generated domain is currently live, so blocking a single name does not close the channel. By frequently switching domains, attackers evade detection and keep their operations alive. From early cyber threats like <a href=\"https:\/\/attack.mitre.org\/software\/S0608\/\">Conficker<\/a> to modern ones like <a href=\"https:\/\/attack.mitre.org\/software\/S0600\/\">Doki<\/a>, DGAs show how threat actors evolve to bypass defenses. This is why AI-Driven DGA Detection is critical for stopping them before activation.<\/p>\n<p>Most security tools try to spot DGAs by the domain name itself\u2014its characters and structure (odd mixes, uncommon words, statistical \u201centropy\u201d), sometimes with ML. Attackers now craft names that resemble normal domain names, so this method often misses threats and triggers false alarms. Wordlist-based DGAs such as the one described below\u2014a readable prefix joined to a readable suffix\u2014are exactly the case that character-statistics scoring handles worst.<\/p>\n<p>EfficientIP\u2019s AI-driven DNS security, powered by <a href=\"https:\/\/www.brighttalk.com\/webcast\/18213\/629084\">patented Tuple Clustering<\/a> threat detection, focuses on behavior\u2014not just domain names. It tracks who is querying which domains and when, bundling these signals into simple \u201ctuples.\u201d Clustering those tuples reveals groups that move together like a DGA family, even if some data is missing. 
The result is earlier detection of active and dormant DGAs with fewer false positives.<\/p>\n<h2 class=\"wp-block-heading\"><strong>How the Infostealer Used DGAs to Build Resilient Domain Clusters<\/strong><\/h2>\n<p>In researching the infostealer variants covered in our previous blogs, EfficientIP\u2019s researchers found clear signs of domain generation algorithms within DNS Threat Intelligence. One of the most notable patterns was the creation of systematic domain clusters. Instead of relying on a single command-and-control server, threat actors built families of domains following strict prefix, suffix, and TLD rules. Examples include names like slimawriter[.]com, slimardb[.]xyz, and slimashlow[.]com (indicators are defanged with [.] to avoid accidental resolution), all sharing the same structured pattern. A closer look revealed that all domains in the Slima cluster began with the prefix slima, followed by descriptors such as rdb, shlow, tfdsc, virtualb, or writer, and ended with either .com or .xyz. Among them, slimawriter[.]com stood out, as it was the only registered domain and operated as the active C2 server. 
Queries to this domain were significantly more frequent than to its peers, which remained dormant or unregistered but available as reserves to be activated if needed.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealerfamilies | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-1.webp?resize=640%2C640&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79003\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"640\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-1.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-1.png 150w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-2.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-3.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-13.webp 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-4.png 480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer Families<\/figcaption><\/figure>\n<p>Extending the same AI-Driven DNS security analysis across DNS traffic uncovered additional clusters with different prefixes, including yeild, activato, freed, and quasar.&nbsp;<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealertlds | Efficientip\" 
src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-2.webp?resize=640%2C640&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79004\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"640\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-2.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-5.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-6.png 150w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-7.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-8.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-14.webp 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-9.png 480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer TLDs<\/figcaption><\/figure>\n<p>Together, these naming rules \u2014 five prefixes, five suffixes, and two TLDs \u2014 formed a systematic framework capable of producing hundreds of domains. 
This structure gives threat actors a scalable pool of interchangeable infrastructure, ensuring that when one domain is blocked or seized, another can replace it as soon as the operator registers it (most of the cluster was observed unregistered, returning NXDOMAIN).<\/p>\n<p><img src=\"blob:https:\/\/efficientip.com\/6715ed34-6186-4159-ab2e-695ed38d8c86\" width=\"281.0983981693365\" height=\"152.26293103448276\" fetchpriority=\"high\" decoding=\"async\" alt=\"Image de l\u2019article\"><\/p>\n<p><noscript><img src=\"blob:https:\/\/efficientip.com\/6715ed34-6186-4159-ab2e-695ed38d8c86\" width=\"281.0983981693365\" height=\"152.26293103448276\" fetchpriority=\"high\" decoding=\"async\" alt=\"Image de l\u2019article\"><\/noscript> <\/p>\n<p>This design illustrates how the campaign achieved resilience through redundancy. By rotating through structured clusters of domains, attackers ensured continuity and persistence, allowing them to operate undisturbed and conduct data exfiltration while making takedown efforts far more complex.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Domain Generation Algorithms Enabled Persistence<\/strong><\/h2>\n<p>What enabled these structured clusters to exist at scale was the use of domain generation algorithms (DGAs). Instead of manually registering domains, the 2025 Zero-Day malware relied on a PowerShell routine that enumerates every prefix, suffix, and TLD combination (the lists in the excerpt below yield 5 \u00d7 5 \u00d7 2 = 50 names; reaching hundreds of domains would require larger wordlists than the excerpt shows). 
This automation gave threat actors a renewable infrastructure: when one domain was blocked, new ones could instantly take its place.<\/p>\n<p>A <strong>trimmed excerpt<\/strong> of the routine is shown below (non-executable, with some lines intentionally removed for safety):<\/p>\n<p># Simplified DGA domain generation (trimmed for safety)<br \/>$domains&nbsp; = @(\u201ccom\u201d,\u201dxyz\u201d)<br \/>$prefixes = @(\u201cactivato\u201d,\u201dslima\u201d,\u201dyeild\u201d,\u201dquasa\u201d,\u201dfreed\u201d)<br \/>$suffixes = @(\u201crdb\u201d,\u201dwriter\u201d,\u201dshlow\u201d,\u201dtfdsc\u201d,\u201dvirtualb\u201d)<\/p>\n<p>foreach ($tld <strong>in<\/strong> $domains) {<br \/>&nbsp; foreach ($pre <strong>in<\/strong> $prefixes) {<br \/>&nbsp; &nbsp; foreach ($suf <strong>in<\/strong> $suffixes) {<br \/>&nbsp; &nbsp; &nbsp; $fqdn = \u201c$pre$suf.$tld\u201d<br \/>&nbsp; &nbsp; &nbsp; $res&nbsp; = Query-DnsUpdates -targetDomain $fqdn &nbsp; # fetch TXT records<br \/>&nbsp; &nbsp; &nbsp; # Payload processing logic removed for safety<br \/>&nbsp; &nbsp; }<br \/>&nbsp; }<br \/>}<\/p>\n<p>This algorithm generated domains such as slimawriter[.]com, freedrdb[.]xyz, or activatoshlow[.]com (note that the excerpt spells the fourth prefix quasa, whereas the cluster is referred to as quasar elsewhere in this post; the two should be reconciled). The malware then queried their TXT records to retrieve encoded payload fragments. Because payload delivery rides on DNS TXT answers, blocking or sinkholing the generated names at the resolver breaks the loader even when a domain is registered and live, and a single client issuing TXT lookups for a run of never-before-seen names is a pattern worth hunting for in resolver logs. With this method, attackers could rotate in dormant or unregistered domains the moment active ones were blocked, ensuring continuity.<\/p>\n<p>EfficientIP designated this DGA family as EIP-455-EconoMimics. Using its AI-driven Security based on <strong>innovative Tuple Clustering technology<\/strong>, the clusters were detected by EfficientIP\u2019s DNS Security before they became operational. The algorithm worked by analyzing anomalies in DNS behavior, then using graph analysis and unsupervised machine learning to correlate those anomalies into families.&nbsp; Unlike syntax-only methods, <strong>AI-Driven DGA Detection<\/strong> exposed both active C2s and dormant domains. 
This gave defenders predictive visibility into attacker infrastructure.&nbsp;<\/p>\n<p>The DNS Threat Intelligence graph below shows client activity associated with EIP-455 from May to September 2025. Peaks in predictable DGA client counts reveal when the malware attempted to query generated domains, while sharp drops reflect blocks or inactivity. This timeline illustrates how AI-Driven DNS Security continuously tracks attacker behavior.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealereconomicsmatches | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-3.webp?resize=640%2C346&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79005\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"346\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-3.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-10.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-11.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-12.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-15.webp 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-13.png 480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer Economics Matches<\/figcaption><\/figure>\n<p>The EIP-455-EconoMimics family was then added to EfficientIP\u2019s <a href=\"https:\/\/efficientip.com\/products\/dns-threat-pulse\/\">DNS Threat Intelligence feed<\/a>, protecting our customers even 
while the 2025 Zero-Day malware was still dormant. This detection is clearly illustrated in EfficientIP\u2019s DNS Intelligence Center (DNS IC) dashboard. The screenshot below shows systematic clusters such as slima, activato, freed, quasar, and yeild, all tagged under EIP-455 ID. Most domains still returned NXDOMAIN, highlighting how the DNS Security AI-Driven DGA Detection exposed dormant infrastructure long before it became operational \u2014 enabling proactive protection.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealereip455economimicsmatches | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-4.webp?resize=640%2C286&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79006\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"286\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-4.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-14.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-15.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-16.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-17.png 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-16.webp 1903w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer-EIP-455-EconoMimics-Matches<\/figcaption><\/figure>\n<p>DGAs give the campaign long-term persistence and make takedown efforts far more difficult, since defenders cannot simply neutralize a handful of 
domains. By focusing on behavioral DNS signals, EfficientIP\u2019s AI-Driven DGA Detection with Tuple Clustering revealed not only the active C2s but also dormant and unregistered domains. This enabled the EfficientIP DNS Security Solution to identify attacker infrastructure early and protect customers by disrupting campaigns before they became operational.<\/p>\n<h2 class=\"wp-block-heading\"><strong>AI-Driven DGA Detection Also Protected Against the ViperSoftX Variant<\/strong><\/h2>\n<p>In our previous blog, we detailed how EfficientIP\u2019s <a href=\"https:\/\/efficientip.com\/products\/dns-intelligence-center\/\">DNS Threat Intelligence<\/a> exposed the link between the infostealer variants and the notorious ViperSoftX family. That AI-Driven security analysis confirmed attribution through cryptographic reuse and overlapping infrastructure. But the research also revealed that the ViperSoftX malware uses the PwrSh:CryptoStealer-C DGA. <strong>AI-Driven DGA Detection<\/strong> had identified the PwrSh:CryptoStealer-C malicious activity in our DNS Threat Intelligence as far back as June 2022. The first finding came from observing that domains seen in recent infostealer activity were consistent with historical ViperSoftX infrastructure. These domains followed systematic naming rules, combining predictable prefixes such as wmail, fairu, bideo, privatproxy, and ahoravideo with suffixes like endpoint, blog, chat, cdn, and schnellvpn, across both .com and .xyz. 
The screenshot below shows the threat matches in EfficientIP\u2019s DNS Threat Intelligence dashboard between May and September 2025, where these recurring domain patterns were identified.&nbsp;<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealerpwrshcryptostealercmatches | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-5.webp?resize=640%2C293&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79007\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"293\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-5.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-18.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-19.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-20.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-21.png 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-17.webp 1903w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer-PwrSh:CryptoStealer-C-Matches<\/figcaption><\/figure>\n<p>Tracking back the malicious activity with AI-Driven DNS security revealed an even deeper history. Monitoring command-and-control (C&amp;C) traffic showed that the DGA family has been active since June 2022. 
This demonstrated that EfficientIP\u2019s AI-Driven DGA Detection had been flagging ViperSoftX-related infrastructure long before the most recent infostealer variants came to light.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealerpweshmatches4yrs | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-6.webp?resize=640%2C250&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79008\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"250\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-6.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-22.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-23.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-24.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-18.webp 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-25.png 480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer-PweSh Matches<\/figcaption><\/figure>\n<p>Looking further back across the full four-year monitoring window revealed the true scale of the campaign. Thousands of related domains tied to ViperSoftX and its variants were generated during that period, many of which were detected and flagged by EfficientIP\u2019s DNS Security before activation. 
This long-term visibility confirmed that the operators relied on systematic, large-scale domain generation to maintain persistence and ensure their infrastructure could survive takedowns.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealerpwrshcryptostealerccnc+domains4yrs | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-7.webp?resize=640%2C193&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79009\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"193\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-7.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-26.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-27.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-28.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-29.png 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-19.webp 1909w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer-PwrSh CryptoStealer-C-CNC<\/figcaption><\/figure>\n<p>Recent monitoring of DNS traffic confirms that the PwrSh:CryptoStealer-C DGA family is far from inactive. Between May and September 2025, EfficientIP\u2019s DNS Security solution identified a steady stream of domain-generation activity, clearly visible as a continuous line of threat detections. 
This demonstrates that ViperSoftX and its variants remain highly active over time.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" fetchpriority=\"high\" title=\"Bp245infostealerpweshmatches | Efficientip\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-8.webp?resize=640%2C379&#038;ssl=1\" alt=\"Image De Larticle\" class=\"wp-image-79010\" fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"379\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-8.webp 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-30.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-31.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-32.png 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-20.webp 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/ai-driven-dga-detection-uncovers-a-dormant-infostealer-33.png 480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption class=\"wp-element-caption\">Infostealer-PweSh Matches<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>Key Takeaways<\/strong><\/h2>\n<p>From uncovering stealthy infostealer variants to detecting the long-term domain-generation activity behind ViperSoftX and its variants, this AI-Driven security research shows how attackers are building resilient infrastructures designed to evade takedowns. 
By leveraging patented AI-Driven DGA Detection with Tuple Clustering, <a href=\"https:\/\/efficientip.com\/solutions\/360-dns-security-your-first-line-of-defense\/\">EfficientIP\u2019s 360\u00b0 DNS Security solution<\/a> identified these cyber threats years before they became fully active\u2014revealing systematic domain clusters, tracking C&amp;C activity, and confirming the evolution of one of today\u2019s most dangerous infostealer families. This early threat detection ensures organizations remain protected against campaigns that traditional security tools fail to detect.<\/p>\n<p><\/body><br \/>\n<\/html><\/div>\n<\/p><\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n<div class=\"fl-col-group fl-node-8oqvc36nk4wz fl-col-group-nested\" data-node=\"8oqvc36nk4wz\">\n<div class=\"fl-col fl-node-zfgsxvydn1tu fl-col-bg-photo\" data-node=\"zfgsxvydn1tu\">\n<div class=\"fl-col-content fl-node-content\" readability=\"27.665338645418\">\n<div class=\"fl-module fl-module-heading fl-node-iudprhnsx4c3\" data-node=\"iudprhnsx4c3\" readability=\"7\">\n<p><h3 class=\"fl-heading\"> <span class=\"fl-heading-text\"> Strengthen your Network Protection: Check if DGAs are active in Your DNS <\/span> <\/h3>\n<\/p>\n<\/div>\n<div class=\"fl-module fl-module-rich-text fl-node-zjyf4i1pa2sr\" data-node=\"zjyf4i1pa2sr\">\n<div class=\"fl-module-content fl-node-content\" readability=\"31.5\">\n<div class=\"fl-rich-text\" readability=\"33\">\n<p>Run a free DNS Risk Assessment to see if DGAs are operating in your network \u2014 and detect threats like ViperSoftX variants before they become active.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<\/div><\/div>\n<\/div>\n<\/div><\/div>\n<div class=\"fl-col-group fl-node-q0luxfnc68h4\" data-node=\"q0luxfnc68h4\">\n<div class=\"fl-col fl-node-58pt2he0o7nw fl-col-bg-color\" data-node=\"58pt2he0o7nw\">\n<div class=\"fl-col-content fl-node-content\">\n<div class=\"fl-module fl-module-bw-related-posts fl-node-qjvi3gu1mc6t\" 
data-node=\"qjvi3gu1mc6t\">\n<div class=\"fl-module-content fl-node-content\" readability=\"10.116766467066\">\n<div class=\"related-posts\" readability=\"2.2844311377246\"> <!-- Section Title and Description --> <\/p>\n<h2 class=\"related-posts__title\"> Latest Blog Posts <\/h2>\n<p class=\"related-posts__description\"> Explore content highlighting the value EfficientIP solutions bring to your network <\/p>\n<p> <!-- Blog Posts\/For Mobile slider wrapper --> <\/div>\n<\/p><\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<\/div><\/div>\n<p><!-- .fl-page-content --><\/p>\n<footer class=\"fl-builder-content fl-builder-content-651 fl-builder-global-templates-locked\" data-post-id=\"651\" data-type=\"footer\" itemscope=\"itemscope\" itemtype=\"http:\/\/schema.org\/WPFooter\">\n<div class=\"fl-row fl-row-full-width fl-row-bg-color fl-node-8r0kfap1bu5m fl-row-default-height fl-row-align-center\" data-node=\"8r0kfap1bu5m\">\n<div class=\"fl-row-content-wrap\">\n<div class=\"fl-row-content fl-row-fixed-width fl-node-content\">\n<div class=\"fl-col-group fl-node-tb9w0znxom2s fl-col-group-equal-height fl-col-group-align-center fl-col-group-custom-width\" data-node=\"tb9w0znxom2s\">\n<div class=\"fl-col fl-node-kbfdxo6msgna fl-col-bg-color fl-col-small fl-col-small-custom-width\" data-node=\"kbfdxo6msgna\">\n<div class=\"fl-col-content fl-node-content\">\n<div class=\"fl-module fl-module-rich-text fl-node-so3qg2du7cjl\" data-node=\"so3qg2du7cjl\">\n<div class=\"fl-module-content fl-node-content\">\n<div class=\"fl-rich-text\">\n<p>\u00a9 2025 EfficientIP<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<\/footer>\n<p> <!-- GTM Container placement set to footer --><br \/>\n<!-- Google Tag Manager (noscript) --> <noscript><\/noscript><br \/>\n<!-- End Google Tag Manager (noscript) --> <\/body> <!-- This website is like a Rocket, isn't it? Performance optimized by WP Rocket. 
Learn more: https:\/\/wp-rocket.me --><a href=\"https:\/\/efficientip.com\/blog\/ai-driven-dga-detection-uncovers-a-dormant-infostealer\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI-Driven DGA Detection Uncovers a Dormant Infostealer | EfficientIP Skip<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2158,495,30,62,2123,897,1027,3480],"tags":[2159,502,38,69,2127,904,1029,3481],"class_list":["post-8067","post","type-post","status-publish","format-standard","hentry","category-data-exfiltration","category-dga","category-dns","category-dns-security","category-dns-threat-intelligence","category-enterprise-network-security","category-threat-detection","category-threat-investigation","tag-data-exfiltration","tag-dga","tag-dns","tag-dns-security","tag-dns-threat-intelligence","tag-enterprise-network-security","tag-threat-detection","tag-threat-investigation"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Efficient IP","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/efficient-ip\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-exfiltration\/\" rel=\"category tag\">Data Exfiltration<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dga\/\" rel=\"category tag\">DGA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns\/\" rel=\"category tag\">DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns-security\/\" rel=\"category tag\">DNS Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns-threat-intelligence\/\" rel=\"category tag\">DNS Threat Intelligence<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/enterprise-network-security\/\" rel=\"category tag\">enterprise network security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-detection\/\" rel=\"category tag\">threat detection<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-investigation\/\" rel=\"category tag\">Threat Investigation<\/a>","tag_info":"Threat Investigation","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8067","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8067"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8067\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}