Infoblox Threat Intel

Decoy Dog

Decoy Dog is a malware toolkit that uses DNS for command and control (C2), allowing compromised clients to communicate with an attacker via DNS queries through a purpose-built DNS name server. Discovered and dissected through DNS query logs, Decoy Dog is used by multiple actors and went undetected by the industry for over a year. It was first used in the Russia-Ukraine war, but as the number of actors using it has grown, it might be used beyond Eastern Europe.

  • Operating since: At least April 2022
  • Infoblox discovered: March 2023
  • Infoblox published: April 2023, July 2023
  • Prevalence: Very rare

Threat actor resources

Webinar

Dr. Renée Burton
September 5, 2023

Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack

In April 2023, Infoblox disclosed the discovery of Decoy Dog, a malware toolkit that uses the domain name system (DNS) to perform command and control (C2).

Press Release

Infoblox Threat Intel
July 25, 2023

Decoy Dog is No Ordinary Pupy – Infoblox Reveals Shift in Malware Tactics After Initial Discovery

Infoblox discovers that open-source software Pupy is a smokescreen for the real capabilities of Decoy Dog – highlighting the critical need for DNS security.

Blog

Infoblox Threat Intel
July 25, 2023

Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack

The article provides a brief overview of our conclusions. Get the full report, including our Decoy Dog YARA rule, here and read the original paper here.

Report

Infoblox Threat Intel
July 25, 2023

Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack

Decoy Dog is a malware toolkit discovered by Infoblox that uses the domain name system (DNS) to perform command and control (C2).

Media Article

Gestalt IT
May 11, 2023

Infoblox Uncovers Decoy Dog

Infoblox has released a threat report on a remote access trojan toolkit called “Decoy Dog” that utilized DNS command and control and went undetected for a year in various sectors across multiple regions.

Media Article

TechRepublic
May 2, 2023

Infoblox discovers rare Decoy Dog C2 exploit

Domain security firm Infoblox discovered a command-and-control exploit that, while extremely rare and complex, could be a warning growl from a new, as-yet anonymous state actor.

Media Article

Bleeping Computer
April 23, 2023

Decoy Dog malware toolkit found after analyzing 70 billion daily DNS queries

A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.

Blog

Infoblox Threat Intel
April 20, 2023

Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic

Infoblox analyzes over 70 billion DNS records each day, along with millions of domain-related records from other sources, to identify suspicious and malicious domains throughout the internet.
