
DNS Threat Intelligence Exposed an Infostealer: Deep Dive

May 26, 2025 | Written by: Karim Hossen |


How DNS Threat Intelligence Exposed a Zero-Day Infostealer: Deep Dive

The internet is rife with hidden threats that often go undetected until they strike – unless you know where to look. In a remarkable case of DNS Zero-Day Infostealer Detection, EfficientIP’s DNS Threat Intelligence exposed and blocked a previously unknown infostealer that leverages DNS infrastructure for data exfiltration while evading traditional detection mechanisms, slipping past antivirus engines, IPS/IDS and endpoint protections.

At the time of discovery, and up until the moment of writing these lines, it had not been flagged as malicious by any major threat feeds or VirusTotal entries. EfficientIP 360° DNS Security was the only solution to detect and block it.

This blog offers a technical deep dive into the new Infostealer malware, now designated EIP-458-CryptoStealer, drawing on the cutting-edge research and analysis led by EfficientIP’s security team. Read on to learn how the malware’s payloads were delivered and controlled, the malicious capabilities embedded in the final executable, and how EfficientIP’s DNS Threat Intelligence detected DNS anomalies that uncovered the new infostealer malware and mitigated the threat.

DNS Zero-Day Infostealer Detection Trigger: Anomalies in DNS Traffic

The first indication of malicious activity came through EfficientIP’s DNS Threat Intelligence platform, which flagged a surge in DNS TXT queries to the domain slimawriter[.]com. While DNS TXT records are commonly used for legitimate purposes such as email authentication or software validation, the observed query pattern was excessive and anomalous.

Crucially, the domain had no A or AAAA records, meaning it had no associated IP address. This suggested it was not hosting a traditional website or service. The fact it functioned purely through DNS was another strong indicator of abuse.


EfficientIP’s analysts also noted that the DNS TXT responses contained base64-encoded data with a structure resembling an obfuscated script, apparently a payload split into fragments. Further investigation revealed the responses were the segments of a PowerShell-based stager. By reconstructing the fragments, analysts uncovered a script designed to initiate a broader attack chain. These responses can be seen in the raw DNS TXT lookup output below: multiple TXT records, each containing a fragment of base64-encoded data. Once reversed and decoded, these fragments reveal a full PowerShell script used to fetch and execute the main malware payload.
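As an added illustration, not code from the original post or from EfficientIP’s products, the following Python turns the three DNS signals described above into a detection heuristic run over constructed passive-DNS log lines: high TXT query volume per domain, TXT answers that look like base64 fragments, and no A/AAAA records ever seen for the domain. The log format, the thresholds, the sample domain names and the two-label approximation of a registered domain are all assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), one record per
# line: <timestamp> <client> <qname> <qtype> <rdata>. txt-only.example mimics
# the observed pattern: many TXT answers carrying base64 fragments, no A/AAAA.
SAMPLE_LOG = "\n".join(
    [f"2025-05-20T10:00:{i:02d} 10.0.0.5 p{i}.txt-only.example TXT "
     + base64.b64encode(f"payload-fragment-{i:02d}".encode()).decode()
     for i in range(25)]
    + ["2025-05-20T10:01:00 10.0.0.7 mail.example TXT v=spf1 include:_spf.example -all",
       "2025-05-20T10:01:01 10.0.0.7 mail.example A 192.0.2.10",
       "2025-05-20T10:01:02 10.0.0.9 www.example AAAA 2001:db8::1"])

# One unbroken base64 alphabet run with optional padding (SPF/DKIM/DMARC
# records contain '=' mid-string, spaces or ';' and therefore fail this test).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def parse_log(text):
    """Return (client, qname, qtype, rdata) tuples; rdata may contain spaces."""
    records = []
    for line in text.splitlines():
        _ts, client, qname, qtype, rdata = line.split(" ", 4)
        records.append((client, qname.lower(), qtype.upper(), rdata))
    return records

def registered_domain(qname):
    """Assumption: the last two labels approximate the registered domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def looks_base64(rdata):
    """True if the TXT answer is a single well-formed base64 blob."""
    return bool(B64_RE.match(rdata)) and len(rdata) % 4 == 0

def score_domains(records, txt_threshold=20, b64_fraction=0.8):
    """Flag domains with high TXT volume, base64-like answers and no A/AAAA."""
    stats = defaultdict(lambda: {"txt": 0, "b64": 0, "addr": 0})
    for _client, qname, qtype, rdata in records:
        s = stats[registered_domain(qname)]
        if qtype == "TXT":
            s["txt"] += 1
            if looks_base64(rdata):
                s["b64"] += 1
        elif qtype in ("A", "AAAA"):
            s["addr"] += 1
    return {d: dict(s) for d, s in stats.items()
            if s["txt"] >= txt_threshold and s["addr"] == 0
            and s["b64"] / s["txt"] >= b64_fraction}
```

Legitimate TXT-heavy zones (mail authentication, domain-validation tokens) normally also answer A/AAAA queries, which is why the absence of address records is required before a domain is flagged.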

[Figure: raw DNS TXT lookup output for the stager domain; image not captured]

With the threat taking shape, we launched a deeper investigation into what became known as EIP-458-CryptoStealer.

Command-and-Control Mechanics

Once the PowerShell stager was decoded, its role in establishing command and control (C2) became clear. The script initiated outbound HTTPS connections to https://activatorcounter[.]com/connect, a domain that was not filtered by antivirus engines at the time of analysis and still is not as of this writing.

Each connection returned a base64-encoded payload, which the stager decrypted in memory using AES-CBC with a hardcoded key and IV. This in-memory execution ensured that no files were written to disk, allowing the malware to evade endpoint threat detection tools and forensic analysis.

The script below shows the logic used for decryption, communication with the C2 server, and in-memory execution of the retrieved instructions:

[Figure: stager script showing the decryption, C2 communication and in-memory execution logic; image not captured]

The decrypted instructions were executed silently using a hidden PowerShell process, enabling complete remote control of the infected host. This loop – fetching, decrypting, and executing new payloads – persisted until the attacker chose to uninstall the malware or was disrupted.

As a result, EIP-458-CryptoStealer benefited from a highly effective and evasive control mechanism. While DNS traffic delivered the initial stager, the shift to HTTPS for payload delivery provided stealth and resilience.

Main Payload Capabilities Targeted Microsoft and Cryptocurrency Activity

The main payload, retrieved via encrypted HTTPS communication, was an approximately 1000-line PowerShell script designed to target Microsoft Windows systems. Engineered for stealth, persistence, and data exfiltration, its capabilities went far beyond basic reconnaissance.

The 2025 zero-day malware had a clear focus on identifying cryptocurrency-related activity, harvesting system metadata, clipboard contents, and browser extension data to support this objective.

It monitored active application windows for specific keywords linked to crypto wallets and exchanges, such as Binance, MetaMask, and LedgerLive, triggering data capture when matches were found. Next, the CryptoStealer established communication with activatorcounter[.]com/ping as a data exfiltration channel.

EIP-458-CryptoStealer’s design was heavily focused on evasion and persistence. Additional functions included checking antivirus status via WMI, dynamically downloading additional scripts, and cleaning up traces through self-uninstallation routines. Further, the entire payload ran in-memory, making it difficult to detect or analyze through traditional endpoint monitoring tools.

IOC Summary and DNS Indicators

EfficientIP analysts compiled a comprehensive set of indicators of compromise (IOCs) associated with EIP-458-CryptoStealer. Key elements included cryptographic hashes for both the stager and main payload:

Description | Type   | Value
Stager      | Hash   | MD5: afd1c0d22c427d419da11b855a63605d
Stager      | Hash   | SHA1: 1ae9b3e0b4d8df0c045258d43521c5f89b8a7be8
Stager      | Hash   | SHA256: e06d9924e8bb258480702d91a75bfda05f4ddf71869762e3bdfdd6f7f7554437
Stager      | Domain | slimawriter[.]com
Malware     | Hash   | MD5: 6be0c02582a2d8da479f543dacf1691d
Malware     | Hash   | SHA1: 86675dedad33de575cf809a607ace11062f834a7
Malware     | Hash   | SHA256: a7c268b33d953662c2208167d1c8393143707ded559c98b854d2f5c455209ceb
Malware     | IP     | 172.67.163.70
Malware     | IP     | 104.21.41.88
Malware     | Domain | activatorcounter[.]com
Malware     | Mutex  | Global\JKS825F
Malware     | Mutex  | Global\WSCriptsMonitorMutex
Malware     | Mutex  | Global\ClipboardMonitorMutex

The malware’s infrastructure relied on two previously undetected domains: slimawriter[.]com for initial delivery via DNS, and activatorcounter[.]com for command and control. Additional IOCs included two associated IP addresses and multiple mutex values such as Global\ClipboardMonitorMutex.

As discussed, its primary giveaway was its unique DNS behavior: high-volume DNS TXT queries, base64-encoded payload fragments, and the total absence of A/AAAA records.

This case underscores how such threats can remain active while effectively invisible to endpoint security tools, which is why DNS Threat Intelligence is needed to initiate early threat investigation and containment.

Early Detection with DNS Threat Pulse (DTP) – A DNS-Centric Threat Intelligence Feed

The early detection of EIP-458-CryptoStealer was enabled by DNS Threat Pulse (DTP), EfficientIP’s AI-driven threat intelligence engine. DTP is generated from EfficientIP’s DNS Threat Intelligence Fabric, which continuously analyzes more than 145 billion DNS queries per day. It leverages patented AI-driven algorithms to detect and categorize domains based on malicious behavior, from phishing and botnets to DGA-based zero-day malware.

In this case of DNS zero-day Infostealer detection, anomalies in DNS TXT records and DNS-only infrastructure were flagged and escalated through EfficientIP’s real-time monitoring and analysis. This enabled EfficientIP to detect the infostealer before any antivirus or external feed registered the domains as malicious.

DTP can be combined with DNS Guardian, allowing policy definition and enforcement based on domain, client identity, and threat category provided by DTP. This highly granular DNS filtering is delivered via Client Query Filtering (CQF) and provides real-time protection by blocking malicious domains. For an effective threat response, DNS Guardian also integrates seamlessly with SIEM, SOAR, and NAC platforms through open APIs, fueling rapid threat detection, threat investigation and remediation.

Defense Playbook: What to do Next

For organizations using EfficientIP, after the discovery of EIP-458-CryptoStealer, the next step is to check that their DTP is turned on and up to date, and to make sure their CQF is activated and defined to block malware. As long as CQF is activated and receiving updates, no further manual monitoring is required to stay safe. 

For those without DNS-layer controls, the best move is to immediately add firewall entries blocking communication with the stager and malware domains and IP addresses listed above. You should also manually block the payload signatures in your firewall, endpoint protection, or IPS/IDS solution. For more details, please check our previous blog.

EIP-458-CryptoStealer should also prompt organizations to reevaluate reliance on traditional security tools such as firewalls, endpoints, anti-viruses, or IPS/IDS alone. DNS-layer visibility offers earlier threat detection and faster threat investigation and containment, critical in defending against stealthy zero-day malware designed to evade other tools. Implementing DNS-centric security controls as the first line of defense is essential today to strengthen protection against stealthy threats such as this 2025 zero-day malware.

Conclusion

This discovery reinforces the fact that DNS is no longer just the plumbing of your network – DNS security also serves as a front-line defensive layer. While traditional tools failed to identify the new Infostealer malware, EfficientIP’s DNS Threat Intelligence exposed the threat early, before significant damage could occur.

By leveraging AI-powered threat feeds such as EfficientIP’s DNS Threat Pulse, implementing our 360° DNS Security solution, and enforcing granular policies at the DNS layer, organizations can gain a strategic edge against zero-day malware and proactively protect users, data, and infrastructures.
