Zero-Day Malware First Detected by DNS Threat Intelligence

A previously unknown malware campaign was uncovered through EfficientIP’s real-time DNS Threat Intelligence. By exploiting DNS TXT records for stealthy command-and-control and data exfiltration, it bypassed traditional defenses—until DNS Security stopped it.

EfficientIP’s DNS Threat Intelligence has identified a previously unknown infostealer malware actively targeting enterprise networks—undetected by all major antivirus engines and threat intelligence feeds. This zero-day malware campaign uses DNS TXT records to stealthily communicate and exfiltrate data, completely bypassing traditional endpoint and perimeter defenses.

Zero-Day Malware Uncovered First by EfficientIP’s DNS Threat Intelligence

The malware was uncovered using EfficientIP’s real-time, AI-driven DNS Threat Intelligence, which is part of EfficientIP 360° DNS Security Solution. The DNS Threat Intelligence flagged unusual DNS TXT query activity in the global internet DNS traffic. While TXT records are often used for legitimate functions like domain verification or email security (SPF, DKIM), these queries stood out even though the volume of requests was relatively low at this time, due to the high length of the TXT records and their encoded structure.

At the time of discovery, none of the domains or payloads were flagged as malicious in common threat and Anti-Virus feeds, confirming that this was a zero-day threat operating in the wild undetected.

EfficientIP’s DNS Threat Intelligence feed, DNS Threat Pulse (DTP)  blocked all malicious domains, preventing further spread and reducing potential impact for protected customers.

Malware Execution Flow: Step by Step

Step 1: Initial Access via DNS TXT Records (Stager)
A threat investigation by EfficientIP’s research team revealed that the unusual TXT record activity was consistently associated with the domain slimawriter[.]com, which is the stager of the malware. This domain has been registered in mid-April, and has no IP address records (had no A or AAAA records) associated with it, only TXT records, suggesting it wasn’t hosting a website, but was configured solely for DNS-based command and control communication. Despite that, it responded to TXT queries with long Base64-encoded strings that revealed a powerShell script designed to initiate the infection process.

Step 2: Downloading and Decrypting the Main Malware (Payload)
The stager contacted another domain, activatorcounter[.]com, to download the main malware payload. This domain serves as the command-and-control (C2) server, delivering encrypted instructions and payloads to the infected device. This payload was encrypted with AES keys stored in the stager’s script and, once decrypted, ran silently on the target machine—bypassing antivirus tools entirely. To ensure only one instance runs on each host, the malware uses a global Microsoft Windows mutex.

Step 3: Data Collection and Exfiltration (Malicious Actions)
The final payload, which is the main malware, is a 1,000-line PowerShell script targeting Microsoft Windows devices. It is primarily designed to harvest cryptocurrency wallet information. The malware performs data exfiltration by sending any collected sensitive information to the attacker’s API endpoint at: https://activatorcounter[.]com/connect/ping.

The payload performs several actions, including:

• Checking antivirus status using WMI
• Accessing clipboard contents to capture sensitive data
• Extracting and sending cryptocurrency wallet addresses and related information
• Collecting system details (computer name, username, OS name and version)
• Downloading and executing additional payloads
• Sending back logs of executed actions
• Scanning for installed software and browser extensions (including Chrome, Edge, Brave, Opera, Firefox, Vivaldi)
• Monitoring active application windows for crypto-related keywords to identify potential cryptocurrency activity or targets

Additionally, the malware is capable of uninstalling itself on command, leaving minimal traces behind.

This incident highlights the value of DNS Threat Intelligence and Threat Detection in identifying and stopping Zero-Day threats. By analyzing unusual DNS activity—such as suspicious TXT queries, C2 domain lookups, and encoded payload delivery—DNS Security Solutions can uncover malicious behaviors that evade traditional security controls.

Mitigation Guidelines

If you are an EfficientIP customer, make sure that DNS Threat Pulse (DTP)—EfficientIP’s DNS Threat Intelligence feed—is activated and configured to automatically block malicious domains and receive automatic updates. The domains used in this attack are already included in the DNS Threat Intelligence feed and are actively blocked by the EfficientIP DNS Security solution.

If you are not yet an EfficientIP customer, we strongly recommend taking the following actions:

1. Manually block the following domains in your DNS firewall or resolver configurations:
   1. Slimawriter[.]com
   2. Activatorcounter[.]com
      
2. Manually block the payload signatures in your firewall, endpoint protection, or IPS/IDS solution (if manual signature-based blocking is supported):
   
3. Isolate affected systems to prevent further spread of the malware and perform a DNS-Centric threat investigation .
   
4. Implement DNS-centric security controls that proactively protect, detect, and respond to evolving threats using a DNS-Centric Threat Intelligence feeds and DNS Threat Detection—turning DNS into the first line of defense against covert data exfiltration, command-and-control activity, and zero-day malware like the one uncovered in this analysis. 

By taking these steps, you can reduce your exposure to this threat and strengthen your defenses against similar DNS-based attacks.

Indicators of Compromise (IOCs):

Description	Type	Value
Stager	Hash	md5 : afd1c0d22c427d419da11b855a63605d sha1: 1ae9b3e0b4d8df0c045258d43521c5f89b8a7be8 sha256: e06d9924e8bb258480702d91a75bfda05f4ddf71869762e3bdfdd6f7f7554437
Stager	Domain	slimawriter.com
Malware	Hash	md5 : 6be0c02582a2d8da479f543dacf1691d sha1 : 86675dedad33de575cf809a607ace11062f834a7 sha256 : a7c268b33d953662c2208167d1c8393143707ded559c98b854d2f5c455209ceb
Malware	Domain	activatorcounter.com
Malware	Mutex	Global\JKS825F
Malware	Mutex	Global\WSCriptsMonitorMutex
Malware	Mutex	Global\ClipboardMonitorMutex

Conclusion

This incident highlights how advanced threats can silently bypass traditional security layers. By leveraging real-time, AI-driven DNS Threat Intelligence, organizations can detect and stop zero-day malware before damage occurs. Proactive DNS security isn’t optional—it’s essential for protecting users, data, and operations in today’s threat landscape.