Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack

In April 2023, Infoblox disclosed the discovery of Decoy Dog, a malware toolkit that uses the domain name system (DNS) for command and control (C2). Decoy Dog had operated for over a year before it was detected. Since then, we have continued our research to understand the nature and severity of this threat, and what we found is both alarming and mysterious. The toolkit is based on Pupy, an open-source remote access trojan (RAT), but it is far more sophisticated than that penetration-testing tool. Although its traffic resembles Pupy's, Decoy Dog is a fundamentally new, previously unknown malware with many features designed to persist on a compromised device.

Download this whitepaper to learn how, using DNS alone, Infoblox was able not only to discover Decoy Dog but also to determine that it is an advanced persistent threat run by actors who are highly motivated to maintain access to their victims. The topics include:

  • What is Decoy Dog and why should we care
  • How Infoblox used DNS to discover and analyze Decoy Dog
  • How Infoblox used DNS to determine that Decoy Dog was operated by multiple actors, estimate the number of compromised devices, and understand the nature of the communications – all without access to the malware itself
  • How actors responded to the Infoblox disclosure to continue their operations
  • What research data Infoblox has released to the security community to help identify compromised devices and stop the malware

White Paper from Infoblox
