
Mysterious Decoy Dog malware toolkit still lurks in DNS shadows
2023-07-25 16:44

Whoever operates the toolkit did not cease activity after Infoblox announced their discovery and published a technical analysis showing that Decoy Dog was heavily based on the Pupy open-source post-exploitation remote access trojan.

Among the changes one Decoy Dog operator made after Infoblox's disclosure was the addition of a geofencing mechanism that limits responses from controller domains to DNS queries from IP addresses in specific regions.

If the theory of multiple actors handling Decoy Dog is true, there may be two development groups that improved the toolkit with new functionality.

Infoblox recommends defenders consider that IP addresses in both Decoy Dog and Pupy represent encrypted data, not real addresses used for communication.
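As an added illustration (not code from the BleepingComputer article or from Infoblox's analysis), the following Python scores DNS resolver log entries per registered domain on the property Infoblox points to: A-record answers that behave like encoded data rather than routable addresses. The five-field log format, the sample lines and the controller domain `example-ctl.invalid` are all constructed, and the thresholds are assumptions to be tuned against a baseline of your own resolver traffic.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed resolver log excerpt, not real traffic. Format (assumed):
# "<epoch> <client> <qname> <qtype> <answer>". example-ctl.invalid stands in
# for a hypothetical controller domain whose answers carry data, not hosts.
SAMPLE_LOG = """\
1690300001 10.0.0.5 www.example.com A 93.184.216.34
1690300002 10.0.0.5 www.example.com A 93.184.216.34
1690300003 10.0.0.7 www.example.com A 93.184.216.34
1690300004 10.0.0.9 a1b2.c2.example-ctl.invalid A 217.5.19.240
1690300005 10.0.0.9 a1b3.c2.example-ctl.invalid A 8.96.133.2
1690300006 10.0.0.9 a1b4.c2.example-ctl.invalid A 240.17.200.91
1690300007 10.0.0.9 a1b5.c2.example-ctl.invalid A 0.44.9.177
1690300008 10.0.0.9 a1b6.c2.example-ctl.invalid A 199.3.250.14
1690300009 10.0.0.9 a1b7.c2.example-ctl.invalid A 127.130.2.61
1690300010 10.0.0.2 cdn.example.org A 104.16.0.7
1690300011 10.0.0.2 cdn.example.org A 104.16.0.8
1690300012 10.0.0.2 cdn.example.org A 104.16.0.9
1690300013 10.0.0.2 cdn.example.org A 104.16.0.10
"""


def parse_log(text):
    """Parse the constructed five-field format into a list of A-record answers."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        ts, client, qname, _qtype, answer = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return records


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def normalized_octet_entropy(addresses):
    """Shannon entropy of all answer octets, scaled to [0, 1] by the maximum a
    sample of this size could reach (log2 of min(256, number of octets))."""
    octets = [int(o) for a in addresses for o in a.split(".")]
    n = len(octets)
    if n < 2:
        return 0.0
    counts = defaultdict(int)
    for o in octets:
        counts[o] += 1
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(min(256, n))


def score_domains(records, min_queries=4):
    """Per registered domain: how varied the answers are, how many fall outside
    globally routable space, and how uniform their octets look. A domain is
    flagged when answers rarely repeat AND either a quarter or more are
    non-routable or the octets look close to uniform (thresholds assumed)."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r["answer"])
    result = {}
    for domain, answers in by_domain.items():
        distinct = set(answers)
        nonglobal = sum(1 for a in answers if not ipaddress.ip_address(a).is_global)
        stats = {
            "queries": len(answers),
            "distinct_answers": len(distinct),
            "distinct_ratio": len(distinct) / len(answers),
            "nonglobal_ratio": nonglobal / len(answers),
            "norm_entropy": normalized_octet_entropy(answers),
        }
        stats["suspicious"] = (
            stats["queries"] >= min_queries
            and stats["distinct_ratio"] >= 0.75
            and (stats["nonglobal_ratio"] >= 0.25 or stats["norm_entropy"] >= 0.9)
        )
        result[domain] = stats
    return result


if __name__ == "__main__":
    for domain, s in sorted(score_domains(parse_log(SAMPLE_LOG)).items()):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{domain:22} q={s['queries']} distinct={s['distinct_answers']} "
              f"nonglobal={s['nonglobal_ratio']:.2f} H={s['norm_entropy']:.2f} {flag}")
```

The round-robin CDN domain in the sample has a distinct answer on every query but stays unflagged, because its octets are far from uniform and every address is routable; that combination is what separates encoded-data answers from ordinary load balancing, so tune both thresholds against your own baseline before alerting. Since the article notes that at least one operator now geofences controller responses, a resolver outside the targeted region may receive no answer at all, and an empty result from this script is not evidence that the toolkit is absent.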

The company also created a YARA rule that can detect Decoy Dog samples the researchers observed since July and distinguish the toolkit from the public version of Pupy.

Decoy Dog malware toolkit found after analyzing 70 billion daily DNS queries.


News URL

https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware-toolkit-still-lurks-in-dns-shadows/