Decoy Dog is No Ordinary Pupy

Decoy Dog is a malware toolkit discovered by Infoblox that uses the domain name system (DNS) to perform command and control (C2). A compromised client communicates with, and receives direction from, a controller via DNS queries. That controller is integrated into a DNS name server to which queries are transmitted through the normal resolution process.

We disclosed Decoy Dog’s existence in April 2023 and released a detailed report of our initial findings on April 23rd. The discovery was based on monitoring of DNS data. Analysis at the time confirmed that the toolkit was built based on a remote access trojan (RAT) known as Pupy, but it wasn’t known what systems were being exploited, how the toolkit was deployed, or whether Pupy had been modified.1 We expected that, with the details we provided, others in the community would locate the compromised machines and the full story would become known. However, the mystery surrounding Decoy Dog has only grown.

Since April, Infoblox has conducted further research into Decoy Dog and Pupy. This report is the result of that research. We have learned that Decoy Dog is a major upgrade to Pupy that uses commands and configurations that are not in the public repo. We developed algorithms to separate Decoy Dog client communications and infer a number of other properties about each controller.

This allows us to conclude with high confidence that the toolkit has spread and is under the control of at least three actors. While the activity we have observed remains confined to Russia and Eastern Europe, there are distinct groupings of techniques, tactics, and procedures (TTPs) within the controllers consistent with multiple actors.