StarFish
StarFish is a simple reverse shell/backdoor used in DNS-orchestrated malware campaigns as the first-stage component and conduit for Strela Stealer. Reporting attributes the infrastructure hosting and delivering StarFish to the threat actor Detour Dog, which has used compromised WordPress sites, malicious JavaScript, and DNS TXT records for covert command-and-control and payload delivery. Infoblox assessed that Detour Dog controls domains hosting StarFish and that at least 69% of confirmed StarFish staging hosts were under Detour Dog control.

IBM X-Force reported in July 2025 that StarFish was delivered via malicious SVG files to enable persistent access to infected machines. The broader attack chain has also involved spam delivery through the REM Proxy and Tofsee botnets, with Detour Dog acting as a service provider/partner distributing malware for the Strela Stealer operations associated with Hive0145.

Observed behavior includes DNS TXT responses that are Base64-encoded and contain the word "down", which triggers infected sites to retrieve content from Strela Stealer C2 infrastructure; compromised websites are used as relays to obscure the hosting and complicate analysis. Related infrastructure included the sinkholed Detour Dog C2 domains webdmonitor[.]io and aeroarrows[.]io in July and August 2025.
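As an added detection sketch (not code from the original page or from any vendor), the following Python decodes TXT answers from a constructed passive-DNS log and flags those whose Base64 payload contains the "down" keyword described above; the log line format and the domain names are assumptions.

```python
import base64
import binascii
import re

# Constructed sample passive-DNS log lines (not real observed data).
# Assumed format: <timestamp> <qname> TXT "<rdata>"
SAMPLE_LOG = """\
2025-07-14T10:01:02Z cdn-assets.example.invalid TXT "ZG93bjpodHRwczovL3JlbGF5LmV4YW1wbGUuaW52YWxpZC9zdGFnZTI="
2025-07-14T10:01:05Z _dmarc.example.invalid TXT "v=DMARC1; p=reject"
2025-07-14T10:01:09Z txt.example.invalid TXT "c29tZSBiZW5pZ24gYmFzZTY0IHRleHQ="
2025-07-14T10:01:11Z odd.example.invalid TXT "not!!base64"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+TXT\s+"(.*)"$')
TRIGGER = b"down"  # keyword reported in the Base64-decoded TXT responses


def decode_txt(rdata: str):
    """Return the decoded bytes if rdata is strictly valid Base64, else None."""
    try:
        return base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_trigger_responses(log_text: str):
    """Return (timestamp, qname, decoded_text) for TXT answers whose
    Base64 payload contains the trigger keyword (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not TXT answers in the assumed format
        ts, qname, rdata = m.groups()
        decoded = decode_txt(rdata)
        if decoded is not None and TRIGGER in decoded.lower():
            hits.append((ts, qname, decoded.decode("utf-8", "replace")))
    return hits


if __name__ == "__main__":
    for ts, qname, text in find_trigger_responses(SAMPLE_LOG):
        print(f"{ts} {qname}: {text}")
```

Ordinary TXT records (SPF, DMARC, verification tokens) are not valid Base64 and are discarded before the keyword check, so the rule keys on decoded content rather than on the mere presence of Base64-looking data.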
Groups observed using it
1 distinct threat actor attributed by public researchers.
Detour Dog-owned infrastructure, per the company, has been used to host StarFish, a simple reverse shell that serves as a conduit for Strela Stealer.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Backdoor malware delivered via DNS-based attacks, enabling remote access and control of infected systems. Utilizes DNS TXT records for covert command and control communication.
A simple reverse-shell backdoor used as a first-stage/stager to enable persistent access and facilitate delivery of Strela Stealer; reported delivered via malicious SVG files and fetched/relayed using DNS TXT record responses and compromised websites.
StarFish is a backdoor malware used to facilitate the installation of Strela Stealer on compromised systems.