T1071.004 DNS is a sub-technique of Application Layer Protocols (T1071) in the MITRE ATT&CK framework, under the Command and Control tactic. It covers adversaries using the Domain Name System (DNS), the protocol that resolves domain names into IP addresses and is critical to the functioning of the internet, as a channel for command and control.
DNS is an essential protocol for web browsing and other online activities, translating human-readable domain names into machine-readable IP addresses. Adversaries exploit this widely used protocol by embedding malicious data and commands within DNS queries and responses, enabling covert communication with compromised systems. This allows attackers to bypass traditional security controls by disguising their traffic as legitimate DNS requests, making it harder to detect malicious activities.
To read about other sub-techniques of the T1071 Application Layer Protocols technique, you can visit the related hub blog.
Adversaries often exploit the DNS protocol for C2 operations, taking advantage of its widespread use and firewall permissions. By embedding malicious data in DNS queries or using TXT records, attackers can disguise their communications as legitimate traffic. This allows for data exfiltration and command delivery while blending in with normal DNS traffic, making detection difficult. Its fundamental role in network infrastructure makes DNS an appealing option for attackers to maintain covert access.
For example, an August 2025 analysis revealed that the AK47C2 dnsclient component of the Project AK47 toolset abuses the DNS protocol for command-and-control [1]. It achieves this by encoding messages within DNS queries and receiving commands via DNS TXT records, allowing the malware to communicate covertly without raising suspicion. DNS is strategically chosen because it is a foundational protocol that is almost universally permitted outbound by firewalls, allowing the C2 messages to blend with legitimate network activity. The malware uses two versions of its protocol, Version 202503 and Version 202504, each with slightly different encoding methods.
dnsclient C2 Mechanisms
The dnsclient begins its operation by setting up the DNS server for queries. In its early Version 202503 (likely a test build), it explicitly configures a private IP address (10[.]7[.]66[.]10) as its designated DNS server. This is achieved using the following C code snippet to allocate memory and parse the IP address for the DNS query function (DnsQuery_A):
V3 = (PIP4_ARRAY)LocalAlloc(0x40u, 8u);   // LMEM_ZEROINIT; 8 bytes hold a one-entry IP4_ARRAY (AddrCount plus one IPv4 address)
Data Exfiltration and Check-in via Subdomains
To send data to the C2 server, the malware converts the message payload into a subdomain of the hard-coded C2 domain (update.updatemicfosoft[.]com).
The data is first XOR-encoded with the key VHBD@H and then converted into a hexadecimal string. The resulting DNS query structure follows the format:
HEX_ENCODED_DATA.update.updatemicfosoft[.]com
When the malware sends command execution results (exfiltration) back to the C2 server (Version 202503), the data is packaged in the following JSON format, which is then encoded and sent as the subdomain:
{"cmd": "<COMMANDS_TO_EXECUTE>", "cmd_id": "<COMMAND_ID>", "type": "result", "fqdn": "<HOSTNAME>", "result": "<EXECUTION_OUTPUT>"}
The C2 server delivers commands back to the infected host using a DNS TXT record. This TXT record contains the encoded command, which the dnsclient decodes using the same XOR algorithm. The decoded command payload in the simplified Version 202504 takes the following format, which includes a session key for client-side verification:
<COMMAND_TO_EXECUTE>::<SESSION_KEY>
Because the encoded data can exceed the DNS query length limit, dnsclient fragments large payloads and uses specific prefixes as flags. For Version 202503, the character s is prepended to the domain name to indicate fragmented data. Version 202504 uses the prefixes 2 and a on the session key substrings to signal the start and continuation of a fragmented message when sending execution results.
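The query layout described above (XOR with the key VHBD@H, hex encoding, subdomain of the C2 domain, JSON result body, the s prefix on fragments) is enough to write a resolver-log decoder for it. The following is an added example written for this post, not code from the malware or from Unit 42; the log line layout, the splitting of long hex strings into 60-character labels, and the rule that only non-final fragments carry the s flag are assumptions made here, and the sample log lines are constructed.

```python
"""Added example: decoder for AK47C2-style DNS queries, built only from the
behaviour described in the write-up. Not the malware's or Unit 42's code;
log layout, label splitting and fragment-flag convention are assumptions."""
import json
import re

XOR_KEY = b"VHBD@H"                        # key reported in the write-up
C2_DOMAIN = "update.updatemicfosoft.com"   # reported C2 domain, un-defanged


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(payload: dict) -> str:
    """XOR then hex, as described; used here only to build sample traffic."""
    return xor_bytes(json.dumps(payload, separators=(",", ":")).encode()).hex()


def to_qname(hexchunk: str, fragment: bool = False) -> str:
    """Lay a hex chunk out as <=60-char labels under the C2 domain (assumed
    handling of the 63-byte label limit); a leading 's' marks a fragment."""
    labels = [hexchunk[i:i + 60] for i in range(0, len(hexchunk), 60)]
    return ("s" if fragment else "") + ".".join(labels) + "." + C2_DOMAIN


QNAME_RE = re.compile(r"qname=(\S+)")
CLIENT_RE = re.compile(r"client=(\S+)")
HEX_LABEL_RE = re.compile(r"^(s?)([0-9a-f]+)$")


def classify_qname(qname: str):
    """(is_fragment, hex) for a hex subdomain of the C2 domain, else None."""
    q = qname.rstrip(".").lower()
    suffix = "." + C2_DOMAIN
    if not q.endswith(suffix):
        return None
    m = HEX_LABEL_RE.match(q[:-len(suffix)].replace(".", ""))
    return (bool(m.group(1)), m.group(2)) if m else None


def decode_log(lines):
    """Walk resolver log lines, reassemble 's'-flagged fragments per client,
    strip the XOR layer and parse the JSON. Returns [(client, payload), ...]."""
    found, pending = [], {}
    for line in lines:
        qm, cm = QNAME_RE.search(line), CLIENT_RE.search(line)
        if not qm or not cm:
            continue
        hit = classify_qname(qm.group(1))
        if hit is None:
            continue                      # ordinary lookup or other domain
        is_fragment, hexdata = hit
        client = cm.group(1)
        pending[client] = pending.get(client, "") + hexdata
        if is_fragment:
            continue                      # wait for the final piece
        buf = pending.pop(client)
        try:
            raw = xor_bytes(bytes.fromhex(buf))
        except ValueError:
            continue                      # odd hex length: not a whole payload
        try:
            found.append((client, json.loads(raw)))
        except ValueError:
            found.append((client, raw.decode("latin-1")))   # non-JSON body
    return found


# Constructed sample: one benign lookup, one result split across two queries
# (the first flagged with 's'), and unrelated traffic from another host.
RESULT = {"cmd": "whoami", "cmd_id": "1001", "type": "result",
          "fqdn": "WS-01", "result": "corp\\user1"}
_hex = encode_payload(RESULT)
_cut = len(_hex) // 2
SAMPLE_LOG = [
    "2025-08-05T10:00:01Z client=10.0.0.5 qname=www.example.com. qtype=A",
    f"2025-08-05T10:00:02Z client=10.0.0.5 qname={to_qname(_hex[:_cut], True)}. qtype=A",
    f"2025-08-05T10:00:03Z client=10.0.0.5 qname={to_qname(_hex[_cut:])}. qtype=A",
    "2025-08-05T10:00:04Z client=10.0.0.9 qname=mail.example.org. qtype=MX",
]

if __name__ == "__main__":
    for client, payload in decode_log(SAMPLE_LOG):
        print(client, payload)
```

Running the script prints the reassembled JSON result from 10.0.0.5 and ignores the two ordinary lookups. Because the malware's encoding is a fixed-key XOR, the same decoder doubles as a hunting query: any hex-looking label under the C2 domain that decodes to printable JSON is a strong indicator, and the cmd_id and fqdn fields give the analyst the hostname and command sequence directly from passive DNS logs.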
In another case, reported in April 2024, the MadMxShell backdoor exploits the DNS protocol for covert C2 communication by embedding encoded data within DNS MX queries and responses [2]. Using a custom 36-character lookup table, binary data is converted into alphanumeric subdomain strings. To stay within DNS size constraints, each DNS packet is limited to 103 bytes, with larger messages split across sequential packets. The backdoor operates with rapid three-second intervals between transmissions, generating noisier traffic than HTTP-based malware. Requests and responses use structured messages encoded in subdomains, where subdomain blocks are separated by periods. This approach lets the malware mimic legitimate DNS activity, blending in with normal traffic while evading detection.
In another case identified in December 2024, researchers discovered that GammaLoad malware leverages sophisticated DNS-based techniques to obfuscate and maintain its C2 communication [3]. The malware employs DNS-over-HTTPS to resolve C2 infrastructure, ensuring encrypted and stealthy communication when traditional DNS resolution methods are blocked or fail. Additionally, it implements a DNS fast-fluxing technique, dynamically rotating DNS records for its C2 servers to evade tracking and disruption.
These methods enable the malware to maintain consistent and covert communication with its C2 infrastructure, bypassing conventional network security measures designed to detect and block malicious traffic.
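The two traffic shapes described above, a host issuing long encoded MX queries at a fixed three-second cadence (MadMxShell) and a C2 name whose A records rotate rapidly (GammaLoad's fast-flux), can both be surfaced from resolver logs with simple statistics. The following is an added example written for this post, not code from either report; the log layout, the domains, the thresholds and the registrable-domain approximation (last two labels, no public-suffix list) are assumptions, and the sample log lines are constructed.

```python
"""Added example: beaconing and fast-flux heuristics over resolver logs for
the MadMxShell and GammaLoad behaviour described in the post. Not code from
either report; log layout, domains and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def apex(qname: str) -> str:
    """Registrable-domain approximation: last two labels (assumption; a real
    deployment would consult the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse(lines):
    """Parse constructed 'ts client qname qtype answer' lines into dicts."""
    records = []
    for line in lines:
        ts, client, qname, qtype, answer = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip("."), "qtype": qtype,
                        "answer": answer})
    return records


def beacon_candidates(records, min_queries=5, max_jitter=1.0, min_sub_len=20):
    """Flag (client, apex) pairs that query at a near-constant interval with
    long subdomains: many queries, low inter-arrival jitter, long encoded
    labels, as in the MadMxShell pattern. Also reports the MX share."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], apex(r["qname"]))].append(r)
    flagged = []
    for (client, domain), rs in groups.items():
        if len(rs) < min_queries:
            continue
        ts = sorted(r["ts"] for r in rs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        sub_len = mean(len(r["qname"]) - len(domain) - 1 for r in rs)
        mx_share = sum(r["qtype"] == "MX" for r in rs) / len(rs)
        if pstdev(gaps) <= max_jitter and sub_len >= min_sub_len:
            flagged.append({"client": client, "domain": domain,
                            "interval": mean(gaps), "mx_share": mx_share})
    return flagged


def fast_flux_candidates(records, min_ips=5):
    """Names whose A answers cycle through many distinct IPs inside the
    window, the fast-flux rotation attributed to GammaLoad's C2 records."""
    ips = defaultdict(set)
    for r in records:
        if r["qtype"] == "A" and r["answer"] != "-":
            ips[r["qname"]].add(r["answer"])
    return {name: len(s) for name, s in ips.items() if len(s) >= min_ips}


# Constructed sample log (epoch seconds, client, qname, qtype, answer or '-').
SAMPLE_LOG = [
    # one host querying long alphanumeric MX names every 3 seconds
    "1713340800 10.0.0.5 k3jd8s2lq0f7.ab1cdz9q4.c2-example.test MX -",
    "1713340803 10.0.0.5 9qz2ll0vmc4x.5gh7pp2aa.c2-example.test MX -",
    "1713340806 10.0.0.5 x7c0ea1b3nnd.8kl4mm9zz.c2-example.test MX -",
    "1713340809 10.0.0.5 t2p8qq5e6wv1.0ju3rr7yy.c2-example.test MX -",
    "1713340812 10.0.0.5 b6m1nn2d9zo4.1vw5ss8xx.c2-example.test MX -",
    # ordinary lookups from another host
    "1713340801 10.0.0.9 mail.example.org MX 198.51.100.2",
    "1713340845 10.0.0.9 www.example.org A 198.51.100.3",
    # one short name answered with a different address on every lookup
    "1713340810 10.0.0.9 cdn.flux-example.test A 203.0.113.11",
    "1713340841 10.0.0.9 cdn.flux-example.test A 203.0.113.12",
    "1713340870 10.0.0.9 cdn.flux-example.test A 203.0.113.13",
    "1713340902 10.0.0.9 cdn.flux-example.test A 203.0.113.14",
    "1713340935 10.0.0.9 cdn.flux-example.test A 203.0.113.15",
]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("beacons:", beacon_candidates(recs))
    print("fast-flux:", fast_flux_candidates(recs))
```

The flux name is queried five times at a steady cadence too, but its three-character subdomain keeps it out of the beacon list; the two heuristics are deliberately independent so that a short, frequently resolved name is judged on its answer rotation and a long, rarely answered name on its query pattern. In production the thresholds should be tuned against a baseline of the environment's own resolver traffic, since CDNs and mail providers legitimately return several addresses per name.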
[1] H. Hara and M. Lim, “Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks,” Unit 42, Aug. 05, 2025. Available: https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/. [Accessed: Dec. 08, 2025]
[2] R. Tay and S. Singh, “Malvertising campaign targeting IT teams with MadMxShell,” Zscaler ThreatLabz, Apr. 17, 2024. Available: https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell. [Accessed: Dec. 18, 2024]
[3] The Hacker News, “Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware,” The Hacker News, Dec. 06, 2024. Available: https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html. [Accessed: Dec. 18, 2024]