Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles


Threat Intel Alert: Infoblox Reveals Shift in Decoy Dog Malware Tactics After Initial Discovery

Aug 1, 2023Knowledge

Threat Intel Alert: Infoblox Reveals Shift in Decoy Dog Malware Tactics After Initial Discovery


On July 25, 2023 Infoblox released critical updates and a second detailed report regarding the “Decoy Dog” malware. We have determined that no Infoblox customer devices have been compromised. However, the malware is very advanced, still not fully understood, and as such remains a threat to global enterprises until it is neutralized. You can access the full report here.


The alert provides details necessary to ensure your enterprise is protected:

  1. To assist, we are releasing a large public data set and detailed findings, including a new YARA rule that can be applied to files to identify the malware and further support industry investigation of these C2 systems.
  2. Infoblox has new detection algorithms in place to identify Decoy Dog domains, which are included in our BloxOne Threat Defense Essentials package.
  3. Decoy Dog continues to operate and is now controlled by at least 3 actors. These actors responded to our initial disclosures by changing their operations in order to retain access to their victims.
  4. Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device. Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers.

For more information regarding Infoblox’s first published report on Decoy Dog in April, visit here.

To read more on Infoblox’s findings, you can view the company's issued press release here.

You can also learn more from two exclusive interviews given by CEO Scott Harrell and Head of Threat Intel, Renee Burton.

As a reminder, if you are a BloxOne Threat Defense (Advanced) Customer

If you are a BloxOne Threat Defense (Essentials or Business On-premises) Customer

  • Validated Decoy Dog domains are part of the anti-malware feed. If you have applied the anti-malware feed to your RPZ policy configuration, the on-premise DNS servers will have already pulled the active data set including those indicators known to be related to this threat. If not, follow Infoblox recommendations to block with the anti-malware feeds. 
  • Validate security events generated by the on-premise DNS appliances via the Infoblox Reporting server

If you are a BloxOne Threat Defense (Business Cloud) Customer

If you are not a BloxOne Threat Defense Customer

If you find these in your traffic or would like more information, please contact your account manager or email


Additional Resources:

Showing results for 
Search instead for 
Did you mean: