Infrastructure is being weaponized
An Article Review
It has long been understood that DNS is a critical backbone of the internet. But what happens when attackers turn that infrastructure into a delivery system? That is the question raised in a recent Ars Technica report detailing how threat actors are hiding malware inside DNS TXT records, a record type intended for free-form text such as SPF and domain-verification strings, and using it as a covert channel for delivering and executing payloads.

This is not about a flaw in the protocol. It is about how easily normal-looking DNS traffic can be repurposed for malicious activity. In the example the report describes, researchers found a complete malware binary encoded as hexadecimal text, broken into hundreds of chunks, each published as the TXT record of a different attacker-controlled subdomain, and quietly fetched and stitched back together by a script running on the target machine. Each individual query looks like ordinary name resolution, so defenses that watch web and email traffic for known-bad files rarely catch it.

The real concern is visibility. DNS traffic is often overlooked, and the blind spot widens as more of it is encrypted (DNS over HTTPS and DNS over TLS) and routed to external resolvers that the organization does not log. Without inspection or controls in place, organizations are left with a major gap in coverage. That gap is proving useful not just for malware delivery but for data exfiltration, command and control, and, as the same researchers found in other TXT records, text crafted as prompt injections against AI tools that process DNS data.

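To make the two preceding points concrete, the following is an added example written for this review; it is not code from the Ars Technica report, from the researchers it cites, or from any malware sample. It first reproduces the mechanism in miniature (hex-encode a payload, spread it across numbered TXT records, reassemble it the way a stager would) and then runs a detection heuristic over the resolver log that such a fetch would leave behind. The domain name `chunks.example`, the numbered-subdomain naming, the four-field log format, the `lookup_txt` stand-in for a real query, and the thresholds are all constructed assumptions.

```python
# Added example: not code from the Ars Technica report, the cited researchers
# or any malware sample. Domain names, the log format, the numbering scheme
# and the thresholds are constructed assumptions for illustration.
from collections import defaultdict

# RFC 1035 caps a single TXT <character-string> at 255 octets, which is why a
# payload of any real size has to be spread across many records.
TXT_STRING_MAX = 255


def split_into_txt_records(payload: bytes, parent: str) -> dict:
    """Attacker side: hex-encode the payload and spread it over numbered
    subdomains of `parent`, e.g. '0.chunks.example' (naming is an assumption).
    Returns {qname: txt_value}, i.e. the zone the attacker would publish."""
    hexdata = payload.hex()
    chunks = [hexdata[i:i + TXT_STRING_MAX]
              for i in range(0, len(hexdata), TXT_STRING_MAX)]
    return {f"{n}.{parent}": chunk for n, chunk in enumerate(chunks)}


def reassemble(lookup_txt, parent: str, count: int) -> bytes:
    """Victim side: what a small stager does. `lookup_txt(qname)` stands in for
    a real TXT query and returns the record's text. Chunks are fetched in
    order and decoded back to the original bytes."""
    return bytes.fromhex("".join(lookup_txt(f"{n}.{parent}") for n in range(count)))


def parent_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels. Production
    tooling should use the Public Suffix List; this shortcut is an assumption."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def flag_txt_chunking(log_lines, min_unique_qnames: int = 50, max_window_s: int = 600):
    """Defender side: flag (client, parent domain) pairs where one client asks
    for many distinct TXT subdomains under the same parent in a short window.
    Log line format (constructed): '<epoch_seconds> <client_ip> <qtype> <qname>'.
    Legitimate TXT use (SPF, DKIM, DMARC, domain verification) touches a handful
    of names per domain, so a run of dozens or hundreds is the anomaly."""
    seen = defaultdict(lambda: {"qnames": set(), "first": None, "last": None})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        ts, client, qname = int(parts[0]), parts[1], parts[3]
        entry = seen[(client, parent_domain(qname))]
        entry["qnames"].add(qname.lower())
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    findings = []
    for (client, parent), e in seen.items():
        window = e["last"] - e["first"]
        if len(e["qnames"]) >= min_unique_qnames and window <= max_window_s:
            findings.append({"client": client, "parent": parent,
                             "unique_txt_qnames": len(e["qnames"]),
                             "window_s": window})
    return findings


def demo():
    """Publish a constructed 25,600-byte payload, fetch it back through the
    stager, then run the detector over the query log that fetch would leave."""
    payload = bytes(range(256)) * 100                  # constructed stand-in for a binary
    zone = split_into_txt_records(payload, "chunks.example")
    recovered = reassemble(zone.__getitem__, "chunks.example", len(zone))
    assert recovered == payload

    # Constructed resolver log: the stager's burst plus ordinary traffic.
    log = [f"{1700000000 + n} 10.0.0.7 TXT {qname}" for n, qname in enumerate(zone)]
    log += ["1700000005 10.0.0.7 A www.example.org",
            "1700000006 10.0.0.9 TXT example.org",          # SPF lookup
            "1700000007 10.0.0.9 TXT _dmarc.example.org",
            "1700000008 10.0.0.9 TXT selector1._domainkey.example.org"]
    return len(zone), flag_txt_chunking(log)


if __name__ == "__main__":
    record_count, findings = demo()
    print(f"{record_count} TXT records published; findings: {findings}")
```

Two things the example makes visible. First, the detector only works if the queries pass through a resolver you log: a client that talks DNS over HTTPS to an external resolver never appears in this log at all, which is exactly the blind spot described above, so forcing endpoints to an internal resolver and blocking direct DoH/DoT egress is a prerequisite for any of this. Second, the thresholds are deliberately coarse; tune `min_unique_qnames` against a baseline of your own TXT traffic, and treat the "unique TXT subdomains per parent" count as one signal to correlate with others (newly registered parent domains, unusual answer sizes) rather than a verdict on its own.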
This story is a reminder that cybersecurity is no longer just about hardening firewalls and endpoints. The very infrastructure organizations rely on can be weaponized if left unchecked. If defenders do not start logging and inspecting DNS, including the traffic that currently leaves the network encrypted, they risk falling behind attackers who already know how to use this hidden channel.
Original article by Dan Goodin writing for Ars Technica
This Article Review was written by Vigilize.
Matt Jolley is the current Vigilize; he is also the recipient of the 2024 Cyb3rP0e+ designation.