Dead-Drop Resolvers: Malware’s Quiet Rendezvous and Why Adaptive Defense Matters
<p>At this weekend’s BSides NYC, Dr. Jonathan Fuller, CISO of the U.S. Military Academy at West Point, delivered an extremely clear talk on how modern malware hides its command-and-control (C2) infrastructure through <em>dead-drop resolvers</em>. Fuller, who co-authored Georgia Tech’s <em>VADER</em> project, described how adversaries increasingly use public platforms (GitHub, Dropbox, Pastebin, even blockchain transactions) as covert meeting points between infected hosts and remote operators. Rather than embedding a C2 address directly in their code, attackers plant an encrypted message on one of these benign services. The malware later retrieves and decodes it, discovering where to connect next. It’s simple, elegant, and devastatingly effective at evading traditional defenses.</p><figure><img decoding="async" alt="" src="https://cdn-images-1.medium.com/max/562/0*qkN5c4sLWiMVl6XD.png"></figure><p>This technique, formally captured in the <strong>MITRE ATT&CK</strong> framework as <em>Web Service: Dead Drop Resolver</em>, represents a new generation of stealth. It allows attackers to rotate C2 servers without redeploying malware and to hide in plain sight within trusted domains. Fuller’s work, and the broader VADER research, reveals just how pervasive this pattern has become, uncovering thousands of active samples across multiple malware families. Real-world incidents back this up: Secureworks’ analysis of <strong>Drokbk</strong> found attackers using GitHub repositories as disposable message boards for resolvers, while others have used blockchain metadata as immutable storage for the same purpose.</p><p>The pattern is clear: adversaries are increasingly weaponizing the very web services defenders rely upon.</p><p>Traditional defenses are largely blind to this. Static detection fails because the resolver payloads are obfuscated; URL blocking doesn’t work when attackers change platforms daily; sandboxing often misses the fleeting moment when a sample decodes its C2. The challenge isn’t just technical; it’s conceptual. Malware has become a <em>process of adaptation</em>, not a fixed artifact. To detect it, defenders need systems that can see when “normal” behavior subtly diverges from the baseline.</p><p>That’s where our <strong>Log Language Model (LogLM)</strong> provides a crucial new layer of defense. Trained on billions of NetFlow and application logs, Tempo learns what normal digital interactions look like: how entities on a network typically communicate, what timing and data patterns are expected, and when they shift. When malware begins making short, structured calls to public storage sites or decodes data in ways unseen before, Tempo recognizes that behavioral anomaly, even without knowing the specific payload or domain. In essence, DeepTempo acts as the connective tissue between static controls and adaptive threats, detecting the <em>pattern of behavior</em> that makes dead-drop resolvers effective in the first place.</p><p>Dead-drop resolvers are only one branch of a growing tree of covert C2 techniques. Steganography hides commands within images and text, blockchain transactions embed them immutably, and DNS tunneling conceals them within ordinary queries. Each shares a key trait: their content looks legitimate, but their sequence and intent deviate from normal activity. That is precisely where behavioral models like Tempo excel, learning the context of communication, not just its content.</p><p>The message from Fuller’s BSides talk is one we at <strong>DeepTempo</strong> take seriously: adversaries will continue to innovate faster than static defenses can adapt. Foundation models trained on real behavioral data, such as our LogLM, offer a path forward. They allow defenders to see patterns that weren’t explicitly labeled, to surface early warnings that rules and signatures miss, and to adapt as attackers evolve. 
In a world where malware hides its tracks in plain sight, visibility itself becomes the new perimeter.</p><p><em>Originally published at </em><a href="https://www.deeptempo.ai/blogs/dead-drop-resolvers-malwares-quiet-rendezvous-and-why-adaptive-defense-matters"><em>https://www.deeptempo.ai</em></a><em>.</em></p><hr><p><a href="https://medium.com/deeptempo/dead-drop-resolvers-malwares-quiet-rendezvous-and-why-adaptive-defense-matters-82c8faaf207c">Dead-Drop Resolvers: Malware’s Quiet Rendezvous and Why Adaptive Defense Matters</a> was originally published in <a href="https://medium.com/deeptempo">DeepTempo</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://medium.com/@epowell101?source=rss-36584a5b84a------2">Stories by Evan Powell on Medium</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Evan Powell">Evan Powell</a>. Read the original post at: <a href="https://medium.com/deeptempo/dead-drop-resolvers-malwares-quiet-rendezvous-and-why-adaptive-defense-matters-82c8faaf207c?source=rss-36584a5b84a------2">https://medium.com/deeptempo/dead-drop-resolvers-malwares-quiet-rendezvous-and-why-adaptive-defense-matters-82c8faaf207c?source=rss-36584a5b84a------2</a> </p>
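<p>As an added illustration of the traffic shape the post describes (short, structured, repeated fetches of raw content from a public storage service), here is a small rule-based check run over constructed proxy log lines. It is editorial example code, not DeepTempo’s LogLM nor anything from Fuller’s talk or the VADER project: the log format, the watch-list of hosts, the thresholds and every log line are assumptions made up for the demonstration. It flags a (client, host) pair only when the fetches are numerous, small, evenly spaced and aimed at one unchanging path, which is exactly the case where per-host baselining separates a polling implant from a developer who also pulls files from the same service.</p>

```python
"""Behavioural check for dead-drop-resolver style polling in proxy logs.

Editorial example, not code from the post or from DeepTempo. It flags hosts
that make small, evenly spaced fetches of a single raw-content path on a
public paste/code-hosting service. Log lines, watch-list and thresholds are
constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median, pstdev
from urllib.parse import urlparse

# Services the post names as dead-drop venues. Constructed watch-list, not an
# authoritative or exhaustive one.
WATCHED_HOSTS = {
    "pastebin.com",
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "dl.dropboxusercontent.com",
}

# Constructed tunables: flag a (client, host) pair only with at least this many
# successful fetches, bodies this small, and inter-request gaps this regular.
MIN_FETCHES = 4
MAX_BODY_BYTES = 1024
MAX_INTERVAL_CV = 0.25  # coefficient of variation of gaps between requests

# Constructed proxy log: "<iso-timestamp> <client> <method> <url> <status> <bytes>".
# 10.0.0.5 polls one small file every ~5 minutes; 10.0.0.7 is a developer
# pulling several large files irregularly; 10.0.0.9 never touches a watched host.
SAMPLE_LOG = """\
2025-10-18T09:00:00 10.0.0.5 GET https://raw.githubusercontent.com/acct/repo/main/cfg.txt 200 118
2025-10-18T09:05:01 10.0.0.5 GET https://raw.githubusercontent.com/acct/repo/main/cfg.txt 200 118
2025-10-18T09:10:00 10.0.0.5 GET https://raw.githubusercontent.com/acct/repo/main/cfg.txt 200 118
2025-10-18T09:14:59 10.0.0.5 GET https://raw.githubusercontent.com/acct/repo/main/cfg.txt 200 122
2025-10-18T09:20:00 10.0.0.5 GET https://raw.githubusercontent.com/acct/repo/main/cfg.txt 200 122
2025-10-18T09:03:12 10.0.0.7 GET https://raw.githubusercontent.com/org/tools/main/install.sh 200 48211
2025-10-18T09:41:55 10.0.0.7 GET https://raw.githubusercontent.com/org/tools/main/setup.py 200 9130
2025-10-18T10:02:07 10.0.0.7 GET https://raw.githubusercontent.com/org/tools/main/README.md 200 3310
2025-10-18T11:30:40 10.0.0.7 GET https://raw.githubusercontent.com/org/tools/main/install.sh 200 48211
2025-10-18T09:01:00 10.0.0.9 GET https://www.example.com/index.html 200 5400
2025-10-18T09:06:00 10.0.0.9 GET https://www.example.com/index.html 200 5400
"""


@dataclass
class Request:
    ts: datetime
    client: str
    host: str
    path: str
    status: int
    body_bytes: int


def parse_line(line: str) -> Request:
    """Parse one space-separated log line of the constructed format above."""
    ts, client, _method, url, status, nbytes = line.split()
    parsed = urlparse(url)
    return Request(datetime.fromisoformat(ts), client, parsed.hostname or "",
                   parsed.path, int(status), int(nbytes))


def interval_cv(times):
    """Coefficient of variation of the gaps between sorted timestamps (0 = perfectly periodic)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def find_dead_drop_polling(lines):
    """Return {(client, host): reason} for pairs whose traffic matches the polling shape."""
    by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        req = parse_line(line)
        if req.host in WATCHED_HOSTS and req.status == 200:
            by_pair[(req.client, req.host)].append(req)

    findings = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < MIN_FETCHES:
            continue
        reqs.sort(key=lambda r: r.ts)
        size = median(r.body_bytes for r in reqs)
        cv = interval_cv([r.ts for r in reqs])
        paths = {r.path for r in reqs}
        # All three must hold: small bodies, regular cadence, one fixed path.
        if size <= MAX_BODY_BYTES and cv <= MAX_INTERVAL_CV and len(paths) == 1:
            findings[pair] = (f"{len(reqs)} fetches of {paths.pop()} "
                              f"(median {size:.0f} bytes, interval CV {cv:.2f})")
    return findings


if __name__ == "__main__":
    for (client, host), why in find_dead_drop_polling(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {why}")
```

<p>Run stand-alone it reports only the 10.0.0.5 pair; the developer host 10.0.0.7 fetches from the same service four times but is passed over because its bodies are large, its paths vary and its cadence is irregular. The check is deliberately narrow: a fixed watch-list and hand-set thresholds are precisely the kind of static rule the post says attackers route around by changing platforms or cadence, which is the argument for learning the per-host baseline rather than encoding it.</p>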