Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report

While China-linked Muddling Meerkat’s operations look like DNS DDoS attacks, it seems unlikely that denial of service is their goal, at least in the near term.

A newly uncovered Chinese threat actor has been scanning DNS networks around the world for years, sending vast numbers of queries via open DNS resolvers, according to network security company Infoblox.

Dubbed Muddling Meerkat (PDF) and appearing to be linked to the Chinese government, the threat actor can control the Great Firewall (GFW) of China, the nation’s system for censoring and manipulating internet traffic entering and exiting the country.

Active since October 2019, Muddling Meerkat’s operations resemble Slow Drip (also known as random-prefix) attacks, which are essentially distributed denial-of-service (DDoS) attacks, but the threat actor’s goal does not appear to be a DNS DDoS, and its motivation remains unclear.

With the ability to evade network defenses and remain hidden, Muddling Meerkat may be pre-positioning itself for possible disruptive cyberattacks, similar to Volt Typhoon’s apparent intentions that the US warned about earlier this year.

Muddling Meerkat’s operations, Infoblox says, are complex, as the threat actor can manipulate DNS mail server (MX) records using fake responses injected through GFW, and has been observed using Chinese IPs to make DNS queries for random subdomains to IP addresses worldwide.

What makes the threat actor stand out is the use of false MX record responses from Chinese IP addresses, which include properly formatted MX resource records and overall are different from the standard behavior of the GFW.

China’s GFW is known for injecting false answers to DNS queries, instead of altering DNS responses directly, to poison the DNS cache of the requester. Furthermore, Beijing is also known for using a system called the Great Cannon (GC) to launch DDoS attacks.

“The MX answer records for Muddling Meerkat are only observable in data collected outside of the normal DNS resolution chain because the source of the response is not a DNS resolver but instead a random Chinese IP address,” Infoblox notes.
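One way to look for the pattern quoted above in a site's own packet-level DNS capture, as an added example that is not from Infoblox or the original article: it flags MX responses whose source IP is not an approved resolver and notes whether a local client had queried that IP directly. The record layout, the resolver list, and all addresses and names are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Assumed sensor record (constructed format): one row per DNS packet observed.
Pkt = namedtuple("Pkt", "ts kind src dst txid qname rtype")

def off_resolver_mx(packets, resolvers):
    """Return MX responses whose source IP is not an approved resolver."""
    queried = set()   # (client, server, txid, qname) for every query seen
    findings = []
    for p in sorted(packets, key=lambda p: p.ts):
        name = p.qname.lower().rstrip(".")
        if p.kind == "query":
            queried.add((p.src, p.dst, p.txid, name))
        elif p.rtype == "MX" and p.src not in resolvers:
            # Was this answer solicited by a query sent straight to that IP?
            solicited = (p.dst, p.src, p.txid, name) in queried
            findings.append({"ts": p.ts, "source": p.src, "qname": name,
                             "kind": "direct-query" if solicited else "unsolicited"})
    return findings

def subdomains_per_domain(findings):
    """Group flagged names by their last two labels (naive; ignores public suffixes)."""
    groups = defaultdict(set)
    for f in findings:
        labels = f["qname"].split(".")
        groups[".".join(labels[-2:])].add(f["qname"])
    return {d: len(n) for d, n in groups.items()}

RESOLVERS = {"192.0.2.53"}  # constructed: the site's approved recursive resolver
SAMPLE = [  # constructed packets using documentation address ranges
    Pkt(1, "query", "192.0.2.10", "192.0.2.53", 4001, "mail.example.org.", "MX"),
    Pkt(2, "response", "192.0.2.53", "192.0.2.10", 4001, "mail.example.org.", "MX"),
    Pkt(3, "query", "192.0.2.11", "203.0.113.7", 4002, "xq7k.example.com.", "MX"),
    Pkt(4, "response", "203.0.113.7", "192.0.2.11", 4002, "xq7k.example.com.", "MX"),
    Pkt(5, "response", "203.0.113.99", "192.0.2.12", 4003, "p0zr.example.com.", "MX"),
    Pkt(6, "response", "203.0.113.7", "192.0.2.11", 4004, "www.example.com.", "A"),
]

if __name__ == "__main__":
    hits = off_resolver_mx(SAMPLE, RESOLVERS)
    for h in hits:
        print(h)
    print(subdomains_per_domain(hits))
```

A hit here is a lead for review, not evidence of compromise; the per-domain tally helps separate a one-off from a run of differing subdomains under the same domain.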

The MX records containing random hostnames were first seen in October 2019, but the number of MX resolutions started to increase in September 2023 and into 2024.

In addition to abusing MX records, Muddling Meerkat was seen using domains registered before the year 2000 to avoid DNS blocklists, selecting domains for abuse based on length and age rather than ownership, almost continuously running campaigns of one to three days, initiating DNS queries from dedicated servers, and limiting the size of operations to avoid detection.

“Every detail of Muddling Meerkat operations demonstrates sophistication and deep knowledge of DNS. The activity includes behavior not previously reported for the GFW, the nature of which ties the actor to Chinese nation state actors,” Infoblox notes.

For years, Infoblox tracked MX record responses from Chinese IP addresses on Muddling Meerkat target domains, which suggests a connection between the threat actor and the GFW operators, and discovered that the operations are performed in stages.

Network administrators are advised to identify and eliminate open resolvers in their networks, only use trusted domains for Active Directory or DNS search, implement DNS detection and response (DNSDR), and review the shared indicators of activity (they do not necessarily suggest compromise) and report identified Muddling Meerkat activity.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

