Researchers at MSP threat detection provider Huntress Labs noticed a suspicious URL in PowerShell code they had previously analyzed:

https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt

The response returned via Google DNS contains the malicious payload in an encoded form, as verified by BleepingComputer:

[Image: Google DNS response with the “data” field containing the malicious payload]

The apparent hexadecimal characters on the right side are actually decimal characters used to construct an encoded payload via rogue scheduled tasks. In addition to the obfuscation techniques it uses to “hide all of its evasive malware under layers of complexity”
Source: https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/
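
A defender-side check for the technique described above, as an added example that is not from Huntress Labs or BleepingComputer: it finds TXT lookups sent to Google's DNS-over-HTTPS JSON endpoint in log text and flags TXT answers that are long and mostly decimal digits. The log lines, responses, function names and the length and digit-ratio thresholds are constructed assumptions; only the first URL comes from the article.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

DOH_JSON_HOSTS = {"dns.google.com", "dns.google"}  # Google DoH JSON API hosts
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

def find_doh_txt_lookups(text):
    """Names requested as TXT records through the Google DoH JSON API."""
    names = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() not in DOH_JSON_HOSTS:
            continue
        if parts.path.rstrip("/") != "/resolve":
            continue
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        rtype = query.get("type", ["1"])[0].lower()  # API default is A (1)
        if rtype in ("txt", "16") and query.get("name"):
            names.append(query["name"][0].rstrip(".").lower())
    return names

def digit_heavy_txt(doh_json, min_len=100, min_ratio=0.8):
    """TXT answers that are long and mostly decimal digits (assumed heuristic)."""
    flagged = []
    for answer in json.loads(doh_json).get("Answer", []):
        data = str(answer.get("data", "")).strip('"')
        if answer.get("type") != 16 or len(data) < min_len:  # 16 = TXT
            continue
        if sum(c.isdigit() for c in data) / len(data) >= min_ratio:
            flagged.append(data)
    return flagged

# Constructed log lines (not real telemetry); only the first URL is from the article.
SAMPLE_LOG = [
    "4104 ScriptBlockText: $u='https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt'",
    "proxy GET https://dns.google/resolve?name=example.com&type=A",
    "proxy GET https://updates.example.net/resolve?name=example.com&type=txt",
]
# Constructed responses: placeholder digits, and an ordinary SPF record.
ENCODED = json.dumps({"Status": 0, "Answer": [
    {"name": "txt.example.", "type": 16, "TTL": 300, "data": "1234567890" * 12}]})
BENIGN = json.dumps({"Status": 0, "Answer": [
    {"name": "example.com.", "type": 16, "TTL": 300, "data": "v=spf1 -all"}]})

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_doh_txt_lookups(line), "<-", line)
    print(len(digit_heavy_txt(ENCODED)), len(digit_heavy_txt(BENIGN)))
```

TXT lookups over DoH also have legitimate uses, so a hit is a lead to correlate with the requesting process (for example a scheduled task or PowerShell host), not a verdict.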