DNSMessenger is a new fileless remote access trojan that uses DNS tunneling to conduct malicious powershell commands on compromised machines. It establishes bidirectional communication between infected machines and attackers through DNS TXT record queries and responses. The malware infects systems through a malicious word document delivered via phishing emails. It then establishes persistence through changes to the registry and installing a backdoor in the WMI database that periodically queries command and control servers for further instructions. Detection can be done through monitoring DNS traffic size and payload as well as blocking unsigned powershell scripts.