A sophisticated technique called fast flux is increasingly being employed by cybercriminals, raising concern among intelligence and cybersecurity agencies throughout the world.
In April 2025 the United States National Security Agency (NSA), in conjunction with allied organizations, issued a joint cyber advisory warning that fast flux poses a serious threat to national security.
According to the advisory, the technique allows both criminals and state-sponsored threat actors to build command-and-control (C2) infrastructure that is highly resistant to detection and disruption.
The IP addresses of malicious domains are frequently rotated through a network of compromised systems, known as a botnet, so that the domain points to a continuously changing set of IP addresses.
This constant flux of IP addresses makes it extremely difficult for defenders to identify, track, or block the infrastructure supporting an attack.
Adversaries can therefore conceal their actions and maintain persistent access to targeted systems and networks. The National Intelligence Agency noted that this technique has been used to facilitate a wide range of malicious operations, including cyber espionage, phishing schemes, ransomware deployment, and other forms of cybercrime.
The growing adoption of fast flux by threat actors underscores the need for advanced defensive measures and closer international collaboration against emerging cyber threats.
Fast flux is a DNS-based obfuscation technique increasingly used by cybercriminals to evade detection and defeat conventional security measures.
By rapidly altering the IP addresses associated with a domain name, it cloaks the true location of malicious servers and makes it very difficult for security teams to identify and eliminate them.
By exploiting the dynamic nature of DNS, the technique keeps malicious infrastructure running even when individual IP addresses and servers are discovered and taken down.
Fast flux comes in two distinct forms: single flux and double flux.
Single flux is the continuous rotation of the IP addresses associated with a domain name, usually drawn from a large pool of compromised machines, so that the domain name stays usable as individual hosts come and go.
Double flux adds to this by rotating the authoritative name servers as well, further complicating the infrastructure and making tracking harder.
This dynamic and distributed approach lets attackers build highly resilient command-and-control networks on a global base of infected devices, capable of sustaining operations for a long time.
Double flux is a variant of fast flux that adds a further layer of obfuscation and network resilience by rotating not only the IP addresses that a malicious domain resolves to, but also the DNS name servers that answer lookups for the domain.
This makes it much more challenging for defenders to track and dismantle these networks.
Security analysis has found that double flux configurations use both Name Server (NS) and Canonical Name (CNAME) DNS records, making it even more difficult to trace malicious activity to its source. According to the advisory issued on Thursday, both single flux and double flux rely on vast networks of compromised hosts, commonly called botnets, that act as proxies and relays.
This distributed architecture leaves network defenders unable to identify, block, or pursue legal action against the infrastructure supporting cyberattacks. Because of its persistence and evasiveness, fast flux has become one of the most popular tactics among cybercriminals and government-backed actors alike, and its prevalence in the threat landscape continues to grow.
Bulletproof hosting services, which cater specifically to criminal enterprises, use fast flux to harden their operations and distinguish themselves from competitors in the illegal marketplace. Several ransomware groups, such as Hive and Nefilim, have incorporated fast flux into their campaigns to retain control of their infrastructure while avoiding detection by the authorities.
The Kremlin-linked group Gamaredon has also been documented using the technique in its cyber espionage activities, highlighting its appeal to state-aligned actors engaged in geopolitical cyber operations. Cybersecurity experts recommend a multifaceted defence strategy to counter the threat posed by fast flux.
Key measures include blocking known malicious IP addresses, sinkholing suspicious domains to disrupt attacker communications, filtering traffic by domain reputation, and training targeted users to recognise phishing and social engineering. Continuous monitoring of DNS activity for anomalies or unusual patterns is crucial to detecting fast flux networks before they can inflict significant damage.
Fast flux is not used only to maintain command-and-control (C2) communications; it also plays a crucial role in phishing campaigns by making the malicious websites used for social engineering much harder to detect, block, or take down.
By rotating IP addresses and obscuring server locations, fast flux lets phishing infrastructure persist longer and makes it easier for attackers to bypass traditional filtering and takedown mechanisms.
Bulletproof hosting providers are also increasingly promoting fast flux as a distinguishing feature of their services, since it lets them offer resilient and anonymous infrastructure to criminals.
These providers market fast flux as a value-added capability that enhances the effectiveness and survivability of malicious operations such as malware distribution, credential theft, and ransomware deployment.
In April 2025, a coalition of international cybersecurity authorities issued a joint Cybersecurity Advisory (CSA) addressing the growing threat posed by fast flux networks.
The advisory was produced jointly by the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).
They were joined by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand's National Cyber Security Centre (NCSC-NZ).
The collaborative effort makes clear that fast flux has global implications and that cross-border coordination is essential to combating this evolving cyber threat.
Given the growing threat, the participating agencies strongly recommend a comprehensive, multilayered defence strategy so that attacks are detected and mitigated accordingly.
Organisations should use real-time threat intelligence feeds to identify suspiciously short DNS record lifespans, implement anomaly detection across DNS query logs, and analyse DNS record time-to-live (TTL) values for anomalies.
Network flow data can also support early detection, since inconsistent IP geolocations and irregular communication patterns are indicators of malicious activity.
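The detection heuristics described above, and the single-flux versus double-flux distinction from earlier in the article, as an added example that is not part of the article or the advisory: it runs over constructed passive-DNS-style observations and flags a domain when its A records have short TTLs and spread across many autonomous systems (single flux), and additionally when its NS records rotate (double flux), while leaving a low-TTL CDN domain alone. The domain names, ASNs and thresholds are illustrative assumptions.

```python
# Fast-flux heuristics over constructed passive-DNS observations.
# Observation tuple: (domain, rtype, rdata, ttl, origin_asn). Domain names,
# ASNs and thresholds are illustrative assumptions, not values from the advisory.
from collections import defaultdict
from statistics import median

# Constructed sample: a CDN-backed site (short TTL but one ASN), a single-flux
# domain (many IPs across many ASNs) and a double-flux domain (the same, plus a
# rotating set of authoritative name servers).
OBSERVATIONS = (
    [("cdn.example.com", "A", f"198.51.100.{i}", 60, 64500) for i in range(1, 9)]
    + [("cdn.example.com", "NS", "ns1.example.com", 86400, 64500)]
    + [("flux1.example.net", "A", f"203.0.113.{i}", 60, 64501 + i) for i in range(1, 9)]
    + [("flux1.example.net", "NS", "ns.flux1.example.net", 300, 64510)]
    + [("flux2.example.org", "A", f"192.0.2.{i}", 30, 64520 + i) for i in range(1, 9)]
    + [("flux2.example.org", "NS", f"ns{i}.flux2.example.org", 120, 64530 + i)
       for i in range(1, 6)]
)

def profile(observations):
    """Per-domain features: A-record IPs, their origin ASNs and TTLs, NS names."""
    prof = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": [], "ns": set()})
    for domain, rtype, rdata, ttl, asn in observations:
        p = prof[domain]
        if rtype == "A":
            p["ips"].add(rdata)
            p["asns"].add(asn)
            p["ttls"].append(ttl)
        elif rtype == "NS":
            p["ns"].add(rdata)
    return prof

def classify(observations, max_ttl=300, min_ips=5, min_asns=3, min_ns=3):
    """Return {domain: 'double-flux' | 'single-flux' | 'stable'}.
    A short TTL alone proves nothing (CDNs use short TTLs too): A records must
    also spread across several autonomous systems, as a botnet of compromised
    hosts does and a CDN normally does not. Rotating NS names marks double flux."""
    verdicts = {}
    for domain, p in profile(observations).items():
        a_flux = (bool(p["ttls"]) and median(p["ttls"]) <= max_ttl
                  and len(p["ips"]) >= min_ips and len(p["asns"]) >= min_asns)
        if a_flux and len(p["ns"]) >= min_ns:
            verdicts[domain] = "double-flux"
        elif a_flux:
            verdicts[domain] = "single-flux"
        else:
            verdicts[domain] = "stable"
    return verdicts
```

Calling `classify(OBSERVATIONS)` labels the CDN domain stable, flux1 single-flux and flux2 double-flux; in practice the thresholds are tuned against a baseline of the organisation's own DNS traffic.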
The advisory lists several critical mitigation strategies for enterprises and organisations: blocking domains and IP addresses, reputation-based filtering of DNS traffic, monitoring and logging of network activity, and educating users about phishing.
The guidance stresses that collaboration with Internet Service Providers (ISPs), cybersecurity vendors, and particularly Protective DNS (PDNS) providers is essential to implementing these countermeasures effectively. Coordinated effort among infrastructure providers is needed to reduce the operational effectiveness of fast flux networks and to disrupt the cybercriminal ecosystem that depends on them.