Warning issued over ‘fast flux’ techniques used to obscure malicious signals on compromised networks
Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks


Organizations are at risk of falling prey to a common network evasion technique that allows threat actors to dodge detection and spread malware with impunity, law enforcement agencies have warned.
‘Fast flux’ is a domain-based technique used to hide communications sent by malware to its command and control (C2) infrastructure – the malicious servers that send out updates and new directions to malware on infected devices.
It works by repeatedly changing the DNS records for the C2 infrastructure, so that the malicious domain never resolves to a single, easily identifiable address for long enough for the victim’s cybersecurity team to pin it down.
Constantly shifting IP addresses also means that even if one is flagged as malicious and blocked, the malware can easily contact the C2 again through any number of other addresses.
To make matters harder for cybersecurity teams, the commands sent to the malware are often relayed via botnets, a swarm of infected devices. This further muddies the water when it comes to tracing signals, giving the hackers behind the C2 an extra layer of anonymity.
A more intensive method known as ‘double flux’ sees threat actors also swap out the DNS name servers used to store records for their malicious site, as an additional protection against being discovered by law enforcement.
Fast flux allows threat groups to cycle out IP addresses as many as several hundred times in a day, severely limiting the capability of security teams to pin down their malicious communications.
‘Fast flux’ techniques are being used to devastating effect
The use of fast flux techniques has been observed in Hive ransomware activity, by other ransomware groups, and by state-sponsored entities such as the Russian advanced persistent threat (APT) group Aqua Blizzard.
The methods were laid out in an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) alongside the National Security Agency (NSA) and Federal Bureau of Investigation (FBI).
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ) also issued the joint warning.
The combined law enforcement agencies noted that fast flux is also used to prevent authorities from disabling social engineering websites and to keep hacking forums online.
Fighting fast flux
To mitigate the threat posed by these techniques, security experts urged all organizations to adopt protective domain name system (PDNS) services, which come with features such as DNS sinkholing.
This allows security teams to intercept and block malicious DNS requests, thereby stemming the flow of attacks and flagging infected devices.
PDNS services also offer advanced monitoring, filtering, and analysis. They are available from a range of providers, and free of charge to eligible organizations in the UK via the National Cyber Security Centre (NCSC).
“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said Dave Luber, NSA Cybersecurity Director.
“It is imperative cybersecurity providers, especially Protective DNS providers, follow these guidelines to safeguard critical infrastructure and sensitive information.”
In addition to their advice for all organizations, the combined agencies provided cybersecurity service providers (CSPs) and internet service providers (ISPs) with a number of techniques known to produce good results against fast flux.
These included greater reliance on intelligence feeds to flag malicious domains, better use of anomaly detection to spot domains with unusually diverse IP addresses or geolocation data, and the development of algorithms that can match anomalous behavior to the fast flux methodology.
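As an added illustration of the anomaly-detection approach the agencies describe (example code written for this article, not taken from the advisory or from any PDNS provider), the script below groups DNS resolution records by domain and flags those whose answers spread across many addresses and many networks at short TTLs. The records and thresholds are constructed for the example, and the ASN column is assumed to come from a prior enrichment step; it stands in for the "geolocation data" diversity the advisory mentions, since a single CDN also rotates addresses but usually within one network.

```python
"""Flag fast-flux candidates from DNS resolution records (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample records: (domain, resolved_ip, ttl_seconds, asn).
# The asn field is assumed to be supplied by an enrichment step (hypothetical).
SAMPLE_RECORDS = [
    ("update-check.example", "203.0.113.10", 60, "AS64500"),
    ("update-check.example", "198.51.100.7", 60, "AS64501"),
    ("update-check.example", "192.0.2.44", 30, "AS64502"),
    ("update-check.example", "203.0.113.99", 60, "AS64503"),
    ("update-check.example", "198.51.100.200", 45, "AS64504"),
    ("update-check.example", "192.0.2.130", 60, "AS64505"),
    # A CDN-backed domain: several IPs and a low TTL, but one network.
    ("cdn.example", "203.0.113.1", 30, "AS64510"),
    ("cdn.example", "203.0.113.2", 30, "AS64510"),
    ("cdn.example", "203.0.113.3", 30, "AS64510"),
    # A plain corporate host: one stable address with a long TTL.
    ("intranet.example", "192.0.2.5", 3600, "AS64520"),
]


def score_domains(records, min_ips=5, min_asns=3, max_ttl=300):
    """Return {domain: stats}; stats["fast_flux"] is True when the domain
    resolves to at least min_ips addresses in at least min_asns networks
    with a median TTL of at most max_ttl seconds (illustrative thresholds)."""
    by_domain = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": []})
    for domain, ip, ttl, asn in records:
        entry = by_domain[domain]
        entry["ips"].add(ip)
        entry["asns"].add(asn)
        entry["ttls"].append(ttl)
    result = {}
    for domain, entry in by_domain.items():
        med_ttl = median(entry["ttls"])
        diverse = len(entry["ips"]) >= min_ips and len(entry["asns"]) >= min_asns
        result[domain] = {
            "distinct_ips": len(entry["ips"]),
            "distinct_asns": len(entry["asns"]),
            "median_ttl": med_ttl,
            "fast_flux": diverse and med_ttl <= max_ttl,
        }
    return result


def flagged_domains(records, **thresholds):
    """Sorted list of domains that meet the fast-flux criteria."""
    scores = score_domains(records, **thresholds)
    return sorted(d for d, s in scores.items() if s["fast_flux"])


if __name__ == "__main__":
    for domain, stats in score_domains(SAMPLE_RECORDS).items():
        print(domain, stats)
```

Running it flags only update-check.example; the CDN domain fails the network-diversity test even though its TTL is low, which is why address count alone is a poor signal.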
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.