The FBI, the Cybersecurity and Infrastructure Security Agency and a group of international partners on Thursday warned that cyber threat groups are using a technique called “fast flux” to hide the locations of malicious servers, posing a significant threat to national security.
Authorities warned that both criminal and state-linked threat groups have used fast flux to obfuscate the locations of these servers by rapidly changing Domain Name System (DNS) records. The technique also lets them build highly resilient command and control (C2) infrastructure that conceals their malicious operations, particularly in connection with botnets.
Fast flux techniques are not only used for C2 communications but also in phishing campaigns to protect social engineering websites from being blocked or taken down, authorities said.
Authorities did not specify whether there is an active campaign using fast flux or directly name any threat actor currently using the technique. However, they did reference past activity, noting that fast flux has been used in previous ransomware attacks linked to Hive and Nefilim. Additionally, a Russia-backed threat actor known as Gamaredon has also used fast flux to mask threat activities, according to the advisory.
Andy Piazza, senior director of threat intelligence at Palo Alto Networks’ Unit 42, said fast flux is a way for adversaries to impose costs on security operations teams by making it very costly and difficult to detect ongoing threat activities.
Piazza said fast flux was used by Trident Ursa during the early days of the Russian invasion of Ukraine.
Fast flux allows an adversary to quickly change their infrastructure, according to Piazza, by changing hundreds and hundreds of domains every minute.
“Makes it very hard for the SOC to investigate, block or stay ahead of it,” he said. “Takes a lot more time, takes a lot more money.”
According to the advisory, there are two variants of the technique, single flux and double flux. In single flux, a single domain name is associated with multiple IP addresses that are swapped in and out. Double flux not only changes the domain name but also changes the DNS name server.
Authorities suggested several steps to detect and mitigate the activity:
- Implement anomaly detection systems for DNS query logs.
- Use threat intelligence feeds to identify known fast flux domains and related IP addresses.
- Increase logging and monitoring of DNS traffic.
- Consider sinkholing malicious domains.
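A heuristic version of the first step above, added here as an example and not code from the advisory or the agencies behind it: it aggregates constructed DNS resolver log lines per domain and flags single flux (many IPs spread across several /24s with short TTLs) and double flux (name servers rotating as well). The log format, domain names, IP addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict
# Constructed sample resolver log, one answer record per line:
# "<epoch> <qname> <rtype> <answer> <ttl>". Names and IPs are placeholders.
SAMPLE_LOG = """\
1000 cdn.example.net A 203.0.113.10 3600
1300 cdn.example.net A 203.0.113.10 3600
1000 update-check.example A 198.51.100.7 60
1060 update-check.example A 192.0.2.44 60
1120 update-check.example A 203.0.113.91 60
1180 update-check.example A 192.0.2.130 60
1000 update-check.example NS ns1.flux-host.example 120
1130 update-check.example NS ns7.other-host.example 120
1260 update-check.example NS ns3.third-host.example 120
"""

def collect(log_text):
    """Aggregate per-domain A answers, /24 prefixes, NS answers and the lowest A TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(), "min_ttl": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # ignore malformed lines instead of aborting the whole run
        _ts, qname, rtype, answer, ttl = parts
        s = stats[qname.lower()]
        if rtype == "A":
            s["ips"].add(answer)
            s["nets"].add(answer.rsplit(".", 1)[0])  # /24 prefix as a crude spread measure
            s["min_ttl"] = int(ttl) if s["min_ttl"] is None else min(s["min_ttl"], int(ttl))
        elif rtype == "NS":
            s["ns"].add(answer.lower())
    return stats

def classify(stats, min_ips=4, min_nets=3, max_ttl=300, min_ns=3):
    """Label each domain benign, single-flux (many spread-out IPs, low TTL) or double-flux (NS churn too)."""
    verdicts = {}
    for qname, s in stats.items():
        ip_flux = (len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets
                   and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl)
        if ip_flux and len(s["ns"]) >= min_ns:
            verdicts[qname] = "double-flux"
        elif ip_flux:
            verdicts[qname] = "single-flux"
        else:
            verdicts[qname] = "benign"
    return verdicts

if __name__ == "__main__":
    for name, verdict in sorted(classify(collect(SAMPLE_LOG)).items()):
        print(f"{name}: {verdict}")
```

Legitimate CDNs and large services also answer with many low-TTL addresses, so in practice these thresholds need an allowlist or a threat intelligence feed (the second step above) to keep false positives down.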