
What Is Fast Flux? Inside the DNS Evasion Technique


Cybersecurity authorities from Australia, Canada, New Zealand, and the United States have issued a joint warning about the increasing use of a stealthy technique known as fast flux, which threat actors are exploiting to conceal the locations of their command-and-control (C2) infrastructure. According to the advisory, fast flux works by rapidly rotating the DNS records associated with a single domain, making it very difficult for defenders to pinpoint or block the malicious servers behind it.

This tactic has become more widespread in recent years, especially among threat groups such as Gamaredon, CryptoChameleon, and Raspberry Robin. The goal is to build resilient infrastructure that evades detection and survives takedown attempts by authorities. The advisory was jointly released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, the Australian Signals Directorate, the Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre.

Fast flux isn’t a new concept; it was first documented in 2007 by the Honeynet Project. It remains effective because it undermines detection mechanisms that assume a domain resolves to a stable set of addresses. There are two primary variants. In single flux, a domain name is mapped to a constantly changing set of IP addresses, typically with very short TTLs so that resolvers discard each answer almost as soon as they receive it. In double flux, the authoritative name servers responsible for resolving the domain are rotated as well, so even the NS records point at short-lived hosts, adding a layer of indirection that frustrates traditional network defenses.

The effectiveness of fast flux lies in its use of a large pool of compromised devices or rented infrastructure, rotated through quickly to distribute traffic and avoid IP-based denylisting. As noted by Palo Alto Networks’ Unit 42, each IP is used only briefly, so any single address has minimal exposure and blocklisting it achieves little. It is a high-effort, high-evasion strategy that lets threat actors maintain operational continuity in the face of active disruption attempts.

While its core application is hiding C2 servers, fast flux also plays a key role in hosting phishing sites and distributing malware. Rapid switching of IPs and DNS records lets malicious websites stay online longer and evade filters that rely on static indicators. This flexibility and persistence have led the agencies to describe fast flux as a national security threat, especially as attackers become more adept at using it in targeted campaigns.

To defend against fast flux-based attacks, organizations are advised to adopt a layered approach: blocking IPs associated with known fast flux domains, sinkholing malicious traffic, monitoring DNS activity for abnormal resolution patterns (many distinct IPs for one name, very low TTLs, answers spread across unrelated networks), filtering traffic from low-reputation domains or IPs, and strengthening phishing awareness across the workforce. These steps reduce the risk of compromise even when attackers employ evasive infrastructure tactics.
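The single-flux and double-flux patterns described above, and the "abnormal resolution patterns" the advisory tells defenders to monitor for, can be made concrete with a small triage script over passive-DNS style records. The following is an added example written for this page, not code from the advisory or from any of the vendors quoted. The log lines, domain names, and thresholds are constructed for illustration (all addresses come from RFC 5737 documentation ranges), and the /24 prefix count is used as an offline stand-in for the ASN diversity a production detector would compute from BGP data.

```python
"""Heuristic fast-flux triage over passive-DNS style records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean
import ipaddress

# Constructed log lines in the form "<epoch> <qname> <rtype> <rdata> <ttl>". Fictional domains;
# login-secure.example is built to look double-flux, update.example single-flux, and the
# cdn.example.net entries mimic a CDN that also rotates IPs on a short TTL but within one network.
SAMPLE_LOG = """\
1700000000 login-secure.example A 203.0.113.10 60
1700000060 login-secure.example A 198.51.100.77 60
1700000120 login-secure.example A 192.0.2.45 60
1700000180 login-secure.example A 203.0.113.200 60
1700000240 login-secure.example A 198.51.100.9 60
1700000300 login-secure.example A 192.0.2.131 60
1700000000 login-secure.example NS ns1.rotating.example 120
1700000120 login-secure.example NS ns7.rotating.example 120
1700000240 login-secure.example NS ns3.rotating.example 120
1700000000 ns1.rotating.example A 203.0.113.33 60
1700000120 ns7.rotating.example A 198.51.100.150 60
1700000240 ns3.rotating.example A 192.0.2.77 60
1700000000 update.example A 203.0.113.50 60
1700000060 update.example A 198.51.100.20 60
1700000120 update.example A 192.0.2.8 60
1700000180 update.example A 203.0.113.51 60
1700000240 update.example A 198.51.100.21 60
1700000000 update.example NS ns1.example.org 86400
1700000000 update.example NS ns2.example.org 86400
1700000000 www.example.org A 192.0.2.1 3600
1700003600 www.example.org A 192.0.2.1 3600
1700000000 www.example.org NS ns1.example.org 86400
1700000000 www.example.org NS ns2.example.org 86400
1700000000 cdn.example.net A 203.0.113.5 30
1700000030 cdn.example.net A 203.0.113.6 30
1700000060 cdn.example.net A 203.0.113.7 30
1700000090 cdn.example.net A 203.0.113.8 30
1700000120 cdn.example.net A 203.0.113.9 30
1700000150 cdn.example.net A 203.0.113.10 30
"""

# Illustrative thresholds (assumptions for this example, tune against your own baseline).
MIN_UNIQUE_IPS = 5      # distinct A answers for one name
MIN_PREFIXES = 3        # distinct /24s those answers span (proxy for ASN diversity)
MAX_A_TTL = 300         # seconds; flux answers are usually far below this
MIN_NS_NAMES = 3        # distinct NS hostnames seen for the zone
MAX_NS_TTL = 600        # stable zones keep NS TTLs in the hours-to-days range
MIN_NS_PREFIXES = 2     # the NS hosts themselves spread across networks


@dataclass
class Record:
    ts: int
    qname: str
    rtype: str
    rdata: str
    ttl: int


@dataclass
class Profile:
    a_ips: set = field(default_factory=set)
    a_ttls: list = field(default_factory=list)
    ns_names: set = field(default_factory=set)
    ns_ttls: list = field(default_factory=list)


def parse_log(text):
    """Parse whitespace-separated passive-DNS lines into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, rtype, rdata, ttl = line.split()
        records.append(Record(int(ts), qname.lower().rstrip("."), rtype.upper(),
                              rdata.lower().rstrip("."), int(ttl)))
    return records


def prefix24(ip):
    """Return the /24 containing ip, used here as a cheap network-diversity measure."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_profiles(records):
    """Aggregate A and NS observations per queried name."""
    profiles = defaultdict(Profile)
    for r in records:
        p = profiles[r.qname]
        if r.rtype == "A":
            p.a_ips.add(r.rdata)
            p.a_ttls.append(r.ttl)
        elif r.rtype == "NS":
            p.ns_names.add(r.rdata)
            p.ns_ttls.append(r.ttl)
    return profiles


def classify(domain, profiles):
    """Label a name benign, single-flux or double-flux from its resolution profile."""
    p = profiles.get(domain)
    if p is None or not p.a_ips:
        return "unknown"
    prefixes = {prefix24(ip) for ip in p.a_ips}
    # Single flux: many short-lived A answers scattered across unrelated networks.
    # The prefix check is what keeps a CDN (many IPs, one network) from being flagged.
    single = (len(p.a_ips) >= MIN_UNIQUE_IPS and len(prefixes) >= MIN_PREFIXES
              and mean(p.a_ttls) <= MAX_A_TTL)
    if not single:
        return "benign"
    # Double flux: the zone's NS set churns too, and the NS hosts are themselves flux nodes.
    ns_ips = set()
    for ns in p.ns_names:
        ns_profile = profiles.get(ns)
        if ns_profile is not None:
            ns_ips |= ns_profile.a_ips
    ns_prefixes = {prefix24(ip) for ip in ns_ips}
    double = (len(p.ns_names) >= MIN_NS_NAMES and bool(p.ns_ttls)
              and mean(p.ns_ttls) <= MAX_NS_TTL and len(ns_prefixes) >= MIN_NS_PREFIXES)
    return "double-flux" if double else "single-flux"


def triage(log_text):
    """Classify every name that has A answers in the log."""
    profiles = build_profiles(parse_log(log_text))
    return {d: classify(d, profiles) for d in sorted(profiles) if profiles[d].a_ips}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG).items():
        print(f"{name:28} {verdict}")
```

Run against the constructed log, login-secure.example comes out as double-flux, update.example as single-flux, and both www.example.org and cdn.example.net as benign. The CDN case is the caveat that matters in practice: low TTLs and many addresses are not enough on their own, and without a network-diversity signal (here the /24 count, ideally ASN or geolocation) a detector like this would flood analysts with content-delivery and load-balanced hostnames. In production the aggregation should also be done per time window rather than over the whole log, so that a domain that legitimately migrated hosting last year is not scored on stale answers.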

Renee Burton, VP of threat intelligence at Infoblox, called fast flux a “very old” method but acknowledged that it requires a high degree of operational skill to maintain. While easier alternatives such as dynamic DNS services exist, threat actors still need to control DNS settings and secure hosting, either by compromising machines or purchasing infrastructure. Burton noted that while fast flux isn’t universally adopted because of its resource requirements, it is still favored by sophisticated actors who value its ability to outmaneuver traditional defense mechanisms.

She also pointed out that adversaries are increasingly turning to traffic distribution systems (TDS) and domain cloaking to extend the lifespan of their malicious infrastructure. By leveraging components of the digital advertising ecosystem, some attackers can even introduce a layer of plausible deniability, much like bulletproof hosting services. Combined with fast flux, these tactics make takedown efforts even more complicated.

The joint advisory stresses the need for heightened vigilance and proactive security measures. As fast flux continues to support resilient, hidden infrastructure for malware and phishing campaigns, defenders must evolve their detection and response strategies accordingly. Without robust DNS monitoring, dynamic threat intelligence, and cross-border cooperation, fast flux-based threats will remain a persistent challenge for security teams worldwide.
