International intelligence agencies raise the alarm on fast flux | CyberScoop<\/title> <meta name=\"description\" content=\"International intelligence and cybersecurity agencies jointly issued a warning Thursday about \u201cfast flux,\u201d an advanced technique used to evade detection.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/fast-flux-nsa-cisa-advisory-bulletproof-hosting\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"International intelligence agencies raise the alarm on fast flux\"> <meta property=\"og:description\" content=\"International intelligence and cybersecurity agencies jointly issued a warning Thursday about \u201cfast flux,\u201d an advanced technique used to evade detection.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/fast-flux-nsa-cisa-advisory-bulletproof-hosting\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-04-03T18:46:02+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-03T18:46:05+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg\"> <meta property=\"og:image:width\" content=\"6000\"> <meta property=\"og:image:height\" content=\"4000\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1742994400g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1743607778g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84081\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84081\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffast-flux-nsa-cisa-advisory-bulletproof-hosting%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffast-flux-nsa-cisa-advisory-bulletproof-hosting%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-84081 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/fast-flux-nsa-cisa-advisory-bulletproof-hosting\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.877922077922\">\n<div class=\"single-article__header-content\" readability=\"35.4\">\n<p> The NSA and its partners want organizations to protect themselves against the technique, which can be tough to spot. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84081\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg 6000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"35.914765605415\"><body readability=\"73.912061794415\"><\/p>\n<p>International intelligence and cybersecurity agencies jointly issued a warning Thursday about \u201cfast flux,\u201d an advanced technique used by cybercriminals and state-sponsored actors to evade detection and maintain resilient command and control infrastructure.<\/p>\n<p>Fast flux involves rapidly changing or swapping out IP addresses linked to a particular domain. These quick changes render malicious activity nearly invisible to defensive measures. When fast flux is used, the domain names associated with these ever-changing IP addresses act as proxies, facilitating a wide array of cybercriminal activities. <\/p>\n<p>The advisory was issued by the NSA along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Australian Signals Directorate\u2019s Australian Cyber Security Centre (ASD\u2019s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ).<\/p>\n<p>\u201cFast flux is an ongoing, serious threat to national security, and this guidance shares important insight we\u2019ve gathered about the threat,\u201d said NSA Cybersecurity Director Dave Luber.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The sheer number of IP addresses used in fast flux operations makes it a formidable challenge for cybersecurity professionals. Often reaching into the hundreds of thousands, these IP addresses are connected to a DNS record for minutes before being swapped out for another. This rapid turnover creates a scenario akin to searching for needles in a constantly shifting haystack, where both human observers and automated systems struggle to keep up with the changes.<\/p>\n<p>Furthermore, malicious actors make it harder to detect by using legitimate cloud service providers as a front to their operations. By blending malicious traffic with legitimate-looking data, these actors make it exceedingly tough for defenders to distinguish between harmful and benign activities.<\/p>\n<p>While the speed and sophistication of fast flux tactics make real-time interception nearly impossible, certain behavioral indicators can serve as warnings of malicious intent. These include the bulk procurement of domain names, the use of fake registration details for nameservers, and the rapid alteration of IP addresses associated with these domains. <\/p>\n<p>Intelligence agencies have observed fast flux being used across multiple threat vectors. Bulletproof hosting services, which disregard law enforcement requests and abuse notices, often offer fast flux as a service differentiator to help clients evade blocking.<\/p>\n<p>The technique has been documented in ransomware attacks, including those by Hive and Nefilim. Nation-state actors such as Gamaredon have employed fast flux to limit the effectiveness of IP blocking during their operations.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The advisory advocates for the implementation of a multi-layered detection and mitigation approach among protective DNS (PDNS) providers to close network defense gaps.<\/p>\n<p>\u201cService providers, especially Protective DNS providers, should track, share information about, and block fast flux as part of their provided cybersecurity services,\u201d an advisory from CISA reads. \u201cGovernment and critical infrastructure organizations should close this ongoing gap in network defenses by using cybersecurity and PDNS services that block malicious fast flux activity.\u201d<\/p>\n<p>You can read the full advisory <a href=\"https:\/\/media.defense.gov\/2025\/Apr\/02\/2003681172\/-1\/-1\/0\/CSA-FAST-FLUX.PDF\">here<\/a>. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6824758842444\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/international-intelligence-agencies-raise-the-alarm-on-fast-flux-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/fast-flux-nsa-cisa-advisory-bulletproof-hosting\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>International intelligence agencies raise the alarm on fast flux |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[682,78,452,4063,117,304,288],"tags":[687,86,454,4064,119,308,294],"class_list":["post-7512","post","type-post","status-publish","format-standard","hentry","category-bulletproof-hosting","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-fast-flux","category-government","category-national-security-agency-nsa","category-threats","tag-bulletproof-hosting","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-fast-flux","tag-government","tag-national-security-agency-nsa","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bulletproof-hosting\/\" rel=\"category tag\">bulletproof hosting<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fast-flux\/\" rel=\"category tag\">fast flux<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-security-agency-nsa\/\" rel=\"category tag\">National Security Agency (NSA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7512"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7512\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7512,"date":"2025-04-03T13:46:02","date_gmt":"2025-04-03T18:46:02","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84081"},"modified":"2025-04-03T13:46:02","modified_gmt":"2025-04-03T18:46:02","slug":"international-intelligence-agencies-raise-the-alarm-on-fast-flux","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/03\/international-intelligence-agencies-raise-the-alarm-on-fast-flux\/","title":{"rendered":"International intelligence agencies raise the alarm on fast flux"},"content":{"rendered":"