In what some experts are calling a “big-time wakeup call” to security teams globally, a joint advisory was issued April 3 by government officials in the United States, Australia, Canada, and New Zealand warning that threat actors are using the well-known “fast flux” technique to change domain name system (DNS) records, evade detection, and compromise enterprise networks.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the FBI are so adamant about the increased use and sophistication of fast flux among threat actors, they have deemed it a “significant threat to national security.”
While fast flux has been around since at least 2007, the technique’s recent resurgence and the attention it’s getting now highlight a shift in how threat actors leverage it. Security pros say what makes today’s advisory stand out is the scale and sophistication of its use by nation-state actors and cybercriminals.
“Fast flux isn’t just about hiding malicious infrastructure anymore—it’s about creating a resilient, almost bulletproof command-and-control (C2) system that’s harder to disrupt,” explained Casey Ellis, founder of Bugcrowd. “That’s a big deal, especially for sectors like defense, where the stakes are incredibly high. This isn’t a routine warning. It’s a call to action for organizations to step up their game and treat fast flux as the serious, evolving threat that it is.”
Ellis pointed out that the timing of the advisory likely reflects two developments: First, we’re seeing an uptick in fast flux being used in active campaigns, particularly by advanced persistent threat (APT) groups. Second, it’s a recognition that traditional defenses aren’t keeping up: The NSA, CISA, and the FBI are signaling that this isn’t just a technical nuisance—it’s a national security issue that demands immediate attention, said Ellis.
Although the advisory specifically mentions ransomware gangs and Russian APT groups, the use of fast flux is not confined to these actors. Other nation-state entities and organized cybercriminal groups have also adopted this method to bolster their malicious operations, reflecting its widespread appeal among various adversaries.
For example, the Storm botnet of 2007 used fast flux to obscure the locations of its command-and-control servers, the GameOver peer-to-peer variant of the Zeus malware family leveraged fast flux techniques to evade detection and takedown, and the more recent Gamaredon Group has been observed using DNS fast flux to conceal its staging infrastructure.
“This advisory is not routine,” said Callie Guenther, senior manager of cyber threat research at Critical Start. “It identifies a persistent tactic now embedded in adversary operations and warns of a capability gap among defensive services. Organizations should not assume fast flux is being detected or mitigated by default. Validation of DNS monitoring capabilities and engagement with service providers is necessary.”
Guenther, an SC Media columnist, said based on the NSA's report and her own threat intelligence, fast flux is no longer peripheral. It's part of the infrastructure layer that enables long-term access, control, and disruption, and should be prioritized accordingly in both defensive strategy and threat intelligence analysis.
Fast flux has long been documented as a DNS evasion technique, said Guenther, but its integration into the operations of both ransomware groups like Hive and Nefilim and state-sponsored actors like Gamaredon reflects a broader trend: adversaries are operationalizing infrastructure that’s designed to persist, evade detection, and resist takedown. The technique supports command and control channels by rotating IP addresses and DNS records at high frequency, complicating attribution and mitigation efforts.
“From a cybersecurity standpoint, fast flux presents detection challenges: dynamic IP rotation, low TTL values, and geolocation inconsistencies are difficult to separate from legitimate content delivery behavior,” said Guenther. “However, from an intelligence perspective, fast flux provides operational cover for threat actors. It impedes attribution, disrupts forensic investigations, and supports the longevity of campaigns in contested environments.”
Guenther added that the advisory specifically warns that many Protective DNS (PDNS) services are not configured to detect or mitigate fast flux, creating a blind spot in network defenses. She said the timing of this advisory reflects shifts in threat actor behavior. Guenther said the bulletproof hosting providers are now marketing fast flux capabilities on underground forums as a service feature, adding that this development lowers the technical barrier for deploying resilient infrastructure and enables a wider set of actors to evade detection.
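The detection signals Guenther lists (low TTLs, rapid IP rotation, and geolocation inconsistencies) can be checked directly against passive-DNS or resolver logs. The script below is an added example, not code from the advisory, from SC Media, or from any vendor quoted here; it scores each hostname on those signals over a handful of constructed resolution records. The thresholds, the ASN/country enrichment fields, and the sample hostnames and IPs (all from reserved documentation ranges and the `.test` TLD) are assumptions. It also shows the caveat the article raises: a CDN-style hostname with many low-TTL IPs in one network scores below the alert line, while the fluxing one, spread across many ASNs and countries, does not.

```python
"""Heuristic fast-flux scoring over DNS resolution observations.

Added example; not the advisory's or any vendor's code. Assumes each
observation has already been enriched with the ASN and country of the
resolved IP (for instance by a passive-DNS pipeline). All thresholds
and sample records below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # unix time the resolution was seen
    name: str      # queried hostname
    ip: str        # resolved address
    ttl: int       # TTL of the answer, in seconds
    asn: int       # ASN of the resolved IP (assumed enrichment field)
    country: str   # country of the resolved IP (assumed enrichment field)


# Assumed thresholds; tune against your own resolver baseline.
THRESHOLDS = {
    "max_ttl": 300,            # median TTL at or below this counts as "low"
    "min_unique_ips": 5,       # distinct addresses seen for one name
    "min_unique_asns": 3,      # distinct networks hosting those addresses
    "min_unique_countries": 3, # distinct geolocations for those addresses
}

# Constructed sample records (documentation IP ranges, .test hostnames).
SAMPLE = [
    # Stable site: long TTL, two addresses, one network, one country.
    DnsObservation(1000, "www.example-shop.test", "198.51.100.10", 3600, 64500, "US"),
    DnsObservation(1600, "www.example-shop.test", "198.51.100.11", 3600, 64500, "US"),
    DnsObservation(2200, "www.example-shop.test", "198.51.100.10", 3600, 64500, "US"),
    # CDN-like: low TTL and many addresses, but all in one ASN, two countries.
    DnsObservation(1000, "static.cdn-like.test", "192.0.2.21", 60, 64510, "US"),
    DnsObservation(1060, "static.cdn-like.test", "192.0.2.22", 60, 64510, "US"),
    DnsObservation(1120, "static.cdn-like.test", "192.0.2.23", 60, 64510, "US"),
    DnsObservation(1180, "static.cdn-like.test", "192.0.2.24", 60, 64510, "DE"),
    DnsObservation(1240, "static.cdn-like.test", "192.0.2.25", 60, 64510, "DE"),
    # Flux-like: low TTL, a new address on nearly every lookup, spread over
    # unrelated networks and countries (the pattern of compromised hosts).
    DnsObservation(1000, "cdn-update.flux.test", "203.0.113.5", 60, 64501, "BR"),
    DnsObservation(1060, "cdn-update.flux.test", "203.0.113.77", 60, 64502, "DE"),
    DnsObservation(1120, "cdn-update.flux.test", "203.0.113.130", 60, 64503, "IN"),
    DnsObservation(1180, "cdn-update.flux.test", "203.0.113.9", 60, 64504, "KR"),
    DnsObservation(1240, "cdn-update.flux.test", "203.0.113.201", 60, 64505, "AR"),
    DnsObservation(1300, "cdn-update.flux.test", "203.0.113.44", 60, 64501, "BR"),
]


def group_by_name(observations):
    """Bucket observations by hostname so each name is scored on its own."""
    grouped = defaultdict(list)
    for obs in observations:
        grouped[obs.name].append(obs)
    return grouped


def score_domain(observations):
    """Return (score, reasons) for one hostname; one point per signal hit."""
    if not observations:
        return 0, []
    ttls = sorted(o.ttl for o in observations)
    median_ttl = ttls[len(ttls) // 2]       # median resists one odd answer
    ips = {o.ip for o in observations}
    asns = {o.asn for o in observations}
    countries = {o.country for o in observations}

    score, reasons = 0, []
    if median_ttl <= THRESHOLDS["max_ttl"]:
        score += 1
        reasons.append(f"median TTL {median_ttl}s")
    if len(ips) >= THRESHOLDS["min_unique_ips"]:
        score += 1
        reasons.append(f"{len(ips)} distinct IPs in {len(observations)} lookups")
    # ASN and country spread are what separate flux from a CDN, which also
    # rotates low-TTL addresses but keeps them inside its own networks.
    if len(asns) >= THRESHOLDS["min_unique_asns"]:
        score += 1
        reasons.append(f"{len(asns)} distinct ASNs")
    if len(countries) >= THRESHOLDS["min_unique_countries"]:
        score += 1
        reasons.append(f"{len(countries)} distinct countries")
    return score, reasons


def find_flux_candidates(observations, min_score=3):
    """Map hostname -> (score, reasons) for names at or above min_score."""
    candidates = {}
    for name, obs in group_by_name(observations).items():
        score, reasons = score_domain(obs)
        if score >= min_score:
            candidates[name] = (score, reasons)
    return candidates


if __name__ == "__main__":
    for name, (score, reasons) in find_flux_candidates(SAMPLE).items():
        print(f"{name}: score {score} ({'; '.join(reasons)})")
```

The CDN-like name scores 2 (low TTL plus many IPs) and stays below the alert line, which is the point of requiring ASN and country spread rather than TTL alone; in production the same scoring would run over a rolling window per hostname, and the counts per window, not the absolute values here, would set the thresholds.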
John DiLullo, chief executive officer of Deepwatch, added that his team thinks today’s advisory will hit many companies “like a double espresso.”
“Any enterprise relying on IP reputation as a credible means of securing their infrastructure or proprietary data is a soft target for this type of exploit,” said DiLullo. “Fortunately, correlative detection techniques, especially those leveraging ‘low and slow’ machine learning methods can defeat these intrusions handily, but many companies' infrastructures simply aren't there yet. This is a big-time wakeup call.”