On the Move: Fast Flux in the Modern Threat Landscape

Executive summary

This report details an investigation into a fast flux network observed in 2024. It covers the technical details of the network, its observable infrastructure, the malware associated with it, and its presence on the dark web.

  • Observed 193 domains in 2024, 42 of which were used as nameservers.
  • Tracked 2960 unique IP addresses, with 82% originating from 10 countries.
  • Mapped the IPs to their Internet Service Providers, indicating the use of residential IPs.
  • Service is associated with the 2016 Dark Cloud/Sandiflux botnet.
  • Classified 87 client domains: 44 as C2s, 27 as droppers, and 16 as websites.
  • Dark web activity related to fast flux services dates back to 2008.
  • In 2024, at least four bulletproof hosting (BPH) services announced fast flux offerings, with prices starting in the low hundreds of dollars per domain.

For the complete article, visit: Bitsight.

This post is licensed under CC BY 4.0 by the author.