Tuesday, April 22, 2025
HomeBotnetSandiFlux - Hackers using Fast Flux Method in Wild For Malware Distribution

SandiFlux – Hackers using Fast Flux Method in Wild For Malware Distribution

Published on

SIEM as a Service

Follow Us on Google News

Hackers started using Fast Flux infrastructure in wild to hide the malicious activities such as malware and phishing campaigns. A new Fast flux infrastructure has been identified named as SandiFlux.

Fast Flux is a technique to have multiple IP addresses assigned to the same domain and they change consistently in quick sessions through DNS records.

Security researchers from Proofpoint identified a new Fast Flux infrastructure dubbed as SandiFlux used to distribute malware and it is acting as a proxy for Grand crab ransomware.

- Advertisement - Google News

Starting from December researchers observed new fast flux domain nodes and they decided to monitor separately along with some events from the dark cloud. Also, threat actors moved from DarkCloud to Sandiflux.

DarkCloud/Fluxxy botnet is centralized in Ukraine and Russia (77.4% and 14.5%), whereas SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3% of the botnet, respectively) also from other countries including Europe, Africa, the Middle East, and southern Asia.
Sandiflux
Sandiflux Heatmap

Starting from March 27, 2018, researchers spotted GandCrab ransomware C&C servers uses proxified SandiFlux infrastructure.

Sandiflux
Grandcrab proxified C&C communication

Although we have not observed a single overlap between DarkCloud and SandiFlux in the last four months, we cannot confirm that the two infrastructures are unrelated,” researchers said.

DarkCloud botnet was first uncovered in 2016 and it continues to expand, the botnet contains a huge number of name servers and it continues to change IP every minute to avoid detection.

Researchers concluded that “DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both are operated by the same actor who rents capabilities to other actors“.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious...

Samsung One UI Vulnerability Leaks Sensitive Data in Plain Text With No Expiration!

A glaring vulnerability has come to light within Samsung's One UI interface: the clipboard...

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands

A new malware named "RustoBot" has been discovered exploiting vulnerabilities in various router models...

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation

Researchers have uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, employing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands

A new malware named "RustoBot" has been discovered exploiting vulnerabilities in various router models...

FBI Alerts Public to Scammers Posing as IC3 Officials in Fraud Scheme

The Federal Bureau of Investigation (FBI) has issued a warning regarding an emerging scam...

New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have unveiled a new malware process injection technique dubbed "Waiting Thread Hijacking"...