Sandiflux: Another botnet using Fast Flux technology has emerged



SandiFlux is a new Fast flux infrastructure has been identified. Hackers started using Fast Flux infrastructure in wild to hide the malicious activities such as malware and phishing campaigns.

Fast Flux is a technique to have multiple IP addresses assigned to the same domain and they change consistently in quick sessions through DNS records.

Security researchers from Proofpoint identified a new Fast Flux infrastructure dubbed as SandiFlux used to distribute malware and it is acting as a proxy for Grand crab ransomware.

Starting from December researchers observed new fast flux domain nodes and they decided to monitor separately along with some events from the dark cloud. Also, threat actors moved from DarkCloud to Sandiflux.



Proofpoint said that their findings come from long-term observations of the DarkCloud botnet. DarkCloud has been using Fastflux technology since 2014. Most infected computers that makeup Dark Cloud are concentrated in Ukraine and Russia (77.4% and 14.5%, respectively).

Unlike DarkCloud, SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3%, respectively), but also a small number of other areas, such as Europe, Africa, the Middle East and southern Asia.



Similar services as SandiFlux:

Similar services are offered by operators Dark Cloud, also Fluxxy, a multi-purpose botnet, whose activities in Proofpoint have been monitored since 2014. This infrastructure allows you to quickly and automatically change IP addresses, domains and even DNS servers to extend the life of fraudulent sites, malicious sites and C & C servers .

Dark Cloud is widely used by carders , exploit-pack operators , authors of malvertising-campaigns, spammers, phishers, herdsmen and malware operators – for example, downhiller Furtim, also SFG .



Now, according to Proofpoint, some of these intruders began to migrate to SandiFlux. So, in February a new opportunity was tested by the distributor zloader – the author of malicious campaigns, which the researchers conventionally call TA547. In November, this attacker, according to observations, used the infrastructure of Dark Cloud.




Fast Flux DNS has proved to be a powerful tool for threat actors looking to hide dark web sites, malicious infrastructure, and other web-based operations from researchers and law enforcement. While DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both DarkCloud and SandiFlux are operated by the same actor who rents capabilities to other actors. GandCrab ransomware in particular now has its command and control proxied behind SandiFlux, although a number of other actors we track are making use of the infrastructure to mass their operations. While direct effects on compromised hosts include performance and bandwidth degradation, the more significant global impact is increased capacity for providing Fast Flux DNS to threat actors.



Most Popular Training Courses at Indian Cyber Security Solutions:


Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training


Cybersecurity services that can protect your company:


Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery


Leave a Reply

Your email address will not be published. Required fields are marked *



Click one of our representatives below to chat on WhatsApp or send us an email to [email protected]

× Hi How can we help you