Also: Gootloader Malware, GCHQ Intern Pleads Guilty, Check Point Breach Update

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, a “fast flux” warning from Five Eyes cyber agencies, Gootloader malware spreading through Google Ads, a GCHQ intern who pleaded guilty to stealing top secret data, and Check Point’s rebuttal of a hacking claim. Also, Google rolled out end-to-end encryption for some Gmail users, Apple backported zero-day patches and Dutch prosecutors cut their internet access.
Fast Flux Method Resists Easy Detection
Cyber agencies from the Five Eyes intelligence alliance of English-speaking countries warned that nation-state and cybercriminal actors have adopted content delivery network-like techniques to make malicious infrastructure harder to take down.
In a Thursday advisory, the agencies acknowledge that sorting out malicious use of a technique called “fast flux” from legitimate CDN traffic “remains an ongoing challenge.”
The technique maps a single malicious domain used for command and control to many IP addresses, with DNS answers that change rapidly. Should defenders block network access to one IP address, the domain simply resolves to another. In a variant known as “double flux,” attackers also rotate the authoritative name servers for the domain, providing “an additional layer of redundancy and anonymity for malicious domains.”
The agencies recommend countermeasures such as anomaly detection for DNS queries that flags rotating IP addresses behind a single domain: “Fast flux domains will frequently cycle through tens or hundreds of IP addresses per day.” Inconsistent IP address geolocation is another tell.
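The detection the agencies describe, as an added example in Python (not code from the article or the Five Eyes advisory): it groups passive-DNS observations by domain and day, counts distinct IP addresses, AS numbers, countries and name servers, and flags a domain only when many IPs with short TTLs are also scattered across unrelated networks or countries, which is what separates fast flux from a CDN that also answers with many short-lived IPs. The thresholds and the short-TTL heuristic are assumptions, and every domain, address, AS number and country code in the sample records is constructed.

```python
"""Passive-DNS heuristics for spotting fast-flux domains.

Added example, not code from the ISMG article or the Five Eyes advisory.
It implements the tells the article quotes (tens to hundreds of IPs per day,
inconsistent geolocation, rotating name servers for double flux) plus a
short-TTL heuristic added here as an assumption. All thresholds are assumed
values, and the sample records are constructed with fictional domains,
addresses, AS numbers and country codes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # epoch seconds when the resolution was observed
    qname: str     # queried domain
    rtype: str     # "A" (address) or "NS" (authoritative name server)
    rdata: str     # resolved IP for A records, server name for NS records
    ttl: int       # TTL in seconds
    asn: int       # AS number hosting rdata (0 for NS records)
    country: str   # geolocation of rdata ("" for NS records)


# Assumed thresholds; tune against your own baseline of legitimate CDN traffic.
MIN_DISTINCT_IPS = 10        # advisory: tens to hundreds of IPs per day
MAX_MEDIAN_TTL = 300         # assumption: fast-flux answers are short-lived
MIN_DISTINCT_ASNS = 3        # a CDN's IPs usually sit in its own network(s)
MIN_DISTINCT_COUNTRIES = 3   # "inconsistent IP address geolocation"
MIN_DISTINCT_NS = 5          # double flux: the name servers rotate too


def score_group(qname, observations):
    """Compute indicators for one domain's records inside one time window."""
    a_recs = [o for o in observations if o.rtype == "A"]
    ns_recs = [o for o in observations if o.rtype == "NS"]
    ttls = sorted(o.ttl for o in a_recs)
    median_ttl = ttls[len(ttls) // 2] if ttls else None
    ind = {
        "qname": qname,
        "distinct_ips": len({o.rdata for o in a_recs}),
        "median_ttl": median_ttl,
        "distinct_asns": len({o.asn for o in a_recs}),
        "distinct_countries": len({o.country for o in a_recs}),
        "distinct_ns": len({o.rdata for o in ns_recs}),
    }
    # Many IPs with short TTLs alone looks like a CDN; require the IPs to be
    # scattered across unrelated networks or countries as well.
    ind["fast_flux"] = (
        ind["distinct_ips"] >= MIN_DISTINCT_IPS
        and median_ttl is not None and median_ttl <= MAX_MEDIAN_TTL
        and (ind["distinct_asns"] >= MIN_DISTINCT_ASNS
             or ind["distinct_countries"] >= MIN_DISTINCT_COUNTRIES)
    )
    ind["double_flux"] = ind["fast_flux"] and ind["distinct_ns"] >= MIN_DISTINCT_NS
    return ind


def detect(observations, window=86_400):
    """Group records by (domain, window) and return indicators for each group."""
    groups = defaultdict(list)
    for o in observations:
        groups[(o.qname, o.ts // window)].append(o)
    return [score_group(q, recs) for (q, _), recs in sorted(groups.items())]


def build_samples():
    """Constructed passive-DNS records; every value here is fictional."""
    base = 19_676 * 86_400  # aligned to a window boundary
    obs = []
    # CDN-fronted site: 24 IPs with 60 s TTLs, but one ASN and one country.
    for i in range(24):
        obs.append(DnsObservation(base + i * 3_600, "cdn-example.test", "A",
                                  f"198.51.100.{i + 1}", 60, 64500, "US"))
    # Fast-flux C2: 40 IPs spread over 12 ASNs and 8 countries in one day,
    # plus 8 rotating name servers.
    countries = ["BR", "IN", "DE", "US", "VN", "TR", "PL", "AR"]
    for i in range(40):
        obs.append(DnsObservation(base + i * 2_000, "c2-example.test", "A",
                                  f"203.0.113.{i + 1}", 120, 65_000 + i % 12,
                                  countries[i % len(countries)]))
    for i in range(8):
        obs.append(DnsObservation(base + i * 10_000, "c2-example.test", "NS",
                                  f"ns{i}.c2-example.test", 120, 0, ""))
    return obs


if __name__ == "__main__":
    for finding in detect(build_samples()):
        print(finding)
```

Run against real passive-DNS data, the ASN and country requirements are what keep this from paging on every CDN-fronted site; the advisory's own caveat that separating fast flux from legitimate CDN traffic "remains an ongoing challenge" is exactly the case of a CDN with a deliberately diverse footprint, so treat hits as leads for enrichment rather than block decisions.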
Gootloader Malware Spreads via Google Ads Targeting Legal Templates
Attackers behind Gootloader malware are using Google Ads to distribute their infostealing payload, targeting users searching for legal templates. A security researcher with the alias “Gootloader” – same as the malware – found the ads, placed through the U.K.-based Med Media Group, redirect victims to a malicious site, lawliner.com.
Gootloader malware previously relied on SEO poisoning to lure legal professionals to infected WordPress sites. Attackers have now set up their own infrastructure, registering domains through Cloudflare. When users click on a malicious ad, they are prompted to enter their email and receive a document link from lawyer@skhm.org. The downloaded file, disguised as a nondisclosure agreement, contains a zipped JavaScript file that, when executed, installs Gootloader.
It creates a scheduled task, runs PowerShell to collect system data and sends it to attacker-controlled domains, some of which forward information to a Russian command-and-control server.
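The infection chain above, turned into endpoint detection logic as an added example in Python (not code from the article or any vendor): it maps process-creation events to three stages, a script host running a .js file straight out of a zip archive, schtasks.exe creating a task from that script host, and PowerShell launched by the script host or by the Task Scheduler service, and alerts only when all three occur on one host within an hour, since any single stage on its own is common in normal use. The event fields imitate Sysmon process-creation records, the host, user, file and task names are fictional, the one-hour window is an assumption, and every sample event is constructed.

```python
"""Correlate process-creation events for a Gootloader-style chain: a
JavaScript file run out of a zip, a scheduled task for persistence, then
PowerShell collecting and sending data.

Added example, not code from the article or any vendor. Event fields mimic
Sysmon process-creation records, but every event below is constructed and
the host, user, file and task names are fictional. The Temp1_<name>.zip
folder under %TEMP% is where Windows Explorer stages a file opened directly
from inside a zip archive.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
CHAIN = ("js_from_zip", "scheduled_task", "powershell")
# A .js launched from an Explorer zip-extraction folder under %TEMP%.
JS_FROM_ZIP_RE = re.compile(r"\\Temp\\Temp\d*_[^\\]+\.zip\\[^\\]+\.js\b", re.I)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def stage_of(ev):
    """Map one process-creation event to a chain stage, or None."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
    if image in SCRIPT_HOSTS and JS_FROM_ZIP_RE.search(cmd):
        return "js_from_zip"
    if image == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
        return "scheduled_task"
    # The task later runs under the Task Scheduler service (svchost.exe);
    # a script host spawning PowerShell directly is covered as well.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS + ("svchost.exe",):
        return "powershell"
    return None


def correlate(events, window=3_600):
    """Alert only when all three stages occur on one host within `window`
    seconds of the initial script launch (window is an assumed value)."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in sorted(by_host.items()):
        seen = {}  # stage -> timestamp for the chain currently being tracked
        for ev in sorted(evs, key=lambda e: e["ts"]):
            stage = stage_of(ev)
            if stage == "js_from_zip":
                seen = {stage: ev["ts"]}  # start (or restart) a chain
            elif stage and "js_from_zip" in seen and ev["ts"] - seen["js_from_zip"] <= window:
                seen.setdefault(stage, ev["ts"])
            if all(s in seen for s in CHAIN):
                alerts.append({"host": host,
                               "stages": sorted(seen, key=seen.get),
                               "first_ts": seen["js_from_zip"], "last_ts": ev["ts"]})
                seen = {}
    return alerts


# Constructed sample events (Sysmon-like fields, fictional values).
SAMPLE_EVENTS = [
    # ws-legal-01: full chain from a fake "NDA" zip.
    {"host": "ws-legal-01", "ts": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_nda_agreement.zip\nda_agreement.js"'},
    {"host": "ws-legal-01", "ts": 1004, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "ExampleUpdater" /tr "wscript.exe C:\Users\jdoe\AppData\Roaming\ExampleUpdater\update.js" /sc onlogon'},
    {"host": "ws-legal-01", "ts": 1300, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\jdoe\AppData\Roaming\ExampleUpdater\collect.ps1"},
    # ws-legal-02: a script run from the Desktop, not from a zip; no task, no PowerShell.
    {"host": "ws-legal-02", "ts": 2000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\asmith\Desktop\cleanup.js"'},
    # ws-legal-03: ordinary scheduled PowerShell with no preceding script stage.
    {"host": "ws-legal-03", "ts": 3000, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The chain requirement is the point: script hosts, schtasks.exe and PowerShell under svchost.exe each fire constantly on a normal Windows fleet, so the signal is the sequence on one host, anchored on the unusual first stage of a .js file executing from inside a zip.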
Gootloader, active since 2014, is used for data theft and often precedes ransomware attacks. While primarily targeting law firms, the group has previously used SEO poisoning against other victims including Bengal cat enthusiasts in Australia.
GCHQ Intern Pleads Guilty to Stealing Top Secret Data
A 25-year-old student who had been on a placement at British intelligence agency Government Communications Headquarters pleaded guilty to illegally taking classified information home, the BBC reported. Hasaan Arshad admitted at London’s Old Bailey that on Aug. 24, 2022, he smuggled his phone into a secure GCHQ area, downloaded top secret data – including staff names – and transferred it to a hard drive at home.
Prosecutors say Arshad stole a highly valuable intelligence tool just two days before his year-long placement ended. Investigators later found he had also created two indecent images of a child that month, to which he pleaded guilty in 2023. Discussions on his phone referenced “bug bounties” and payments for leaked data, although he denied financial motives, claiming he acted out of curiosity.
His lawyer argued the crime was reckless, not malicious. Currently free on bail, Arshad is banned from accessing the dark web. Sentencing is set for June 13, with a potential prison term.
Hacker Challenges Check Point’s Breach Denial With Alleged Data Leak
Check Point continued to reject claims from a hacker going by “CoreInjection” that the cybersecurity firm suffered a major breach. CoreInjection on Sunday posted on hacking forum BreachForums an offer to sell data including internal network maps, user credentials and proprietary source code purportedly stolen from the Israeli cybersecurity firm. Check Point was quick to dismiss the claim as “an old, known and very pinpointed event,” which involved only a few organizations and portals that do not include customers’ systems, production or security architecture (see: Check Point Breach ‘Very Pinpointed Event’).
CoreInjection followed up with another post on Tuesday asserting that he had stolen the sensitive information of more than 18,000 users, along with a new sample of emails apparently tied to Check Point Infinity Portal usernames.
“None of the information in the post was leaked from Check Point. All of it was probably collected over time by infostealers on individuals’ devices,” Check Point responded in an email. Logging into the Infinity Portal requires multifactor authentication, the company also stressed. It was equally dismissive of a purported breach notification posted online by CoreInjection.
“Anyone can see this is a fake email, from a non-existent Check Point account, describing a breach which never occurred, violating privacy practices, using emails taken from the email bulk described above, while even misspelling Check Point’s name,” the company said.
Google Rolls Out End-to-End Encryption for Gmail
Google introduced end-to-end encryption for Gmail enterprise users, enabling encrypted emails to be sent to any recipient without complex certificate requirements. Unlike S/MIME (Secure/Multipurpose Internet Mail Extensions), which requires certificates to be deployed and exchanged between parties, Gmail’s E2EE simplifies encryption for both IT teams and end users.
The phased rollout starts with encrypted emails within the same organization, expanding to all Gmail inboxes in the coming weeks and other email platforms later this year. Users can enable encryption with an “Additional encryption” option, and Gmail recipients with enterprise or personal accounts will see messages decrypted automatically. Non-Gmail users will receive a secure link to access messages.
Powered by Google’s client-side encryption, this model allows organizations to store encryption keys outside Google’s servers. Gmail CSE has been available for enterprise and education customers since 2023, following an earlier beta launch for Google Drive, Docs and other Workspace services.
Apple Backports Zero-Day Fixes, Releases New Security Updates
Apple backported fixes for three actively exploited vulnerabilities to older iOS, iPadOS and macOS versions. The first, CVE-2025-24200, enabled forensic tools to bypass USB Restricted Mode on locked devices. The second, CVE-2025-24201, enabled WebKit sandbox escapes in highly sophisticated attacks. Both are now patched in iOS 16.7.11, 15.8.4 and equivalent iPadOS versions.
The third flaw, CVE-2025-24085, a Core Media privilege escalation bug, was initially fixed in January and is now patched in iPadOS 17.7.6, macOS Sonoma 14.7.5 and Ventura 13.7.5.
Alongside backports, Apple released security updates for its latest OS versions. iOS and iPadOS 18.4 address 77 flaws, including root privilege escalation CVE-2025-30456. macOS Sequoia 15.4 fixed 123 vulnerabilities, including a kernel-level arbitrary code execution flaw – CVE-2025-24228. Safari 18.4 resolved 13 WebKit issues.
Dutch Public Prosecution Service Cuts Internet Access Amid Security Concerns
The Dutch Public Prosecution Service disconnected from the internet on Friday due to a potential IT security incident. A crisis management team is investigating the situation. This action follows reports of prolonged IT issues within the service hindering judicial processes, including difficulties with email communications and accessing digital case files. The Ministry of Justice and Security is monitoring the investigation’s progress. Officials have not disclosed the nature of the incident. As of now, there are no indications that other organizations within the ministry are affected.
With reporting by Information Security Media Group’s David Perera in Washington, D.C.