Hi All
Fascinating breakdown on this threat and how it works.
Standard DNS fluxing or fast-fluxing, is a technique threat actors use to rapidly rotate infrastructure by regularly changing the IP address their C2 domain points to in public DNS records. Hive0051 has adopted the novel use of multiple channels to store DNS records as opposed to a traditional DNS record configuration. In this methodology, public Telegram channels and Telegraph sites are essentially used as DNS servers and are fluxed in synchrony together with the DNS records. This enables Hive0051 to fallback to secondary channels in order to resolve the currently active C2 server, should the domain be blocked via any of the other channels.
https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/
Regards
Caute_Cautim