Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Summary

Russian state-linked APT28 (Forest Blizzard) compromised over 18,000 SOHO routers across 120+ countries since May 2025 in a campaign codenamed FrostArmada, modifying DNS settings to hijack traffic and conduct man-in-the-middle attacks. The campaign targeted government agencies and enterprise email/cloud providers, stealing credentials including OAuth tokens through malicious DNS redirection. Joint U.S. and international law enforcement disrupted the infrastructure in early 2026.

Full text

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign Ravie LakshmananApr 07, 2026Network Security / Botnet The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed FrostArmada by Lumen's Black Lotus Labs, with Microsoft describing it as an effort to exploit vulnerable home and small office (SOHO) internet devices to hijack DNS traffic and enable passive collection of network data. "Their technique modified DNS settings on compromised routers to hijack local network traffic to capture and exfiltrate authentication credentials," Black Lotus Labs said in a report shared with The Hacker News. "When targeted domains were requested by a user, the actor redirected traffic to an attacker-in-the-middle (AitM) node, where those credentials were harvested and exfiltrated. This approach enabled a nearly invisible attack that required no interaction from the end user." The infrastructure associated with the campaign has been disrupted and taken offline as part of a joint operation in collaboration with the U.S. Department of Justice, Federal Bureau of Investigation, and other international partners. The activity is assessed to have commenced as far back as May 2025 in a limited capacity, followed by widespread router exploitation and DNS redirection commencing in early August. At its peak in December 2025, more than 18,000 unique IP addresses from no less than 120 countries were found communicating with APT28 infrastructure. These efforts primarily singled out government agencies, such as ministries of foreign affairs, law enforcement, and third-party email and cloud service providers across North African, Central American, Southeast Asian, and European countries. The Microsoft Threat Intelligence team, in its analysis of the campaign, attributed the activity to APT28 and its sub-group tracked as Storm-2754. The tech giant said it identified more than 200 organizations and 5,000 consumer devices impacted by the threat actor's malicious DNS infrastructure. "For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale," Redmond said. "By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments." The DNS hijacking activity has also facilitated AitM attacks that made it possible to facilitate the theft of passwords, OAuth tokens, and other credentials for web and email-related services, putting organizations at risk of broader compromise. The development marks the first time the adversarial collective has been observed using DNS hijacking at scale to support AiTM of Transport Layer Security (TLS) connections after exploiting edge devices, Microsoft added. At a high level, the attack chain involves APT28 gaining remote administrative access to SOHO devices and changing default network configurations to use DNS resolvers under its control. The malicious reconfiguration causes the devices to send their DNS requests to actor-controlled servers. This, in turn, causes DNS lookups for email applications or login pages to be resolved by the malicious DNS server. The threat actor then attempts to conduct AitM attacks against those connections to steal user account credentials by tricking the victims into connecting to malicious infrastructure. Some of these domains are associated with Microsoft Outlook on the web. Microsoft said it also identified AitM activity aimed at non-Microsoft hosted servers in at least three government organizations in Africa. "It is believed that the DNS hijacking operations are opportunistic in nature, with the actor gaining visibility of a large pool of candidate target users then filtering down users at each stage in the exploitation chain to triage for victims of likely intelligence value," the U.K. National Cyber Security Centre (NCSC) said. APT28 is said to have exploited TP-Link WR841N routers for its DNS poisoning operations by likely taking advantage of CVE-2023-50224 (CVSS score: 6.5), an authentication bypass vulnerability that could be used to extract stored credentials via specially crafted HTTP GET requests. A second cluster of servers has been found to receive DNS requests via compromised routers and subsequently forward them to remote actor-owned servers. This cluster is also assessed to have engaged in interactive operations targeting a small number of MikroTik routers located in Ukraine. "Forest Blizzard's DNS hijacking and AitM activity allows the actor to conduct DNS collection on sensitive organizations worldwide and is consistent with the actor's longstanding remit to collect espionage against priority intelligence targets," Microsoft said. "Although we have only observed Forest Blizzard utilizing their DNS hijacking campaign for information collection, an attacker could use an AiTM position for additional outcomes, such as malware deployment or denial of service." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  APT28, botnet, cyber espionage, DNS hijacking, DOJ, Fancy Bear, FBI, Forest Blizzard, Lumen Technologies, Microsoft, network security, Threat Intelligence Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• cve — CVE-2023-50224
• malware — APT28
• malware — Storm-2754

Entities