News

APT28 Turns Vulnerable Routers into a Global DNS Hijacking and Espionage Network

A Russia-linked cyber espionage group, widely tracked as APT28, has been linked to a large-scale campaign that compromises home and small-office routers to carry out DNS hijacking and covert data collection. Active since at least mid-2025, the operation exploits insecure edge devices to gain long-term, low-visibility access to the traffic that passes through them.

The campaign, dubbed FrostArmada, compromised routers from vendors including MikroTik and TP-Link by exploiting known vulnerabilities and weak configurations. Once inside, the attackers changed the routers' DNS settings so that devices behind them sent their name lookups to resolvers under attacker control, which could then answer with attacker-chosen addresses for any domain of interest.

This manipulation let the attackers intercept and monitor network activity without any direct interaction with victims. When a user tried to reach a legitimate site, such as a webmail or login portal, the poisoned resolver returned the address of attacker-controlled infrastructure, and the connection was silently established there instead. Through these attacker-in-the-middle techniques, credentials, session cookies and authentication tokens could be captured and exfiltrated.

At its peak in late 2025, the campaign involved over 18,000 compromised IP addresses across more than 120 countries, highlighting its global scale. The targets primarily included government institutions, law enforcement bodies, ministries of foreign affairs, and organizations linked to critical infrastructure, as well as cloud and email service providers.

Investigations revealed that attackers leveraged compromised routers as a stepping stone, enabling them to monitor upstream traffic and potentially pivot into larger enterprise environments. By controlling DNS resolution at the network edge, they achieved persistent and passive visibility into communications, making the attack both efficient and difficult to detect.

The operation also marked a significant evolution in tactics, representing one of the first known large-scale uses of DNS hijacking to set up attacker-in-the-middle positions against encrypted web traffic. In some cases the attackers relied on lookalike domains that mimicked legitimate services, so that users submitted credentials to the impostor without noticing anything amiss.

Authorities, including international law enforcement agencies, successfully disrupted parts of the infrastructure through a coordinated operation known as Operation Masquerade. This effort dismantled sections of the malicious network and reduced its operational reach.

Technical analysis further indicated that the attackers exploited vulnerabilities in specific router models to bypass authentication and extract stored credentials. The compromised devices were then used to redirect DNS queries to attacker-controlled resolvers, where the queries were filtered so that only traffic of intelligence value was diverted; everything else was resolved normally, which kept the hijack inconspicuous.
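The redirection mechanism described above (a router advertising an attacker-controlled resolver, which answers with attacker addresses only for selected domains) can be checked from the LAN side without trusting the router. The following Python is an added example, not code from the article or from the investigators. Every address, domain and resolver allow-list in it is constructed; it assumes the router's advertised DNS servers and its answers for a few high-value names have already been collected (for instance from a DHCP lease and a handful of lookups) into the `RouterDnsState` structure, and that the reference answers were obtained out of band from a resolver the router cannot influence.

```python
"""Detect router-level DNS hijacking from the LAN side.

Added example, not from the article or any vendor. Two independent checks:
  1. does the router advertise a resolver that is neither on the allow-list
     nor a LAN-local forwarder?
  2. do the answers it returns for high-value domains contain addresses the
     trusted reference never returned?
All addresses, domains and allow-lists below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allow-list: public resolvers the router is permitted to advertise.
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1", "8.8.8.8"}

# RFC 1918 ranges, listed explicitly. ipaddress.is_private() would also mark
# the documentation ranges (192.0.2.0/24 etc.) as private, and those stand in
# for public attacker addresses in this example, so we do not use it.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed reference answers, gathered out of band (e.g. DoH to a trusted
# resolver) for domains an attacker would want to intercept.
TRUSTED_ANSWERS = {
    "mail.example.gov": {"203.0.113.10", "203.0.113.11"},
    "login.example.gov": {"203.0.113.20"},
    "portal.example.org": {"198.51.100.5"},
}


@dataclass
class RouterDnsState:
    """Snapshot of one router's DNS posture as seen from the LAN."""
    advertised_resolvers: list[str]   # DNS servers pushed to clients via DHCP
    answers: dict[str, set[str]]      # name -> A records the router's resolver returned


def classify_resolver(addr: str) -> str:
    """'trusted' (allow-listed), 'local' (LAN forwarder; check its upstream on
    the device itself) or 'rogue' (unknown public resolver)."""
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LAN_NETWORKS):
        return "local"
    return "rogue"


def rogue_resolvers(state: RouterDnsState) -> list[str]:
    """Public resolvers the router advertises that are not on the allow-list."""
    return [r for r in state.advertised_resolvers if classify_resolver(r) == "rogue"]


def hijacked_domains(state: RouterDnsState) -> list[tuple[str, list[str]]]:
    """Domains whose answers include addresses the trusted reference never gave."""
    findings = []
    for name, got in state.answers.items():
        expected = TRUSTED_ANSWERS.get(name)
        if expected is None:
            continue  # no reference answer for this name, cannot judge it
        unexpected = sorted(got - expected)
        if unexpected:
            findings.append((name, unexpected))
    return findings


def assess(state: RouterDnsState) -> dict:
    """Combine both checks into one verdict for a router."""
    rogue = rogue_resolvers(state)
    hijacked = hijacked_domains(state)
    return {
        "rogue_resolvers": rogue,
        "hijacked_domains": hijacked,
        "compromised": bool(rogue or hijacked),
    }


# Constructed snapshots: a clean router that forwards DNS itself, and one whose
# DHCP now hands out an attacker resolver (192.0.2.53, constructed) alongside a
# legitimate one, and which answers mail.example.gov with an attacker address.
CLEAN = RouterDnsState(
    advertised_resolvers=["192.168.88.1"],
    answers={"mail.example.gov": {"203.0.113.10"},
             "login.example.gov": {"203.0.113.20"}},
)
HIJACKED = RouterDnsState(
    advertised_resolvers=["192.0.2.53", "9.9.9.9"],
    answers={"mail.example.gov": {"192.0.2.80"},
             "login.example.gov": {"203.0.113.20"}},
)

if __name__ == "__main__":
    for label, state in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, assess(state))
```

The second snapshot shows why both checks are needed: the hijacked router still advertises a trusted resolver, and still answers `login.example.gov` correctly, so a single lookup or a glance at one DHCP option would pass. A `local` verdict is not a clean bill of health either; it only means the router forwards queries itself, so the upstream servers in its own configuration have to be inspected on the device.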

Overall, the campaign shows how nation-state actors increasingly target less-secured edge devices to build scalable surveillance systems. By exploiting widely deployed consumer and small-business hardware that is rarely patched or monitored, attackers can assemble powerful and stealthy platforms for global espionage while remaining largely undetected.

1 Comment

  • This campaign highlights a dangerous shift toward targeting everyday network devices as entry points for large-scale espionage. By exploiting weakly secured routers, attackers can silently intercept sensitive data without alerting end users. It’s a strong reminder to regularly update router firmware, change default credentials, and monitor network configurations to reduce the risk of such stealthy compromises.
