Storm-2754

Storm-2754 is the Microsoft-tracked component of Forest Blizzard associated with a campaign exploiting vulnerable SOHO and home routers since at least August 2025. Forest Blizzard is described in the source content as a Russian military-linked threat actor that primarily conducts intelligence collection in support of Russian government foreign policy initiatives. In this activity, Storm-2754/Forest Blizzard compromised routers and modified DNS settings to use actor-controlled resolvers, causing thousands of downstream devices to send DNS requests to malicious infrastructure. Microsoft reported more than 200 organizations and 5,000 consumer devices affected, including victims in government, information technology, telecommunications, and energy sectors. Microsoft assessed that this activity provided persistent, passive reconnaissance visibility at scale and enabled selective adversary-in-the-middle operations. The actor was assessed as almost certainly using the legitimate dnsmasq utility to perform DNS resolution and listen on port 53. In most observed cases, DNS requests were transparently proxied to legitimate services, but in a limited number of targeted compromises the actor spoofed DNS responses for selected domains and redirected victims to actor-controlled infrastructure. Microsoft observed spoofing of Microsoft Outlook on the web and separate AiTM activity targeting non-Microsoft-hosted servers in at least three government organizations in Africa. In those cases, invalid TLS certificates were presented; if victims ignored certificate warnings, the actor could intercept plaintext traffic within the TLS session. Microsoft stated this was the first observed instance of Forest Blizzard using DNS hijacking at scale to support TLS AiTM operations after exploiting edge devices. Known alias in the provided content: Storm-2754. The activity is explicitly linked to Forest Blizzard.