Infoblox Links Global Router DNS Hijacking to Aeza International Bulletproof Hosting
Infoblox researchers reported a widespread DNS hijacking campaign targeting outdated consumer/home routers across more than three dozen countries, where attackers compromise devices and change router-level DNS settings to silently redirect all connected users’ traffic. The manipulated DNS queries are sent to malicious resolvers hosted by Aeza International, a Russian bulletproof hosting provider that the US sanctioned in July 2025, allowing threat actors to control where victims are routed while keeping common destinations working to reduce suspicion.
The infrastructure reportedly uses a two-stage redirection chain: DNS traffic is forwarded into an HTTP-based Traffic Distribution System (TDS) that first verifies the request originates from a compromised router and then fingerprints/filters victims before sending them onward—often into advertising/affiliate networks that can lead to scams or malicious sites. Analysts also described an evasion behavior where the rogue resolvers may only respond under specific query conditions (e.g., when EDNS0 is disabled), complicating reproduction and detection; user-visible symptoms included selective site failures and persistent redirects that victims often misattributed to endpoints rather than the router.
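The EDNS0-conditional behaviour described above, and the router DNS audit the researchers recommended, can be checked directly from a host behind the router. The block below is an added example, not Infoblox's code or tooling: it sends the same A query to a resolver with and without an OPT record and flags a resolver that answers only when EDNS0 is absent or that returns addresses differing from a trusted resolver. The resolver address, query name and the SAMPLE_REPLY bytes are constructed assumptions.

```python
import socket
import struct
from typing import List, Optional
def build_query(name: str, edns0: bool, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query; with edns0=True an OPT pseudo-RR (type 41, UDP size 4096) is appended."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    opt = (b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)) if edns0 else b""
    return header + qname + struct.pack(">HH", 1, 1) + opt

def _skip_name(msg: bytes, off: int) -> int:  # advance past a (possibly compressed) domain name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # a compression pointer is the last two bytes of the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg: bytes) -> List[str]:  # A addresses in the answer section of a reply
    qd, an = struct.unpack(">HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def probe(resolver_ip: str, name: str, edns0: bool, timeout: float = 2.0) -> Optional[bytes]:
    """One UDP query to resolver_ip:53; None means no reply before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns0), (resolver_ip, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def classify(reply_edns: Optional[bytes], reply_noedns: Optional[bytes], trusted: List[str]) -> str:
    """Verdict from both probes; `trusted` is the A set a known-good resolver returned for the name."""
    if reply_edns is None and reply_noedns is not None:
        return "suspicious: answers only when EDNS0 is disabled"
    if reply_noedns is not None and parse_a_records(reply_noedns) != trusted:
        return "suspicious: answers differ from trusted resolver"
    return "normal" if reply_edns or reply_noedns else "unreachable"
# Constructed reply, not captured from the campaign: example.com A 203.0.113.5, name compressed to offset 12.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5]))
```

Call probe() twice against the router's configured DNS server (edns0 True and False) and once against a trusted resolver, then pass the replies to classify(); a hijacked router typically reports the resolver as its own LAN address, so check the resolver the router itself forwards to as well.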

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
UK NCSC attributes router hijacking campaign to APT28
The UK National Cyber Security Centre warned that the Russian state-linked group APT28 had been compromising vulnerable SOHO routers since 2024, manipulating DNS and DHCP settings to redirect traffic through attacker-controlled infrastructure for adversary-in-the-middle spying and credential theft. The advisory said the activity affected devices including TP-Link and MikroTik routers and appeared initially opportunistic before focusing on selected targets, including some in Ukraine.
Infoblox identifies and discloses the shadow DNS campaign
Infoblox analysts correlated user complaints about abnormal browsing with anomalous DNS patterns and revealed that the campaign used Aeza-hosted resolvers, an HTTP-based traffic distribution system, and EDNS0 evasion to avoid detection. Researchers recommended auditing router DNS settings, updating firmware, and replacing unsupported hardware.
Attackers hijack outdated home routers' DNS settings
In a long-running global campaign, attackers compromised vulnerable end-of-life home routers and changed their DNS settings, affecting users in more than three dozen countries. The altered settings redirected all devices behind the routers through malicious resolvers while often leaving normal browsing behavior seemingly unchanged.
U.S. sanctions Aeza International
The U.S. government sanctioned Aeza International, a Russian bulletproof hosting provider later linked to malicious DNS resolvers used in the router hijacking campaign.
Sources
4 references tracked.
Russian hackers hijack internet traffic using vulnerable routers - Help Net Security (helpnetsecurity.com)
Global DNS hijacking campaign exploits old home routers | SC Media (scworld.com)
Sanctioned Bulletproof Host Linked to Hijacking of Old Home Routers (hackread.com)
Shadow DNS Hacking Routers Internet Traffic Through Compromised Routers (cybersecuritynews.com)