Forest Blizzard Hijacks SOHO Router DNS to Enable Adversary-in-the-Middle Attacks
Microsoft said the Russian military-linked threat actor Forest Blizzard (APT28/Strontium) has compromised vulnerable home and small-office routers since at least August 2025, changing DNS settings to route traffic through attacker-controlled resolvers. The campaign affected more than 200 organizations and 5,000 consumer devices across government, IT, telecommunications, and energy, turning edge devices into covert infrastructure and giving the actor passive visibility into victims’ DNS traffic.
For selected high-value targets, the operation escalated into adversary-in-the-middle attacks in which spoofed DNS responses redirected users to systems presenting invalid TLS certificates for legitimate services, including Microsoft Outlook on the web and government servers. Microsoft said confirmed AiTM activity included non-Microsoft government targets in at least three African countries, while stressing that no Microsoft-owned assets or services were compromised; the company urged defenders to patch and harden routers, replace default credentials, audit DNS settings, and train users not to bypass certificate warnings.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
FBI, NSA, and 15-country partners issue router security guidance
Following the disruption of the GRU-linked router botnet, the FBI, NSA, and partners from 15 countries issued a public service announcement urging users to replace unsupported routers, update firmware, verify DNS settings, disable internet-exposed remote management, and change default credentials. The guidance was aimed at reducing continued risk from compromised SOHO routers used in the APT28/Forest Blizzard espionage campaign.
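An added example, not from Microsoft, the FBI or any of the page's sources, of the two checks the guidance above asks for: comparing the resolvers a router hands out over DHCP against a defender's allowlist, and cross-checking answers from that resolver against a trusted out-of-band resolver together with the certificate each returned address serves. All resolver addresses, DNS answers and certificate subjectAltName lists are constructed sample data.

```python
import ipaddress

# Constructed sample data: resolvers the router advertises via DHCP, the
# defender's allowlist, A records from the router's resolver vs. a trusted
# resolver, and the subjectAltName list presented by each returned address.
ROUTER_DHCP_DNS = ["203.0.113.7", "192.168.1.1"]
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}
ROUTER_ANSWERS = {
    "outlook.office.com": {"203.0.113.20"},
    "mail.example.gov": {"203.0.113.21"},
    "www.example.org": {"198.51.100.5"},
}
TRUSTED_ANSWERS = {
    "outlook.office.com": {"198.51.100.10", "198.51.100.11"},
    "mail.example.gov": {"203.0.113.21"},
    "www.example.org": {"198.51.100.6"},
}
SERVED_CERT_SANS = {
    "203.0.113.20": ["*.mitm.example"],
    "198.51.100.5": ["www.example.org", "example.org"],
    "198.51.100.6": ["*.example.org"],
}


def unexpected_resolvers(dhcp_dns, allowlist):
    """Resolvers the router hands out that are not on the allowlist."""
    normalized = [str(ipaddress.ip_address(r)) for r in dhcp_dns]
    return [r for r in normalized if r not in allowlist]


def hostname_matches_san(hostname, sans):
    """Exact match, or one leftmost-label wildcard (RFC 6125 style)."""
    host = hostname.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


def suspicious_names(router_answers, trusted_answers, cert_sans):
    """Names whose router-resolved addresses share nothing with the trusted
    answer AND whose served certificate does not cover the name. CDN rotation
    makes address divergence alone noisy; the certificate mismatch confirms."""
    findings = {}
    for name, addrs in router_answers.items():
        if addrs & trusted_answers.get(name, set()):
            continue  # overlapping answers: no sign of a spoofed response
        bad = [a for a in addrs if not hostname_matches_san(name, cert_sans.get(a, []))]
        if bad:
            findings[name] = sorted(bad)
    return findings
```

A divergent answer backed by a certificate that does cover the name (www.example.org above) is treated as benign CDN rotation, so only the resolver and the name whose address serves a non-matching certificate are reported.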
Germany's BfV warns APT28 compromised routers in Germany
On April 8, 2026, Germany's Federal Office for the Protection of the Constitution, together with BND and the FBI, warned that APT28 had compromised vulnerable TP-Link routers for espionage. The agency said several thousand routers were targeted worldwide, including about 30 vulnerable devices in Germany, and confirmed some compromises that led operators to replace affected routers.
UK NCSC discloses two APT28 router-based credential theft campaigns
The UK National Cyber Security Centre warned of two Russian-linked APT28/Forest Blizzard campaigns abusing compromised SOHO routers for DNS hijacking and adversary-in-the-middle credential theft. It said one cluster altered DHCP DNS settings while another used compromised MikroTik and TP-Link routers to forward DNS traffic through actor-controlled infrastructure, including activity focused on MikroTik routers in Ukraine.
FBI resets malicious DNS settings on compromised TP-Link routers
As part of Operation Masquerade, the FBI carried out a court-authorized technical operation against the U.S. portion of the APT28/Forest Blizzard router network, resetting malicious DNS settings on compromised TP-Link SOHO routers to legitimate ISP resolvers and blocking the attackers’ original access method. The DOJ said affected routers were located in more than 23 U.S. states and that the action was designed not to disrupt normal router functionality or collect users’ content.
DOJ, FBI, and partners disrupt APT28 malicious infrastructure
A joint operation involving the U.S. Department of Justice, the FBI, and international partners disrupted the malicious infrastructure used in the APT28/Forest Blizzard DNS hijacking campaign. The action targeted infrastructure supporting the compromise of SOHO routers and downstream espionage activity.
Microsoft publicly discloses the campaign and attribution
On April 7, 2026, Microsoft Threat Intelligence publicly reported the campaign, attributing it to Forest Blizzard, a Russian military-linked threat actor also known as APT28 or Strontium. Microsoft said it was the first observed instance of the group using DNS hijacking at scale to support TLS AiTM operations after edge-device exploitation and noted no Microsoft-owned assets or services were compromised.
Forest Blizzard conducts selective AiTM attacks via spoofed DNS responses
In selected cases, the actor escalated from passive DNS collection to adversary-in-the-middle attacks by spoofing DNS responses for Outlook on the web and certain government servers, including activity affecting targets in at least three African nations. Victims were presented invalid TLS certificates, allowing interception of plaintext traffic if certificate warnings were ignored.
DNS hijacking campaign affects thousands of devices and hundreds of organizations
Over the course of the campaign, the router compromises led to DNS hijacking impacting more than 200 organizations and 5,000 consumer devices across government, IT, telecommunications, and energy sectors. Microsoft said this represented large-scale abuse of edge devices for downstream victim visibility.
FrostArmada peaks with 18,000 infected routers across 120 countries
At its peak in December 2025, the APT28-attributed FrostArmada campaign had compromised about 18,000 MikroTik and TP-Link SOHO routers in 120 countries. The operation primarily targeted government agencies, law enforcement organizations, and IT providers by altering DNS settings to enable adversary-in-the-middle credential and token theft.
Forest Blizzard begins exploiting vulnerable SOHO routers
Microsoft assessed that, since at least August 2025, Forest Blizzard had been compromising vulnerable home and small-office routers and changing their DNS settings to actor-controlled resolvers. The activity turned the devices into covert malicious infrastructure for intelligence collection.
APT28 begins router campaign exploiting TP-Link flaw CVE-2023-50224
The IC3 advisory says Russian GRU actors behind APT28/Forest Blizzard had been exploiting vulnerable SOHO routers worldwide since at least 2024, including TP-Link devices vulnerable to CVE-2023-50224. The compromises enabled changes to DHCP and DNS settings that supported later DNS hijacking and adversary-in-the-middle operations.