Authorities Disrupt APT28 Router DNS Hijacking Used to Steal Microsoft 365 Credentials
Authorities and private-sector partners disrupted an APT28 campaign known as FrostArmada that hijacked DNS traffic on compromised SOHO routers to steal Microsoft 365 credentials and OAuth tokens. Investigators said the operation abused MikroTik, TP-Link, some Nethesis, and older Fortinet devices, redirecting authentication traffic through attacker-controlled VPS infrastructure to perform adversary-in-the-middle interception. Microsoft and Lumen Black Lotus Labs traced the activity, identified victims, and supported action by the FBI, the U.S. Department of Justice, and Polish authorities to take malicious infrastructure offline. At its peak in December 2025, the campaign had infected about 18,000 devices in 120 countries and affected government agencies, law enforcement, IT and hosting providers, and organizations running their own servers.
The disruption comes amid broader warnings that Russia-linked Fancy Bear—also tracked as APT28, Forest Blizzard, and Pawn Storm—continues global cyber-espionage and disruptive operations. Recent reporting tied the group not only to router-based DNS hijacking, including abuse of TP-Link devices and exploitation of CVE-2023-50224, but also to NTLMv2 hash relay attacks leveraging Outlook flaw CVE-2023-23397 and malware activity targeting Ukraine’s defense supply chain and allied countries. Security guidance from Microsoft, the UK NCSC, researchers, and government agencies urged organizations to harden routers, patch internet-facing systems, enable MFA, reduce external exposure, remove end-of-life equipment, and adopt certificate pinning and zero-trust controls to limit credential theft and follow-on compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Trend Micro details APT28 Prismex and Outlook hash-relay activity
Trend Micro reported two notable APT28 activity clusters: a Prismex malware campaign targeting Ukraine's defense supply chain and allied countries, and NTLMv2 hash relay attacks exploiting Outlook flaw CVE-2023-23397 to steal authentication material.
Law enforcement disrupts FrostArmada infrastructure
The FBI, the U.S. Department of Justice, and the Polish government, supported by private-sector partners, took the malicious infrastructure used in the router-based DNS hijacking campaign offline.
Microsoft and Lumen map FrostArmada victims and infrastructure
Microsoft and Lumen Technologies' Black Lotus Labs analyzed the campaign, mapped its attacker-controlled VPS infrastructure, and identified victims affected by the adversary-in-the-middle credential theft activity.
FrostArmada peaks with 18,000 infected devices in 120 countries
At its peak in December 2025, the DNS hijacking operation had infected 18,000 devices across 120 countries and was targeting government agencies, law enforcement, IT and hosting providers, and organizations running their own servers.
APT28 launches FrostArmada DNS hijacking campaign
Russia-linked APT28 began a campaign dubbed FrostArmada that compromised primarily MikroTik and TP-Link SOHO routers, along with some Nethesis and older Fortinet devices, to hijack DNS traffic and intercept Microsoft 365 authentication flows for credential and OAuth token theft.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Forest Blizzard Hijacks SOHO Router DNS to Enable Adversary-in-the-Middle Attacks
Microsoft said the Russian military-linked threat actor **Forest Blizzard** (`APT28`/`Strontium`) has compromised vulnerable home and small-office routers since at least August 2025, changing DNS settings to route traffic through attacker-controlled resolvers. The campaign affected more than **200 organizations** and **5,000 consumer devices** across government, IT, telecommunications, and energy, turning edge devices into covert infrastructure and giving the actor passive visibility into victims’ DNS traffic. For selected high-value targets, the operation escalated into **adversary-in-the-middle** attacks in which spoofed DNS responses redirected users to systems presenting invalid TLS certificates for legitimate services, including **Microsoft Outlook on the web** and government servers. Microsoft said confirmed AiTM activity included non-Microsoft government targets in at least three African countries, while stressing that no Microsoft-owned assets or services were compromised; the company urged defenders to patch and harden routers, replace default credentials, audit DNS settings, and train users not to bypass certificate warnings.
Apr 15, 2026
APT28 Router DNS Hijacking Campaign Disrupted by FBI
The FBI disrupted an **APT28** operation that compromised internet-connected routers to enable **DNS hijacking**, according to reporting citing U.S. and UK government findings. The campaign abused vulnerable edge devices to alter DNS settings and redirect traffic, giving the Russian state-linked group a way to intercept victim communications, harvest credentials, and support follow-on espionage activity. The activity was significant enough to prompt public warnings from the FBI and the UK **NCSC**, which described router exploitation as a key enabler for the hijacking operations. Government guidance tied the operation to exploitation of routers exposed to the internet and urged organizations to harden perimeter infrastructure by patching devices, restricting remote administration, rotating credentials, and reviewing DNS configurations for unauthorized changes. The disclosures underscore how Russian espionage actors continue to rely on stealthy network-level tradecraft—using compromised infrastructure rather than malware alone—to persist in victim environments and covertly redirect or monitor traffic.
May 25, 2026
FBI disrupts GRU router botnets used for espionage and DNS hijacking
The FBI and Justice Department said they disrupted multiple Russian GRU operations that hijacked small office/home office routers to conceal espionage activity, proxy malicious traffic, and steal credentials. In one court-authorized action, **Operation Dying Ember**, agents remotely accessed hundreds of compromised **Ubiquiti EdgeOS** routers infected with **Moobot**, deleted malware and related files, and temporarily changed firewall rules to cut off **APT28**—also tracked as **Fancy Bear**, **Sednit**, and **Forest Blizzard**—without disrupting normal device use. Officials said the botnet had originally been built by cybercriminals abusing internet-exposed routers with default administrator passwords before being repurposed by Russia’s **GRU Unit 26165**. U.S. authorities later said a related GRU campaign also compromised SOHO routers, including **TP-Link** devices, to alter **DNS** settings and conduct adversary-in-the-middle attacks against **TLS** sessions, including Outlook traffic, in operations affecting government, IT, telecommunications, and energy targets. In **Operation Masquerade**, the FBI sent commands to infected routers to collect forensic data and reset malicious DNS configurations, removing Russian access from the devices. Microsoft and U.S. agencies linked the activity to APT28 and warned that router compromises can enable traffic redirection, credential theft, malware delivery, and denial-of-service attacks, urging organizations to patch firmware, verify DNS settings, disable unnecessary remote management, and replace end-of-life hardware.
Jun 15, 2026