FBI disrupts GRU router botnets used for espionage and DNS hijacking
The FBI and Justice Department said they disrupted multiple Russian GRU operations that hijacked small office/home office routers to conceal espionage activity, proxy malicious traffic, and steal credentials. In one court-authorized action, Operation Dying Ember, agents remotely accessed hundreds of compromised Ubiquiti EdgeOS routers infected with Moobot, deleted malware and related files, and temporarily changed firewall rules to cut off APT28—also tracked as Fancy Bear, Sednit, and Forest Blizzard—without disrupting normal device use. Officials said the botnet had originally been built by cybercriminals abusing internet-exposed routers with default administrator passwords before being repurposed by Russia’s GRU Unit 26165.
U.S. authorities later said a related GRU campaign also compromised SOHO routers, including TP-Link devices, to alter DNS settings and conduct adversary-in-the-middle attacks against TLS sessions, including Outlook traffic, in operations affecting government, IT, telecommunications, and energy targets. In Operation Masquerade, the FBI sent commands to infected routers to collect forensic data and reset malicious DNS configurations, removing Russian access from the devices. Microsoft and U.S. agencies linked the activity to APT28 and warned that router compromises can enable traffic redirection, credential theft, malware delivery, and denial-of-service attacks, urging organizations to patch firmware, verify DNS settings, disable unnecessary remote management, and replace end-of-life hardware.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Researchers detail APT28's large router-and-cloud attack infrastructure
Sekoia reported that APT28/Fancy Bear had shifted heavily to compromised SOHO routers, consumer edge devices, and cloud services, with a peak in December 2025 of more than 18,000 IP addresses across 120 countries communicating with actor-controlled servers. The report also described about 200 affected organizations, roughly 5,000 consumer devices, DNS interception activity against services such as Microsoft 365, and tooling including LameHug and the BeardShell backdoor.
DOJ announces Operation Masquerade against GRU router campaign
The U.S. Justice Department announced that the FBI's Operation Masquerade disrupted a GRU campaign that hijacked SOHO routers, including TP-Link devices, to alter DNS settings and steal data. The FBI sent commands to compromised routers to collect forensic information and reset malicious DNS configurations, cutting off Russian access.
NSA backs FBI warning on Russian GRU router threats
The NSA published a press release supporting the FBI in highlighting Russian GRU threats against routers, underscoring the national security risk posed by the campaign. The statement accompanied broader public disclosure of the activity.
Microsoft observes GRU router compromises from at least August 2025
Microsoft said the GRU-linked actor APT28/Fancy Bear/Forest Blizzard had been compromising routers since at least August 2025 to enable large-scale DNS hijacking and adversary-in-the-middle attacks. The company observed data theft affecting sectors including government, IT, telecommunications, and energy.
GRU begins DNS-hijacking router campaign tracked by U.S. prosecutors
U.S. prosecutors said a separate GRU campaign abusing hacked SOHO routers to redirect DNS traffic and steal sensitive data had been underway since at least 2024. The activity targeted victims including governments and critical infrastructure operators.
FBI warns Kremlin-backed hackers are targeting SOHO routers
U.S. authorities publicly warned that Russian and Chinese state-backed actors were compromising small office/home office routers, including Ubiquiti devices, to support covert operations. The warning followed the February botnet disruption and highlighted ongoing router-focused threats.
FBI disrupts GRU's Moobot-based router botnet
In the court-authorized Operation Dying Ember, the FBI remotely accessed hundreds of compromised Ubiquiti routers used by GRU Unit 26165 (APT28/Fancy Bear), deleted Moobot and related malicious files, and temporarily changed firewall rules to block Russian access. The Justice Department announced the disruption on February 15, 2024.
Cybercriminals build Moobot botnet on exposed Ubiquiti routers
Unrelated cybercriminals initially created a botnet by infecting Internet-exposed Ubiquiti EdgeOS SOHO routers running with default administrator passwords using Moobot malware. This botnet was later repurposed by Russia's GRU for espionage operations.
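The defensive advice that runs through this story (verify the router's DNS settings, disable remote management that is not needed, and never leave a default administrator password on an Internet-exposed device) can be turned into a repeatable check. The script below is an added example, not code from the original story or from any vendor tool; the key=value export format, the resolver allowlist, the default-password list and the sample router config are all constructed assumptions for illustration, and the sample addresses are documentation ranges rather than indicators from the story.

```python
"""Audit a SOHO router's exported settings for the conditions the story
describes: hijacked DNS resolvers (WAN and DHCP-advertised), remote
management reachable from the WAN, and a still-default admin password.

Constructed example: the key=value format, the allowlist and the sample
values are assumptions for illustration, not a real vendor export."""

import ipaddress

# Resolvers the organisation has decided to trust (constructed allowlist;
# the ISP's or an internal resolver would normally be listed here).
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1", "8.8.8.8"}

# Passwords commonly shipped as factory defaults (constructed, illustrative).
DEFAULT_PASSWORDS = {"admin", "ubnt", "password", ""}

# RFC 1918 ranges: a resolver inside the LAN is treated as local, not hijacked.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export: DNS points at an unknown host (198.51.100.23 is a
# documentation address), SSH is open to the WAN and the admin password is a default.
SAMPLE_CONFIG = """\
hostname=edge-gw-01
wan.dns.primary=198.51.100.23
wan.dns.secondary=1.1.1.1
lan.dhcp.dns=198.51.100.23
mgmt.ssh.wan=enabled
mgmt.https.wan=disabled
admin.password=ubnt
firmware.version=1.0.0
"""


def parse_config(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside a private (RFC 1918) range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def audit(cfg, trusted=TRUSTED_RESOLVERS, defaults=DEFAULT_PASSWORDS):
    """Return a list of human-readable findings; an empty list means the config passed."""
    findings = []
    # Any resolver that is neither on the allowlist nor inside the LAN is suspicious:
    # the DNS-hijacking campaign in the story worked by rewriting exactly these fields.
    for key in ("wan.dns.primary", "wan.dns.secondary", "lan.dhcp.dns"):
        addr = cfg.get(key)
        if addr and addr not in trusted and not is_rfc1918(addr):
            findings.append(f"{key}: untrusted resolver {addr} (possible DNS hijack)")
    # Management interfaces exposed to the WAN are the entry point for mass compromise.
    for key in ("mgmt.ssh.wan", "mgmt.https.wan"):
        if cfg.get(key, "disabled").lower() == "enabled":
            findings.append(f"{key}: remote management reachable from WAN")
    # The Moobot botnet in the story was built on routers still using default credentials.
    if cfg.get("admin.password", "") in defaults:
        findings.append("admin.password: default or empty administrator credential")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed sample, the audit reports four findings: both DNS fields that point at the unknown resolver, SSH open to the WAN, and the default password. The allowlist is the important design choice: comparing against "what the ISP or IT team assigned" catches a rewritten resolver even when the attacker's address looks ordinary, which a reputation lookup alone would not.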
Sources
6 references tracked.
Hacker group Fancy Bear abuses edge routers and cloud services to launch covert cyberattacks - FreeBuf Cybersecurity Industry Portal (freebuf.com)
US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure | Cybersecurity Dive (cybersecuritydive.com)
NSA Supports FBI in Highlighting Russian GRU Threats Against Routers > National Security Agency/Central Security Service > Press Release View (nsa.gov)
Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns - Ars Technica (arstechnica.com)
Feds go Fancy Bear hunting, take down Russia's GRU botnet (theregister.com)
FBI disrupts Russian Moobot botnet infecting Ubiquiti routers (bleepingcomputer.com)