A sophisticated cyber espionage campaign linked to Russia’s notorious threat group APT28, also tracked as Forest Blizzard, has been uncovered targeting vulnerable home and small office routers worldwide. The operation focuses on manipulating DNS configurations to intercept sensitive data without user awareness.
The campaign, named FrostArmada by Black Lotus Labs, has been active since at least May 2025. It primarily involves compromising routers from vendors like MikroTik and TP-Link, converting them into attacker-controlled infrastructure for intelligence gathering.
Large-Scale Router Exploitation and DNS Manipulation
The attackers gained unauthorized access to poorly secured routers and altered their DNS settings. This allowed them to redirect network traffic through malicious servers, effectively creating a hidden surveillance layer within targeted networks.
According to findings, when users attempted to access legitimate services, their traffic was silently redirected to attacker-controlled nodes operating as intermediaries. This method enabled the collection of login credentials and sensitive data without requiring any direct interaction from victims.

Global Reach and Targeted Sectors
The campaign rapidly expanded over time. By December 2025, more than 18,000 IP addresses across over 120 countries were found communicating with the malicious infrastructure.
Targets included government institutions, foreign ministries, law enforcement bodies, and providers of cloud and email services. Regions impacted span North Africa, Central America, Southeast Asia, and Europe.
Analysis from Microsoft Threat Intelligence identified over 200 organizations and approximately 5,000 consumer devices affected by this operation.
International Disruption Effort
The malicious network was partially dismantled through a coordinated international response involving the U.S. Department of Justice and the Federal Bureau of Investigation. This law enforcement action, referred to as Operation Masquerade, successfully neutralized parts of the infrastructure operating within the United States.
Authorities stated that the campaign enabled Russian intelligence to monitor individuals of strategic interest, particularly those connected to military, government, and critical infrastructure sectors.
Advanced DNS Hijacking and AiTM Techniques
This operation marks one of the first known large-scale uses of DNS hijacking to support actor-in-the-middle attacks against encrypted web traffic.
Once routers were compromised, attackers reconfigured them to use DNS servers under their control. As a result:
- DNS requests were routed to malicious servers
- Legitimate domain lookups were manipulated
- Victims were redirected to fake login pages
- Credentials such as passwords and OAuth tokens were captured
In some cases, domains mimicking services like Microsoft Outlook Web Access were used to deceive users and harvest authentication data.
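As an added example (not code from the Black Lotus Labs or Microsoft reports), the following Python check shows how a network defender could screen exported host data for the two symptoms just described: a resolver address that is not one of the organisation's approved DNS servers, and answers for high-value login domains that no longer overlap with what a trusted out-of-band resolver returns. All resolver addresses, IP answers and host names below are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: resolvers the organisation actually operates, and the
# A records a trusted out-of-band resolver returned for high-value login names.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
REFERENCE_ANSWERS = {
    "outlook.office365.com": {"52.96.0.1", "52.96.0.2"},      # constructed
    "login.microsoftonline.com": {"20.190.0.1", "20.190.0.2"},  # constructed
}


@dataclass
class Finding:
    host: str
    kind: str    # "unexpected_resolver" or "answer_divergence"
    detail: str


def check_host(host: str, resolvers: list[str],
               answers: dict[str, set[str]]) -> list[Finding]:
    """Flag a host whose DNS configuration or answers deviate from the reference."""
    findings: list[Finding] = []
    for resolver in resolvers:
        if resolver not in APPROVED_RESOLVERS:
            findings.append(Finding(host, "unexpected_resolver", resolver))
    for name, reference_ips in REFERENCE_ANSWERS.items():
        observed = answers.get(name, set())
        # CDN answers rotate, so require zero overlap before alerting; an
        # answer set that shares nothing with the trusted one is suspect.
        if observed and not (observed & reference_ips):
            findings.append(Finding(host, "answer_divergence",
                                    f"{name} -> {sorted(observed)}"))
    return findings


def run_sample() -> list[Finding]:
    """Run the check over two constructed hosts: one clean, one hijacked."""
    inventory = [
        ("ws-01", ["10.0.0.53"],
         {"outlook.office365.com": {"52.96.0.2"}}),
        ("ws-02", ["198.51.100.7"],   # resolver handed out by a tampered router
         {"outlook.office365.com": {"203.0.113.10"}}),
    ]
    results: list[Finding] = []
    for host, resolvers, answers in inventory:
        results.extend(check_host(host, resolvers, answers))
    return results


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: {f.kind} ({f.detail})")
```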
Exploitation of Router Vulnerabilities
The campaign also involved exploiting known weaknesses in router firmware. For example, TP-Link WR841N devices were targeted using CVE-2023-50224, a flaw that allows authentication bypass and unauthorized data extraction.
Investigations revealed that actors linked to Russia’s GRU military intelligence unit leveraged these vulnerabilities to gain persistent access and control DNS traffic on compromised devices.
Stealth and Target Filtering Strategy
Rather than immediately targeting specific individuals, the attackers initially collected large volumes of DNS data from infected routers. They then applied filtering techniques to identify high-value targets based on intelligence priorities.
This approach allowed them to operate at scale while focusing their efforts on selected victims of strategic importance.
Additional Infrastructure and Regional Activity
A secondary infrastructure cluster was also discovered, responsible for forwarding DNS queries from compromised routers to attacker-controlled servers. Some targeted operations were observed involving MikroTik routers located in Ukraine, indicating region-specific intelligence activities.
Implications and Future Risks
Security experts warn that compromising edge devices such as routers provides attackers with a powerful vantage point. These devices are often less monitored, making them ideal entry points into larger enterprise networks.
While the current campaign primarily focused on data collection, the same access could potentially be used for more destructive purposes, including malware deployment or service disruption.