Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
APT28 Targets SOHO Routers in Global DNS Hijacking

APT28 Targets SOHO Routers in Global DNS Hijacking

Posted on April 7, 2026 By CWS

The cyber espionage group APT28, also known as Forest Blizzard, has been linked to a sophisticated campaign targeting vulnerable small office and home office (SOHO) routers. This operation, active since at least May 2025, involves hijacking DNS traffic to facilitate passive data collection. The campaign, dubbed FrostArmada by Lumen’s Black Lotus Labs, highlights the exploitation of MikroTik and TP-Link routers, turning them into part of a malicious network infrastructure.

Global Exploitation Campaign

Microsoft and Lumen’s Black Lotus Labs have identified this large-scale effort as an attempt to manipulate DNS settings on compromised devices. By redirecting DNS traffic, APT28 was able to intercept and extract authentication credentials without end-user interaction. This form of attack, known as attacker-in-the-middle (AitM), poses a significant threat to network security.

Collaborative efforts by the U.S. Department of Justice, FBI, and international partners have successfully disrupted the infrastructure associated with this campaign. However, the operation, which began in a limited capacity in May 2025, gained momentum by August and peaked in December with over 18,000 IP addresses from 120 countries connecting to APT28-controlled servers.

Targeted Organizations and Methods

The campaign primarily focused on government entities, including ministries of foreign affairs and law enforcement, as well as third-party email and cloud service providers across multiple regions such as North Africa, Central America, Southeast Asia, and Europe. Microsoft reported that over 200 organizations and 5,000 consumer devices were compromised by this malicious DNS setup.

APT28 exploited vulnerabilities in TP-Link WR841N routers, likely leveraging the CVE-2023-50224 vulnerability, which allows authentication bypass. This exploitation enabled the actor to gain control and manipulate DNS requests, directing them to attacker-controlled servers.

Implications and Future Threats

The DNS hijacking campaign not only facilitated AitM attacks for credential theft but also demonstrated the potential for broader network compromises. Forest Blizzard’s tactics allow for extensive espionage on sensitive targets, consistent with their historical objectives of gathering intelligence on high-priority subjects.

While the primary focus has been information collection, the AitM position could potentially be leveraged for further malicious activities, such as malware deployment or denial-of-service attacks. The U.K. National Cyber Security Centre highlighted the opportunistic nature of these operations, suggesting a broad targeting approach that narrows down to valuable intelligence targets.

Microsoft noted that the campaign included activity against non-Microsoft hosted servers in several African government organizations, underscoring the global reach and impact of this operation.

Understanding and mitigating these threats remain critical as nation-state actors continue to exploit network vulnerabilities, emphasizing the need for robust cybersecurity measures to safeguard sensitive information and infrastructure.

The Hacker News Tags:APT28, Black Lotus Labs, cyber espionage, cyber threats, Cybersecurity, DNS hijacking, FBI, Forest Blizzard, Microsoft, MikroTik routers, network security, OAuth tokens, SOHO routers, TLS connections, TP-Link routers

Post navigation

Previous Post: Russian Hackers Target Routers in Major DNS Hijacking Scheme
Next Post: Trent AI Launches with $13M Seed Funding Boost

Related Posts

Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims The Hacker News
Starkiller Phishing Suite Evades MFA with Reverse Proxy Starkiller Phishing Suite Evades MFA with Reverse Proxy The Hacker News
Google Enhances Android Privacy and Blocks 8.3B Ads Google Enhances Android Privacy and Blocks 8.3B Ads The Hacker News
Deepfake Defense in the Age of AI Deepfake Defense in the Age of AI The Hacker News
Key Findings from the Blue Report 2025 Key Findings from the Blue Report 2025 The Hacker News
Your AI Agents Might Be Leaking Data — Watch this Webinar to Learn How to Stop It Your AI Agents Might Be Leaking Data — Watch this Webinar to Learn How to Stop It The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark