The cyber espionage group APT28, also known as Forest Blizzard, has been linked to a sophisticated campaign targeting vulnerable small office and home office (SOHO) routers. This operation, active since at least May 2025, involves hijacking DNS traffic to facilitate passive data collection. The campaign, dubbed FrostArmada by Lumen’s Black Lotus Labs, highlights the exploitation of MikroTik and TP-Link routers, folding them into the actor’s malicious network infrastructure.
Global Exploitation Campaign
Microsoft and Lumen’s Black Lotus Labs have identified this large-scale effort as an attempt to manipulate DNS settings on compromised devices. By redirecting DNS traffic, APT28 was able to intercept and extract authentication credentials without end-user interaction. This form of attack, known as attacker-in-the-middle (AitM), poses a significant threat to network security.
Collaborative efforts by the U.S. Department of Justice, FBI, and international partners have successfully disrupted the infrastructure associated with this campaign. However, the operation, which began in a limited capacity in May 2025, gained momentum by August and peaked in December with over 18,000 IP addresses from 120 countries connecting to APT28-controlled servers.
Targeted Organizations and Methods
The campaign primarily focused on government entities, including ministries of foreign affairs and law enforcement, as well as third-party email and cloud service providers across multiple regions such as North Africa, Central America, Southeast Asia, and Europe. Microsoft reported that over 200 organizations and 5,000 consumer devices were compromised by this malicious DNS setup.
APT28 exploited vulnerabilities in TP-Link WR841N routers, likely leveraging the CVE-2023-50224 vulnerability, which allows authentication bypass. This exploitation enabled the actor to gain control of the device and redirect its DNS requests to attacker-controlled servers.
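A hijacked router forwards its DNS queries to a resolver the operator never configured, which is visible at the network edge as port-53 traffic to an unsanctioned destination. The script below is an added illustration of that detection, not code from the article or from Microsoft or Lumen; the key=value flow-log format, the sanctioned resolver addresses and the sample lines are all constructed for the example.

```python
"""Flag DNS egress from routers to resolvers outside the sanctioned set.

Added example (not from the article or any vendor's tooling). Assumes
firewall/flow logs in a constructed 'key=value' format; the resolver
addresses and sample lines are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Sanctioned resolvers: the addresses the routers SHOULD forward DNS to.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample flow records (documentation ranges, not real IoCs).
SAMPLE_FLOWS = """\
ts=1700000001 src=192.168.1.1 dst=10.0.0.53 dport=53 proto=udp
ts=1700000002 src=192.168.1.1 dst=10.0.0.53 dport=53 proto=udp
ts=1700000003 src=192.168.1.1 dst=198.51.100.7 dport=53 proto=udp
ts=1700000004 src=192.168.2.1 dst=10.0.1.53 dport=53 proto=tcp
ts=1700000005 src=192.168.2.1 dst=203.0.113.9 dport=53 proto=udp
ts=1700000006 src=192.168.3.1 dst=10.0.0.53 dport=443 proto=tcp
"""


def parse_flow(line):
    """Parse one key=value flow record into a dict; None for malformed lines."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return fields if {"src", "dst", "dport"} <= fields.keys() else None


def audit_dns_egress(lines, sanctioned=SANCTIONED_RESOLVERS):
    """Return {src: sorted unexpected resolvers} for sources sending DNS elsewhere.

    A router forwarding port-53 traffic to an address outside the sanctioned
    set is exactly the behaviour a tampered DNS setting produces.
    """
    findings = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] != "53":
            continue
        dst = rec["dst"]
        ipaddress.ip_address(dst)  # reject garbage before it becomes a finding
        if dst not in sanctioned:
            findings[rec["src"]].add(dst)
    return {src: sorted(dsts) for src, dsts in findings.items()}


if __name__ == "__main__":
    for src, dsts in audit_dns_egress(SAMPLE_FLOWS).items():
        print(f"{src} sent DNS queries to unsanctioned resolvers: {dsts}")
```

Feeding real flow exports through this check, and alerting on any router that appears in the result, gives an early signal of the DNS redirection described above even when the router's own configuration cannot be inspected.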
Implications and Future Threats
The DNS hijacking campaign not only facilitated AitM attacks for credential theft but also demonstrated the potential for broader network compromises. Forest Blizzard’s tactics allow for extensive espionage on sensitive targets, consistent with their historical objectives of gathering intelligence on high-priority subjects.
While the primary focus has been information collection, the AitM position could potentially be leveraged for further malicious activities, such as malware deployment or denial-of-service attacks. The U.K. National Cyber Security Centre highlighted the opportunistic nature of these operations, suggesting a broad targeting approach that narrows down to valuable intelligence targets.
Microsoft noted that the campaign included activity against non-Microsoft hosted servers in several African government organizations, underscoring the global reach and impact of this operation.
Understanding and mitigating these threats remains critical as nation-state actors continue to exploit network vulnerabilities, emphasizing the need for robust cybersecurity measures to safeguard sensitive information and infrastructure.
