The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been tied to a new campaign that compromised vulnerable MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under its control, as part of a cyberespionage effort active since at least May 2025.
The massive exploitation campaign has been codenamed frostarmada by Lumen’s Black Lotus Labs. Microsoft has described it as an attempt to exploit vulnerable small office/home office (SOHO) Internet devices to hijack DNS traffic and enable passive collection of network data.
“Their technique modified DNS settings on compromised routers to hijack local network traffic to capture and exfiltrate authentication credentials,” Black Lotus Labs said in a report shared with The Hacker News.
“When the targeted domain was requested by a user, the actor redirected the traffic to an attacker-in-the-middle (AITM) node, where those credentials were harvested and exfiltrated. This approach enabled a nearly invisible attack that required no interaction from the end user.”
Infrastructure associated with the campaign has been disrupted and taken offline as part of a joint operation in collaboration with the US Department of Justice, the Federal Bureau of Investigation, and other international partners.
Activity is estimated to have begun in a limited capacity by May 2025, followed by widespread router exploitation and DNS redirection in early August. At its peak in December 2025, more than 18,000 unique IP addresses from at least 120 countries were found communicating with the APT28 infrastructure.
The targeting primarily involved government agencies such as ministries of foreign affairs and law enforcement, as well as third-party email and cloud service providers, in North African, Central American, Southeast Asian, and European countries.
The Microsoft Threat Intelligence team, in its analysis of the campaign, attributed the activity to APT28 and a sub-cluster it tracks as Storm-2754. The tech giant said it has identified more than 200 organizations and 5,000 consumer devices affected by the threat actor’s malicious DNS infrastructure.
“For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and large-scale reconnaissance,” Redmond said. “By compromising edge devices that are upstream of larger targets, threat actors can leverage less closely monitored or managed assets to pivot into enterprise environments.”
DNS hijacking activity has also facilitated AITM attacks that enable the theft of passwords, OAuth tokens, and other credentials for web and email-related services, putting organizations at risk of widespread compromise.
Microsoft said this development is the first time the threat actor has been observed using DNS hijacking on a large scale to support AITM of Transport Layer Security (TLS) connections after exploiting edge devices.
At a high level, the attack chain involves APT28 gaining remote administrative access to SOHO devices and changing the default network configuration to use the DNS resolver under its control. Malicious reconfiguration causes devices to redirect their DNS requests to actor-controlled servers.
This, in turn, causes DNS lookups for email applications or login pages to be resolved by malicious DNS servers. The threat actor then connects victims to malicious infrastructure and attempts to conduct AITM attacks against those connections to steal user account credentials.
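The attack chain above has two observable side effects a defender can check for: a router whose configured resolvers no longer match what the organization expects, and DNS answers for login or mail hostnames that point outside the address ranges those services normally use. The following is an added example written for this article, not code from Lumen, Microsoft or any of the sources quoted here; the resolver allowlist, the expected prefixes, the hostnames and the dnsmasq-style log lines are all constructed placeholders (RFC 5737 documentation addresses and example.com names) that you would replace with your own values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist: the DNS resolvers a managed router is expected to use.
# Placeholder values; substitute your ISP or enterprise resolvers.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed expectation of where sensitive login/mail hostnames should resolve.
# In practice, populate this from an out-of-band lookup against a trusted resolver,
# because cloud service address ranges change over time.
EXPECTED_PREFIXES = {
    "login.example.com": [ipaddress.ip_network("198.51.100.0/24")],
    "mail.example.com": [ipaddress.ip_network("203.0.113.0/25")],
}

# dnsmasq-style "reply <name> is <ip>" lines (constructed sample format).
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<ip>[0-9a-fA-F.:]+)$")


@dataclass
class Finding:
    kind: str    # "unexpected_resolver" or "unexpected_answer"
    detail: str  # the offending resolver, or "<qname> -> <answer>"


def audit_router_resolvers(configured):
    """Flag every configured resolver that is not on the allowlist.

    This is the reconfiguration step described in the article: the router is
    pointed at an actor-controlled DNS server instead of the expected one."""
    return [Finding("unexpected_resolver", r) for r in configured if r not in EXPECTED_RESOLVERS]


def parse_dns_log(lines):
    """Extract (qname, answer_ip) pairs from dnsmasq-style reply lines; other lines are ignored."""
    records = []
    for line in lines:
        m = REPLY_RE.search(line.strip())
        if m:
            records.append((m.group("name"), m.group("ip")))
    return records


def audit_dns_answers(records):
    """Flag answers for monitored hostnames that fall outside their expected prefixes.

    A hijacked resolver returning an AITM node's address for a login hostname
    shows up here; unmonitored hostnames are skipped."""
    findings = []
    for qname, answer in records:
        prefixes = EXPECTED_PREFIXES.get(qname)
        if prefixes is None:
            continue
        ip = ipaddress.ip_address(answer)
        if not any(ip in p for p in prefixes):
            findings.append(Finding("unexpected_answer", f"{qname} -> {answer}"))
    return findings


# Constructed sample: a router whose secondary resolver was swapped, and a log in
# which the login hostname resolves once correctly and once to the rogue address.
SAMPLE_ROUTER_CONFIG = ["192.0.2.53", "192.0.2.200"]
SAMPLE_DNS_LOG = [
    "Jan 10 09:00:01 dnsmasq[512]: query[A] login.example.com from 10.0.0.5",
    "Jan 10 09:00:01 dnsmasq[512]: reply login.example.com is 198.51.100.10",
    "Jan 10 09:03:17 dnsmasq[512]: reply login.example.com is 192.0.2.200",
    "Jan 10 09:04:02 dnsmasq[512]: reply mail.example.com is 203.0.113.5",
    "Jan 10 09:05:44 dnsmasq[512]: reply unrelated.example.net is 203.0.113.200",
]


def run_audit(config=SAMPLE_ROUTER_CONFIG, log_lines=SAMPLE_DNS_LOG):
    """Run both checks and return the combined list of findings."""
    return audit_router_resolvers(config) + audit_dns_answers(parse_dns_log(log_lines))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind}: {f.detail}")
```

Both checks are deliberately static so the script runs offline; in production the resolver allowlist should be pulled from device management, and the expected prefixes should be refreshed by resolving the same hostnames through a trusted path (for example DNS over HTTPS to a known resolver) and comparing the two answers, since a fixed prefix list goes stale and a hijacked resolver can also return correct answers for everything except the handful of hostnames it cares about.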
Some of these domains are associated with Microsoft Outlook on the web. Microsoft said it also identified AITM activity targeting non-Microsoft-hosted servers in at least three government organizations in Africa.
The UK National Cyber Security Centre (NCSC) said, “It is believed that DNS hijacking operations are opportunistic in nature, with actors gaining visibility of a large group of candidate target users and then filtering users at each stage in the exploit chain for victims of potential intelligence value.”
APT28 is said to have used a TP-Link WR841N router for its DNS poisoning operation, possibly by leveraging CVE-2023-50224 (CVSS score: 6.5), which is an authentication bypass vulnerability that can be used to extract stored credentials via specially crafted HTTP GET requests.
A second group of servers was found to be receiving DNS requests through the compromised routers and subsequently forwarding them to remote actor-owned servers. It has also been assessed that this cluster engaged in interactive operations targeting a small number of MikroTik routers located in Ukraine.
“Forest Blizzard’s DNS hijacking and AITM activity allows the actor to conduct DNS collection on sensitive organizations around the world and is consistent with the actor’s long-standing authority to collect espionage against priority intelligence targets,” Microsoft said.
“Although we have seen Forest Blizzard use its DNS hijacking campaign solely for information collection, an attacker could use the AiTM state for additional consequences, such as malware deployment or denial of service.”