The group known as APT28, also called Forest Blizzard, has been identified in a recent campaign involving compromised MikroTik and TP-Link routers. These routers were manipulated to serve as malicious infrastructure as part of a cyber espionage effort that began in May 2025.
Referred to as FrostArmada by Lumen’s Black Lotus Labs, the large-scale campaign exploited vulnerable home and small office internet devices to hijack DNS traffic for passive network data collection, according to Microsoft.
The attackers altered DNS settings on compromised routers to redirect network traffic, capturing authentication credentials in the process. This method allowed for stealthy attacks without user interaction.
The campaign’s infrastructure has been dismantled in a joint operation involving the U.S. Department of Justice, FBI, and other international partners.
The activity began on a limited scale in May 2025, with widespread router exploitation and DNS redirection starting in August. By December 2025, over 18,000 unique IP addresses from 120 countries were detected communicating with APT28 infrastructure.
The targets were primarily government agencies, foreign affairs ministries, law enforcement, and email/cloud service providers across various regions.
Microsoft’s Threat Intelligence team linked the campaign to APT28 and its sub-group Storm-2754, identifying more than 200 organizations and 5,000 consumer devices affected by the malicious DNS infrastructure.
The DNS hijacking enabled passive reconnaissance on a large scale, allowing threat actors to pivot into enterprise environments through compromised edge devices.
The attack chain involved gaining remote administrative access to SOHO devices, changing their network configuration to use attacker-controlled DNS resolvers, and conducting adversary-in-the-middle (AitM) attacks to steal user credentials.
APT28 leveraged DNS hijacking to facilitate AitM attacks on TLS connections, targeting passwords, OAuth tokens, and other credentials for web services, including Microsoft Outlook.
The U.K. National Cyber Security Centre described the DNS hijacking operations as opportunistic, filtering target users at each stage for potential intelligence value.
APT28 exploited TP-Link WR841N routers using a known authentication bypass vulnerability for DNS poisoning operations. Another cluster of servers was involved in interactive operations targeting MikroTik routers in Ukraine.
Forest Blizzard’s activities align with its espionage objectives, collecting sensitive information globally. While the current campaign focuses on information collection, the potential for further malicious actions such as malware deployment or denial of service attacks remains.