A state-sponsored threat group operating out of Russia has been passively intercepting internet traffic from global targets for over a year. The group achieves this by leveraging known vulnerabilities in internet-exposed small office/home office (SOHO) routers. Affected entities include foreign affairs ministries and national law enforcement bodies in North Africa, Central America, and Southeast Asia, as well as a national identity platform, European service providers, and organizations across 23 US states.
Advanced persistent threats often rely on complex evasion techniques or undisclosed vulnerabilities. However, the group tracked as APT28 (also known as Forest Blizzard, Fancy Bear, or Storm-2754) has demonstrated that simpler methods remain highly effective for broad data collection.
Since at least May 2024, the group has intercepted traffic at high-value organizations by accessing edge devices—primarily MikroTik and TP-Link routers, alongside select Nethesis and Fortinet products. Rather than deploying traditional malware, the threat actors reconfigure the routers to direct Domain Name System (DNS) traffic through unauthorized virtual private servers (VPS). According to researchers at Microsoft and Lumen’s Black Lotus Labs, this methodology allows the group to passively monitor web traffic and harvest credentials for email and web services.
At its peak in December 2025, Black Lotus Labs observed 18,000 unique IP addresses across 120 countries communicating with the unauthorized infrastructure. Microsoft identified more than 200 impacted organizations and over 5,000 consumer devices.
APT28’s primary objective in this campaign is email compromise, continuing a historical pattern of targeting organizational and individual communications. The group scans for known flaws, such as CVE-2023-50224, a medium-severity information disclosure issue in TP-Link devices that allows unauthenticated remote administration. Once accessed, the group modifies the router's DNS settings so that name lookups go to a resolver it controls. When a user navigates to a targeted service—such as Microsoft Outlook on the Web—that resolver answers with the address of an attacker-controlled server, which proxies the request to the real service. This Adversary-in-the-Middle (AiTM) technique captures user credentials during the authentication process.
"One of the things that piqued my interest: there is no malware," notes Danny Adamitis, principal information security engineer at Black Lotus Labs. "If you were to have your router getting logged into, even if you were to hypothetically scan it all with an endpoint detection and response (EDR) tool or upload everything to VirusTotal, there is nothing there. The only thing they're doing is modifying just one entry of your DNS settings, to route traffic to a server that they control and administrate."
Security researchers note varying start dates for the activity. Microsoft telemetry indicates August 2025, while Black Lotus Labs identified a compromised router associated with the government of Afghanistan in May 2024. The US Department of Justice (DOJ) states the activity dates to at least 2024. Regardless of the exact start, the group demonstrated high adaptability. On August 6, 2025, the UK’s National Cyber Security Centre (NCSC) published "Authentic Antics," a report detailing an APT28 tool used to capture Microsoft Office credentials. The following day, the group shifted its tactics entirely toward the SOHO router campaign.
On April 7, 2026, the DOJ announced "Operation Masquerade," a court-ordered disruption effort aimed at securing the US-based portion of the compromised infrastructure. The operation involved sending commands to affected TP-Link routers to collect forensic data and reset DNS configurations, effectively pointing the devices back to legitimate Internet Service Provider (ISP) resolvers.
Ryan English, information security engineer at Lumen Technologies, observes that while organizations should transition away from SOHO routers, their prevalence is understandable. "It's a question of economics, convenience, and access," English explains. "Some governments might make the choice to use this because it works perfectly well. But you can't inspect the logs on a lot of these SOHO routers. Some of them are not easy to manually update whenever there's patching needed. So they're vulnerable as sort of a condition of their existence."
Adamitis points to a broader systemic issue with DNS trust. He compares DNS to mapping software: users implicitly trust the route provided without verifying the underlying data. "Users trust that DNS can tell you where your server is," he notes. APT28 alters that routing on the back end. While router ecosystems offer patching and maintenance mechanisms, Adamitis describes DNS as a decentralized system lacking clear accountability. "It truly is, in my mind, the Wild West."
To protect networks against DNS redirection and edge device compromise, organizations and remote personnel should prioritize hardware lifecycle management. Security teams recommend replacing end-of-life routers, applying the latest firmware updates, and verifying the authenticity of DNS resolvers in device settings. Additionally, implementing strict firewall rules to restrict remote management services and utilizing Zero Trust DNS controls can significantly reduce the risk of unauthorized traffic interception.
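One way to put the resolver check above into practice, as an added example that is not code from the article, Microsoft or Black Lotus Labs: it audits a constructed router inventory against a hypothetical allowlist of expected resolvers, flags any device whose configuration deviates (even by a single entry), and groups devices that share the same unexpected resolver.

```python
"""Audit SOHO router DNS settings against the resolvers that should be configured.
Added example, not the article's or the researchers' code; every address below is
constructed from RFC 5737 documentation ranges, and the inventory is hypothetical."""
import ipaddress
from collections import defaultdict

# Hypothetical allowlist: the ISP's resolvers plus any sanctioned public resolver.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed inventory export: device -> configured DNS servers (primary, secondary).
ROUTER_INVENTORY = {
    "branch-rtr-01": ["203.0.113.53", "203.0.113.54"],
    "branch-rtr-02": ["203.0.113.53", "198.51.100.77"],  # only one entry changed
    "home-office-07": ["198.51.100.77", "198.51.100.78"],
    "home-office-09": ["203.0.113.53", "not-an-ip"],      # malformed entry
}


def audit_resolvers(inventory, expected):
    """Return {device: [unexpected resolver entries]} for every deviating device.
    One swapped entry is enough to flag a device: the campaign above changes a
    single DNS entry and leaves the rest of the configuration intact."""
    findings = {}
    for device, servers in inventory.items():
        unexpected = []
        for entry in servers:
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                unexpected.append(entry)  # malformed value: never silently accept it
                continue
            if entry not in expected:
                unexpected.append(entry)
        if unexpected:
            findings[device] = unexpected
    return findings


def shared_rogue_resolvers(findings):
    """Group flagged devices by resolver address: the same unexpected address on
    several devices points to shared unauthorized infrastructure, not a typo."""
    by_resolver = defaultdict(list)
    for device, entries in findings.items():
        for entry in entries:
            by_resolver[entry].append(device)
    return {r: sorted(d) for r, d in by_resolver.items() if len(d) > 1}


if __name__ == "__main__":
    found = audit_resolvers(ROUTER_INVENTORY, EXPECTED_RESOLVERS)
    print(found, shared_rogue_resolvers(found))
```

Feed it a real export of router DNS settings and the allowlist your ISP actually publishes; devices grouped under one shared unexpected resolver are the first to pull forensic data from before resetting.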