FrostMarina: the campaign that turned domestic routers into proxies and stole credentials worldwide

Published. 5 min read.

A coordinated international operation between authorities and private companies has dismantled a sophisticated campaign that used domestic and small office routers to redirect traffic and steal Microsoft credentials. Behind the operation was the group known as APT28, often referred to as Fancy Bear or Sofacy, which cybersecurity organizations have linked to Russian intelligence units; its technical profile can be consulted in MITRE's public repository, MITRE ATT&CK: APT28.

The modus operandi was relatively simple in concept but effective in practice: the attackers compromised routers exposed to the Internet, mainly MikroTik and TP-Link models, along with some devices from brands such as Nethesis and older Fortinet models, and changed the DNS configuration so that queries were resolved by virtual servers under their control. By pushing this new configuration to internal hosts through DHCP, all name-resolution traffic could end up being handled by the malicious infrastructure, which acted both as a resolver and as a proxy.


When a victim tried to log in to the targeted authentication services, the DNS response could return the proxy's IP instead of that of the legitimate service, steering the flow through an adversary-in-the-middle (AitM). In many cases the only visible sign for the user would have been an invalid TLS certificate warning, a message that many people ignore out of habit. If the warning was accepted or dismissed, the attacker could forward the requests on to the real service while harvesting sensitive data, including valid login credentials and OAuth tokens.

The research teams described the campaign as operating on two fronts: one dedicated to finding and compromising devices to grow the botnet, and the other focused on intercepting traffic and collecting credentials. This approach let the attackers build a large pool of potential victims and then single out those of real interest.

The scale of the threat was remarkable: at its peak, by the end of 2025, FrostMarina had reached tens of thousands of devices in more than 100 countries, mainly affecting government agencies, security forces, IT providers and the hospitality sector, as well as organizations that run their own servers or local mail services. Microsoft and Lumen's Black Lotus Labs researchers detected activity that also affected on-premises servers and some state services, confirming that the campaign was not limited to cloud accounts. Microsoft's analysis can be read in more detail in the technical report published by the company, and the UK cybersecurity agency, the NCSC, addressed the problem from a mitigation perspective in its statement. The technical indicators associated with the operation have also been collected by researchers in a public repository.

Cooperation between companies and law enforcement agencies was key to removing the offensive infrastructure from the network. Microsoft worked with Lumen to map the campaign's routes and help identify victims; with support from the FBI and the U.S. Department of Justice, U.S. and Polish authorities took down the servers that received and answered the malicious queries. Coordinated actions of this kind show that large-scale remediation operations require both technical intelligence and international legal backing.

From a technical point of view, the campaign highlights two recurring weaknesses: on one hand, the exposure of SOHO devices running outdated configurations or firmware, and on the other, reliance on traditional DNS resolution mechanisms without additional controls. The attackers exploited this combination to mount a large-scale attack that needed no complex zero-day vulnerabilities: administrative access to the routers was enough to impose a configuration that affected every host behind them.

For organizations and administrators, the recommendations translate into concrete, practical steps. First, it is essential to review the DNS configuration on edge equipment and apply firmware updates to routers and firewalls; devices that are out of support must be replaced. For corporate endpoints, mobile device management (MDM) policies that enforce certificate pinning can stop clients from accepting an intermediate proxy's unexpected certificates and immediately raise an alert about traffic-inspection attempts. Equally relevant is minimizing perimeter exposure: reduce publicly accessible services, segment networks, and use access controls that limit the impact if a network device is compromised.
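The two signals described above (a router or DHCP scope advertising an unexpected resolver, and login hostnames resolving to an address outside the ranges you expect, with one proxy address answering for several services) can be checked offline from a router export and resolver logs. The following is an added example written for this article, not code from the article, Microsoft or Lumen: the router export lines are constructed in MikroTik CLI style, the log lines are constructed in dnsmasq style, every address is an RFC 5737 documentation address, and the resolver allowlist and the "expected" ranges for the login hostnames are hypothetical placeholders to be replaced with your own resolvers and the real published ranges.

```python
"""Offline checks for the FrostMarina-style DNS hijack signals (added example).

1. Resolvers configured on the edge device, or handed out via DHCP, must be on an allowlist.
2. Answers for watched login hostnames must fall inside the ranges expected for them.
3. One external IP answering for several watched hostnames is a proxy candidate.
All sample data below is constructed; the allowlist and expected ranges are hypothetical.
"""
import ipaddress
import re

# Hypothetical allowlist: the resolvers this organization expects its router/DHCP to advertise.
ALLOWED_RESOLVERS = {
    ipaddress.ip_network("192.0.2.53/32"),  # constructed: primary internal resolver
    ipaddress.ip_network("192.0.2.54/32"),  # constructed: secondary internal resolver
}

# Hypothetical expected prefixes for login endpoints (constructed; NOT the real service ranges).
EXPECTED_RANGES = {
    "login.microsoftonline.com": [ipaddress.ip_network("198.51.100.0/24")],
    "login.live.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed router export in MikroTik CLI style: the DHCP scope hands clients a foreign resolver.
ROUTER_EXPORT = """\
/ip dns set servers=192.0.2.53,203.0.113.9 allow-remote-requests=yes
/ip dhcp-server network add address=10.0.0.0/24 dns-server=203.0.113.9 gateway=10.0.0.1
"""

# Constructed dnsmasq-style reply log: two login hosts resolve to the same unexpected IP.
DNS_LOG = """\
Jan 14 09:12:01 dnsmasq[812]: reply login.microsoftonline.com is 198.51.100.20
Jan 14 09:12:07 dnsmasq[812]: reply login.microsoftonline.com is 203.0.113.7
Jan 14 09:13:45 dnsmasq[812]: reply login.live.com is 203.0.113.7
Jan 14 09:14:02 dnsmasq[812]: reply example.org is 192.0.2.80
"""

_KV_RE = re.compile(r"\b(servers|dns-server)=([\d.,]+)")
_REPLY_RE = re.compile(r"reply (\S+) is (\d+\.\d+\.\d+\.\d+)")


def extract_configured_resolvers(export_text):
    """Collect every resolver IP the export configures, for the router itself or for DHCP clients."""
    found = set()
    for _key, value in _KV_RE.findall(export_text):
        for ip in value.split(","):
            found.add(ipaddress.ip_address(ip))
    return found


def rogue_resolvers(export_text, allowed=ALLOWED_RESOLVERS):
    """Configured resolvers that are not covered by any allowlisted network, as sorted strings."""
    return sorted(
        str(ip) for ip in extract_configured_resolvers(export_text)
        if not any(ip in net for net in allowed)
    )


def suspicious_answers(log_text, expected=EXPECTED_RANGES):
    """(hostname, ip) pairs where a watched login host resolved outside its expected ranges."""
    hits = []
    for name, ip_str in _REPLY_RE.findall(log_text):
        ranges = expected.get(name.lower())
        if ranges is None:
            continue  # not a watched hostname
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in ranges):
            hits.append((name, ip_str))
    return hits


def shared_proxy_candidates(hits):
    """IPs that answered for more than one watched hostname: one proxy fronting several services."""
    by_ip = {}
    for name, ip in hits:
        by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(ROUTER_EXPORT))
    hits = suspicious_answers(DNS_LOG)
    print("suspicious answers:", hits)
    print("proxy candidates:", shared_proxy_candidates(hits))
```

In a real environment the export would come from the device's own configuration dump and the log from the internal resolver; the useful part of the check is that the DHCP scope is inspected as well as the router's own resolver list, because in the campaign described the hijack reached clients through DHCP even when they never queried the router directly.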


At the identity layer, even though the campaign harvested valid OAuth tokens, there are measures that reduce the damage: enable strict authentication protections such as requiring hardware-based verification methods, apply session and token-revocation policies when compromise is suspected, and use conditional access rules that detect geographic or device anomalies. Active monitoring and revocation of suspicious credentials should be standard operating procedure after an alert.

Finally, this operation should serve as a reminder that Internet security neither starts nor ends in data centres: office and household routers are critical infrastructure that deserve the same attention in maintenance and monitoring. Collaboration between the private sector and authorities showed that it is possible to mitigate large-scale campaigns, but prevention, through updates, secure configuration and digital hygiene practices, remains the most effective defence against such threats.

If you want to dig deeper into the technical findings and have IoCs to check your environment against, see Microsoft's analysis here, the note by the United Kingdom's NCSC here, and the list of indicators published by Black Lotus Labs in this repository.
