FrostMarina the global espionage that turned domestic routers into entrance doors to government networks


In recent months, a large-scale cyber-espionage operation has come to light that took advantage of poorly protected home and small-office routers to "reconnoitre from inside" networks of political and administrative interest. The campaign, which researchers have traced back to at least May 2025 and which escalated in August, turned devices from brands such as MikroTik and TP-Link into entry points that redirected DNS traffic to servers controlled by the attackers.

The actor responsible has been linked to APT28, also known in some reports as Forest Blizzard and tracked in subgroups such as Storm-2754, a collective with a history of operations aimed at government and intelligence targets. Technical reports and press notes from security intelligence teams explain that the attackers obtained remote administrative access to vulnerable SOHO devices and changed their network configuration to force the use of DNS resolvers under their control. By tampering with that resolution, they could redirect legitimate requests, including webmail pages, to nodes acting as malicious intermediaries and capture credentials, tokens and other sensitive information with no apparent user interaction.

Image generated with AI.

Public analysis and infrastructure monitoring revealed a significant scope: at its peak, in December 2025, more than 18,000 unique IP addresses in at least 120 countries communicated with the campaign's servers, which some research teams named FrostMarina. The targets included ministries of foreign affairs, security forces and third-party mail and cloud services in regions as diverse as North Africa, Central America, South-East Asia and Europe. Microsoft and other intelligence teams have identified hundreds of affected organizations and thousands of consumer devices compromised by the malicious infrastructure.

The technical mechanism behind the campaign is simple in concept and dangerous in its effectiveness: with control of DNS resolution at the edge of the network, the attacker decides which IP address answers a name query and can steer the victim to its own infrastructure to attempt adversary-in-the-middle (AiTM) attacks. This position not only facilitates the theft of passwords and OAuth tokens, but also lets the attacker observe communication patterns, select high-value victims and, should they choose to escalate, deploy malware or disrupt services.

In several cases, researchers found that TP-Link WR841N routers had been exploited through an authentication bypass vulnerability identified as CVE-2023-50224, which allows stored credentials to be extracted by means of specially crafted HTTP requests. Activity involving MikroTik routers was also reported in specific locations, suggesting that the operation combined automated scanning with more targeted, interactive actions against targets of greater interest.

The nature of the campaign has been described by authorities and response centres as partly opportunistic: attackers gain visibility from a wide base of compromised devices and gradually filter it to isolate users and organizations of intelligence value. This approach lends itself to operating at scale, because many home and small-office routers run with default settings, weak passwords or outdated firmware, and they often escape the scrutiny of corporate security teams.

The international response was not long in coming: the infrastructure used by the actor was taken down as part of a joint operation with US authorities and international partners. Such interventions aim to cut off the exfiltration channels and expose the activity, but the underlying lesson remains: corporate networks and critical accounts can be compromised through peripheral, unmanaged devices that appear harmless.

To better understand who is behind the campaign and what techniques they use, refer to technical analyses and open reference resources. MITRE documents the history and tactics of APT28 in its ATT&CK knowledge base (group G0007), while the description of the flaw that enables credential extraction is available in the public vulnerability databases (CVE-2023-50224). Industry research teams such as Lumen Black Lotus Labs and corporate security blogs have been publishing reports and analysis on router campaigns and DNS hijacking; for context on threats and responses, the official pages of organizations such as the United Kingdom's NCSC, CISA's Shields Up initiative and Microsoft's security blog are useful resources for following recommendations and public alerts.

Image generated with AI.

The operational and political implications are significant. A state or quasi-state actor that gains passive visibility into mail traffic, access to administrative panels or communications from ministries obtains a low-cost and hard-to-detect source of intelligence. This type of access could be used purely for collection, as has been observed so far, but the same AiTM position could, if desired, be used to introduce malicious payloads, interfere with services or pivot towards better-protected internal networks.

If you work in an organization that depends on the security of corporate accounts or cloud services, or if you manage home networks with equipment that offers remote access, there are practical measures that help reduce the risk: keep router firmware up to date, change default credentials and disable remote administration when it is not strictly necessary; use trusted DNS resolvers and validate any unexpected change in router configuration; apply multi-factor authentication on critical services and monitor for unusual sign-in behaviour. Authorities and vendors publish specific guidance that should be followed and applied as a priority on exposed infrastructure.
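As an added example (not code from the original article or from any of the research teams it cites), the following Python implements two of the defensive checks the preceding paragraph recommends against the DNS-hijack mechanism described earlier: flagging resolver addresses in a router's DNS settings that are not on an allowlist, and comparing answers obtained through the router's resolver with answers obtained out of band from a trusted resolver. The allowlist, hostnames, addresses and networks are constructed values; an organization substitutes its own.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Resolvers the edge routers are expected to hand out or forward to.
# Constructed allowlist for this example (well-known public resolvers).
EXPECTED_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "9.9.9.9"}


def unexpected_resolvers(configured: Iterable[str],
                         allowlist: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Return entries from a router's DNS server settings that are not on the
    allowlist. A silently added or replaced resolver is the symptom of the
    router-level DNS hijack described above."""
    bad = []
    for entry in configured:
        try:
            ip = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            bad.append(entry)  # non-address junk in a resolver field is suspicious too
            continue
        if ip not in allowlist:
            bad.append(ip)
    return sorted(set(bad))


def divergent_answers(via_router: Dict[str, Set[str]],
                      via_trusted: Dict[str, Set[str]],
                      known_good_nets: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Compare A records for monitored hostnames as seen through the router's
    resolver with those fetched out of band (for example over DNS-over-HTTPS
    to a trusted resolver). A hostname is flagged when the two answer sets
    share no address and the router's answers fall outside the hostname's
    known-good networks. The second condition avoids false positives for
    CDN-fronted names, which legitimately return varying addresses."""
    known_good_nets = known_good_nets or {}
    flagged = []
    for host, router_ips in via_router.items():
        if router_ips & via_trusted.get(host, set()):
            continue  # at least one address agrees: no hijack indication
        nets = [ipaddress.ip_network(n) for n in known_good_nets.get(host, [])]
        inside = all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in router_ips)
        if nets and inside:
            continue  # different address, but still within the expected network
        flagged.append(host)  # disjoint answers (or an empty router answer): investigate
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed sample data: one rogue resolver and one redirected webmail host.
    print(unexpected_resolvers(["1.1.1.1", "198.51.100.7"]))
    print(divergent_answers({"mail.example.gov": {"203.0.113.9"}},
                            {"mail.example.gov": {"192.0.2.10", "192.0.2.11"}}))
```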

This case again highlights an increasingly clear reality: security neither starts nor ends at the company's traditional perimeter. "Small" devices in the hands of users or satellite offices can become espionage amplifiers if they are not managed with basic security practices. Paying attention to security advisories, patching and reducing the attack surface are actions that, together, greatly raise the cost for an attacker and can prevent an operation like this from succeeding.
