
"Their technique modified DNS settings on compromised routers to hijack local network traffic to capture and exfiltrate authentication credentials," Black Lotus Labs said in a report shared with The Hacker News.
"When targeted domains were requested by a user, the actor redirected traffic to an attacker-in-the-middle (AitM) node, where those credentials were harvested and exfiltrated. This approach enabled a nearly invisible attack that required no interaction from the end user."
"The infrastructure associated with the campaign has been disrupted and taken offline as part of a joint operation in collaboration with the U.S. Department of Justice, Federal Bureau of Investigation, and other international partners."
APT28, a Russia-linked threat actor, has been running a large-scale DNS-hijacking campaign, codenamed FrostArmada, against insecure MikroTik and TP-Link routers since May 2025, targeting government agencies and service providers across several regions. The actor modifies the DNS settings of compromised routers so that requests for targeted domains are redirected to an attacker-in-the-middle (AitM) node, where authentication credentials are harvested and exfiltrated without any interaction from the end user. The infrastructure has since been disrupted by a joint operation with the U.S. Department of Justice, the FBI and international partners; the campaign peaked in December 2025 with more than 18,000 unique IP addresses involved.
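A practical way to spot this class of router-level DNS hijack is to resolve a watchlist of sensitive names twice, once through the LAN resolver (normally the router) and once through an independent resolver, and flag names whose LAN answer diverges in a suspicious way. The check below is an added example written for this page; it is not code from Black Lotus Labs, The Hacker News or the FrostArmada report, and it does not claim to reproduce the actor's exact configuration changes. All addresses and names are constructed sample data, the per-domain allowlist of expected networks is an assumed operator-maintained input, and the "one address answering many unrelated names" heuristic is a generic AitM indicator, not a documented FrostArmada signature.

```python
"""Compare LAN-resolver answers against a reference resolver to detect
domain-selective DNS hijacking. Stand-alone: no network access is made."""
import ipaddress
from collections import defaultdict

# Constructed sample data (not real observations). LAN_ANSWERS is what the
# router's resolver returned; REF_ANSWERS is what an independent resolver
# returned for the same names.
LAN_ANSWERS = {
    "mail.example.gov": ["203.0.113.7"],
    "sso.example.net":  ["203.0.113.7"],      # same node as mail.example.gov
    "vpn.example.org":  ["192.168.88.1"],     # public name answered with a LAN address
    "www.example.org":  ["198.51.100.20"],    # agrees with reference
    "cdn.example.com":  ["192.0.2.44"],       # CDN edge differs, but inside known net
}
REF_ANSWERS = {
    "mail.example.gov": ["198.51.100.10"],
    "sso.example.net":  ["198.51.100.11"],
    "vpn.example.org":  ["198.51.100.12"],
    "www.example.org":  ["198.51.100.20"],
    "cdn.example.com":  ["192.0.2.45"],
}
# Assumed operator-maintained allowlist of networks a name may legitimately
# resolve into; suppresses CDN/anycast divergence between resolvers.
EXPECTED_NETS = {"cdn.example.com": ["192.0.2.0/24"]}

# Ranges that should never answer a public name on the LAN path.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_bogon(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def in_expected(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_hijacked(lan, ref, expected=None, shared_threshold=2):
    """Return {domain: [(lan_ip, [reasons]), ...]} for suspicious answers.

    An answer is suspicious when it differs from the reference resolver and
    is not inside the domain's expected networks. Extra reasons are attached
    when the address is a bogon or when the same address also answers other
    watchlisted names (the pattern of a single AitM node fronting many targets).
    """
    expected = expected or {}
    ip_to_domains = defaultdict(set)
    for domain, ips in lan.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)

    findings = {}
    for domain, lan_ips in lan.items():
        ref_ips = set(ref.get(domain, []))
        for ip in lan_ips:
            if ip in ref_ips or in_expected(ip, expected.get(domain, [])):
                continue
            reasons = ["differs from reference resolver (%s)"
                       % (", ".join(sorted(ref_ips)) or "no answer")]
            if is_bogon(ip):
                reasons.append("private/link-local address for a public name")
            shared = ip_to_domains[ip] - {domain}
            if len(ip_to_domains[ip]) >= shared_threshold:
                reasons.append("same address also answers %s"
                               % ", ".join(sorted(shared)))
            findings.setdefault(domain, []).append((ip, reasons))
    return findings


if __name__ == "__main__":
    for domain, hits in find_hijacked(LAN_ANSWERS, REF_ANSWERS, EXPECTED_NETS).items():
        for ip, reasons in hits:
            print(f"{domain} -> {ip}: " + "; ".join(reasons))
```

In use, `LAN_ANSWERS` would be filled by querying the router's resolver directly (for example `dig @<router-ip> <name>`), and `REF_ANSWERS` by querying an independent resolver over an encrypted transport (DoH or DoT) so the comparison path cannot itself be redirected by the same compromised router. A mismatch is a lead, not proof: a positive should be followed by inspecting the router's DNS configuration and the certificate presented by the host at the LAN-returned address.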
Read at The Hacker News