Russian state-sponsored threat actors, known as APT28 or Forest Blizzard, have been linked to a large-scale cyber espionage campaign that involves compromising insecure routers and repurposing them as malicious infrastructure.
The campaign, which has been ongoing since at least May 2025, targets MikroTik and TP-Link routers, exploiting vulnerabilities to gain control and modify their settings.
By hijacking the Domain Name System (DNS) settings of these routers, APT28 hackers can redirect users to fake websites, steal sensitive information, and conduct further malicious activities.
The exploitation of small office/home office (SOHO) routers is a significant concern, as it allows attackers to gain a foothold in targeted networks and potentially move laterally to compromise more sensitive systems.
Users are advised to ensure their routers are running the latest firmware and to change default passwords to prevent similar compromises.
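A host-side check for the DNS hijacking described above, added here as an example (it is not code from the article, from APT28 reporting, or from MikroTik or TP-Link). It shows two detection signals a defender can combine: whether the DNS servers the router hands out via DHCP are on an allowlist, and whether the router-provided resolver's answers for a few sentinel domains agree with those of an independent trusted resolver. The resolver addresses, sentinel domain names and DNS answers below are all constructed assumptions so that the script runs offline.

```python
"""Host-side check for router DNS hijacking (added example, not from the article).

Two independent signals:
  1. the DNS servers the router hands out via DHCP are compared against an
     allowlist the defender controls;
  2. for a few sentinel domains, the router-provided resolver's answers are
     compared with those of an independent trusted resolver.
Signal 2 matters because a hijacked router often still advertises itself
as the resolver (so signal 1 stays clean) while forwarding to a rogue
upstream. All data below is constructed so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumption: resolvers the defender expects this network to use.
EXPECTED_RESOLVERS: Set[str] = {"192.168.88.1", "1.1.1.1", "9.9.9.9"}

# Assumption: names with stable A records (CDN-backed names would legitimately differ).
SENTINEL_DOMAINS: List[str] = ["login.example.com", "mail.example.com", "bank.example.com"]

# A lookup takes (resolver_ip, name) and returns the set of A records,
# or None when the resolver gave no usable answer.
Lookup = Callable[[str, str], Optional[Set[str]]]


@dataclass(frozen=True)
class Finding:
    kind: str    # unexpected-resolver | malformed-resolver | divergent-answer | inconclusive
    detail: str


def check_resolvers(advertised: List[str], expected: Set[str] = EXPECTED_RESOLVERS) -> List[Finding]:
    """Flag DHCP-advertised DNS servers that are malformed or not on the allowlist."""
    findings: List[Finding] = []
    for ip in advertised:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding("malformed-resolver", ip))
            continue
        if ip not in expected:
            findings.append(Finding("unexpected-resolver", ip))
    return findings


def check_answers(router_resolver: str, trusted_resolver: str, lookup: Lookup,
                  domains: List[str] = SENTINEL_DOMAINS) -> List[Finding]:
    """Compare sentinel answers; a missing answer is reported as inconclusive, not as a hijack."""
    findings: List[Finding] = []
    for name in domains:
        from_router = lookup(router_resolver, name)
        from_trusted = lookup(trusted_resolver, name)
        if from_router is None or from_trusted is None:
            findings.append(Finding("inconclusive", f"{name}: no answer from one resolver"))
            continue
        if from_router != from_trusted:
            findings.append(Finding("divergent-answer",
                                    f"{name}: router={sorted(from_router)} trusted={sorted(from_trusted)}"))
    return findings


# Constructed sample data (RFC 5737 documentation addresses): the router
# 192.168.88.1 is still the advertised resolver, but it now answers
# login.example.com with a different address than the trusted resolver and
# returns nothing for bank.example.com.
CONSTRUCTED_ANSWERS: Dict[Tuple[str, str], Set[str]] = {
    ("192.168.88.1", "login.example.com"): {"198.51.100.20"},
    ("192.168.88.1", "mail.example.com"): {"203.0.113.30"},
    ("9.9.9.9", "login.example.com"): {"203.0.113.20"},
    ("9.9.9.9", "mail.example.com"): {"203.0.113.30"},
    ("9.9.9.9", "bank.example.com"): {"203.0.113.40"},
}


def constructed_lookup(resolver: str, name: str) -> Optional[Set[str]]:
    """Stand-in for a real DNS query; returns None when the sample has no record."""
    return CONSTRUCTED_ANSWERS.get((resolver, name))


def audit(advertised: List[str], trusted_resolver: str = "9.9.9.9",
          lookup: Lookup = constructed_lookup) -> List[Finding]:
    """Run both checks over every well-formed advertised resolver and return all findings."""
    findings = check_resolvers(advertised)
    malformed = {f.detail for f in findings if f.kind == "malformed-resolver"}
    for ip in advertised:
        if ip in malformed:
            continue
        findings.extend(check_answers(ip, trusted_resolver, lookup))
    return findings


if __name__ == "__main__":
    for f in audit(["192.168.88.1"]):
        print(f"{f.kind}: {f.detail}")
```

In a real deployment `constructed_lookup` would be replaced by actual queries to each resolver. Note that the allowlist check alone would pass in the sample, because the router is still the advertised resolver; only the answer comparison exposes that its upstream has been changed. Treat a divergent answer as a lead rather than proof, since names served by CDNs legitimately resolve differently depending on the resolver's location, and a missing answer is reported as inconclusive rather than as a hijack.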
