Campaign
APT28 router DNS hijacking for credential theft
Updated 08.04.2026 13:03
Case score 56
Members 1
Latest activity 08.04.2026 13:03
First seen 07.04.2026 18:30
Last seen 07.04.2026 18:30
Overview
APT28 is abusing compromised SOHO routers and actor-controlled DNS infrastructure to redirect traffic through malicious servers and steal credentials from targeted organizations. The operation changes router DNS settings, including on TP-Link devices such as the WR841N, and one router model is associated with **CVE-2023-50224**. Available evidence says the infrastructure has been modified since 2024 and that related compromise patterns have been observed since at least August 2025.
After redirection, the actor uses adversary-in-the-middle interception against browser sessions and desktop applications to collect passwords and OAuth tokens. The UK **NCSC** warned on April 7, 2026, and the US **FBI** and **DoJ** later said they neutralized the US portion of the network across more than 23 states while working with ISPs to reset router DNS settings and remove the attacker-installed resolvers. Available evidence does not quantify the full victim set, but the activity remains a credential-theft risk wherever vulnerable routers still inherit malicious DNS settings.
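The hijack described above leaves two observable traces on the victim side: the router hands out resolver addresses the organization never configured, and those resolvers return answers for sensitive hostnames that point at adversary infrastructure instead of the real service. The following audit routine, an added example rather than anything from the NCSC or FBI material, checks both signals over a snapshot of a device's resolver list and its answers for a few canary domains. The allowlist, canary domains and all addresses are constructed sample values; a real deployment would collect the snapshot from the router's configuration or from endpoints behind it and compare against a trusted out-of-band resolver.

```python
"""Resolver-integrity audit for the router DNS hijacking pattern (added example).

Inputs are constructed so the check runs offline:
  * EXPECTED_RESOLVERS: resolvers the organization actually deploys (assumed)
  * CANARY_TRUSTED:     answers for canary hostnames obtained out-of-band (assumed)
  * DeviceSnapshot:     what a router or endpoint behind it currently reports
"""
from dataclasses import dataclass
import ipaddress

# Assumed allowlist of sanctioned resolvers (constructed, not from the report).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumed trusted A records for canary hostnames, collected over a channel the
# router cannot influence (e.g. DoH to a pinned resolver). Constructed values.
CANARY_TRUSTED = {
    "login.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.com": {"192.0.2.20"},
}


@dataclass
class DeviceSnapshot:
    name: str
    resolvers: list   # resolver IPs the device is configured to use
    answers: dict     # canary hostname -> set of A records those resolvers returned


def unexpected_resolvers(resolvers, allowlist=EXPECTED_RESOLVERS):
    """Return configured resolvers that are not on the allowlist, in order seen.

    Values that are not valid IP addresses are also returned: a router handing
    out garbage for its resolver field is worth a look on its own.
    """
    flagged = []
    for value in resolvers:
        if value in allowlist:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            pass  # unparsable; still flagged below
        flagged.append(value)
    return flagged


def divergent_answers(observed, trusted=CANARY_TRUSTED):
    """Compare observed canary answers with the trusted baseline.

    Returns {hostname: "redirected"} when the observed records share nothing
    with the trusted set (disjoint sets tolerate CDN round-robin, where a
    partial overlap is normal), and {hostname: "no-answer"} when the resolver
    returned nothing at all for a canary the baseline resolves.
    """
    findings = {}
    for hostname, expected in trusted.items():
        seen = set(observed.get(hostname, ()))
        if not seen:
            findings[hostname] = "no-answer"
        elif seen.isdisjoint(expected):
            findings[hostname] = "redirected"
    return findings


def audit(snapshot):
    """Combine both signals into one verdict for a device.

    "hijack-suspected": at least one canary answer diverges from the baseline.
    "review":           only the resolver list is off (could be a local change).
    "clean":            neither signal fired.
    """
    resolvers = unexpected_resolvers(snapshot.resolvers)
    answers = divergent_answers(snapshot.answers)
    if answers:
        verdict = "hijack-suspected"
    elif resolvers:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "device": snapshot.name,
        "verdict": verdict,
        "unexpected_resolvers": resolvers,
        "divergent_answers": answers,
    }


# Constructed snapshots: one healthy router and one showing the hijack pattern.
CLEAN = DeviceSnapshot(
    name="router-hq-01",
    resolvers=["10.0.0.53"],
    answers={"login.example.com": {"192.0.2.11"}, "mail.example.com": {"192.0.2.20"}},
)
HIJACKED = DeviceSnapshot(
    name="router-branch-07",
    resolvers=["203.0.113.53", "10.0.0.53"],  # foreign resolver inserted first
    answers={"login.example.com": {"198.51.100.7"}, "mail.example.com": {"192.0.2.20"}},
)

if __name__ == "__main__":
    for snap in (CLEAN, HIJACKED):
        print(audit(snap))
```

The answer comparison is the stronger of the two signals: a resolver that is merely unlisted may be a legitimate local change, but a canary hostname that resolves to an address sharing nothing with the trusted baseline is the direct precondition for the adversary-in-the-middle interception described in the overview, and is the finding to escalate.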