APT28 router DNS hijacking for credential theft

APT28 is abusing compromised SOHO routers and actor-controlled DNS infrastructure to redirect traffic through malicious servers and steal credentials from targeted organizations. The operation changes router DNS settings, including on TP-Link devices such as the WR841N, and one router model is associated with **CVE-2023-50224**. Available evidence says the infrastructure has been modified since 2024 and related compromise patterns were seen since at least August 2025. After redirection, the actor uses adversary-in-the-middle interception against browser sessions and desktop applications to collect passwords and OAuth tokens. The UK **NCSC** warned on April 7, 2026, and the US **FBI** and **DoJ** later said they neutralized the US portion of the network across more than 23 states while working with ISPs to reset router DNS settings and remove the attacker-installed resolvers. Available evidence does not quantify the full victim set, but the activity remains a credential-theft risk wherever vulnerable routers still inherit malicious DNS settings.