
TP-Link router password-spraying campaign by Chinese state-sponsored groups

Campaign
Happening score: 33
1 unique source, 1 article

Summary


A multi-actor password-spraying campaign has used compromised TP-Link SOHO routers as infrastructure to target Microsoft accounts, extending the risk of account abuse across a reusable network. The activity has been linked to multiple distinct Chinese state-sponsored hacking groups and has been observed since 2021.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 · Last: 23.04.2026 15:28 · Sources: 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

APT28 SOHO router DNS hijacking and credential theft campaign

Campaign
First: 07.04.2026 18:30 · Last: 07.04.2026 18:30 · Sources: 1

About this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...

Latest development: 08.04.2026 13:03

On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

U.S. Department of Commerce and supporting federal agencies back a proposed ban on future sales of TP-Link devices in the United States, reported on 2025-11-09

Public Sector Action
First: 09.11.2025 20:14 · Last: 09.11.2025 20:14 · Sources: 1

How related: The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States.

About this happening: The **U.S. government** is backing a **proposed ban** on future sales of **TP-Link** wireless routers and networking gear in the **United States**, a move that could affect device...

UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms

Campaign
First: 24.09.2025 17:33 · Last: 24.09.2025 17:33 · Sources: 1

About this happening: **UNC5221** is running a **BRICKSTORM** espionage campaign that has maintained access in victim networks for an average of **393 days** and has been active since **March 2025**. G...

RedNovember (Storm-2077) public-PoC espionage campaign

Campaign
First: 24.09.2025 04:00 · Last: 24.09.2025 04:00 · Sources: 1

About this happening: **RedNovember** is a suspected **Chinese state-sponsored** campaign also tracked as **Storm-2077** that targeted **perimeter appliances** of high-profile organizations globally be...

Timeline

  1. 09.11.2025 20:14 2 articles · 6mo ago

    Initial report: TP-Link router password-spraying campaign by Chinese state-sponsored groups

    Initial Disclosure

    The earliest observed phase used **compromised TP-Link SOHO routers** as the infrastructure base for **password-spraying** attempts. By **2021**, that network was already being abused by **multiple Chinese state-sponsored hacking groups**.
