APT28 DNS hijacking campaigns via compromised SOHO routers observed in 2025–2026 targeting credential theft
Summary
APT28 (Fancy Bear/Forest Blizzard), attributed to Russia's GRU unit GTsSS Military Unit 26165, has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers, primarily older TP-Link (notably the WR841N) and MikroTik models, and changing their DHCP DNS settings so that downstream devices resolve names through attacker-controlled DNS servers. The campaign peaked in December 2025 at over 18,000 compromised networks, including 200 organizations and 5,000 consumer devices, and was used to pursue government agencies such as ministries of foreign affairs, law enforcement bodies, and third-party email providers. The TP-Link WR841N was likely exploited via CVE-2023-50224, an unauthenticated information disclosure flaw that leaks the router's credentials in response to a crafted HTTP GET request; no malware is installed on the router, only its DNS configuration is changed. With name resolution under its control, APT28 ran adversary-in-the-middle (AiTM) attacks against browser sessions and desktop applications to harvest credentials for web and email services. The group operates a persistent pool of VPSs repurposed as malicious DNS servers that receive the DNS queries from hijacked routers and let it triage victims opportunistically for high-value targets. Microsoft reported that this is the first time APT28 has used DNS hijacking at scale to support AiTM attacks on TLS connections to Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after the user had completed MFA.
Timeline
- 07.04.2026 18:30 · 2 articles
APT28 DNS hijacking campaigns via compromised SOHO routers observed since August 2025 with credential theft focus
APT28 (GRU GTsSS Military Unit 26165) has compromised small office/home office routers, primarily TP-Link WR841N units, since at least August 2025, modifying their DHCP DNS settings so that downstream devices resolve names through attacker-controlled DNS servers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve the routers' credentials; the hijacked resolution was then used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers that receive DNS requests from exploited routers, enabling opportunistic triage to identify high-value targets. New details from this article: the campaign peaked in December 2025, compromising over 18,000 networks including 200 organizations and 5,000 consumer devices, primarily through older MikroTik and TP-Link SOHO routers. The group targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. APT28 exploited unsupported or outdated routers without installing malware, using known vulnerabilities to modify DNS settings and then intercepting OAuth authentication tokens from Microsoft Office users after successful MFA authentication. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains.
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
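The DHCP-level hijack described in the entry above is visible on the LAN: every DHCP OFFER or ACK the router sends carries its resolver list in option 6, and downstream devices simply inherit it. The script below is an added example, not code from this page or from the NCSC or Microsoft reporting. It parses a captured DHCP payload (the UDP payload, as tcpdump or a pcap library would hand it over), extracts options 53, 3 and 6, and flags resolvers that are neither on the site's allowlist nor inside the LAN, which is exactly the change the advisory describes. The packets, the 192.168.0.0/24 LAN, the allowlist and the 203.0.113.10 resolver are constructed for the example; 203.0.113.10 is an RFC 5737 documentation address, not an indicator from the reporting.

```python
"""Audit DHCP OFFER/ACK payloads for DNS servers (option 6) that a SOHO router should not be handing out."""
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
MSG_TYPES = {2: "OFFER", 5: "ACK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a raw BOOTP/DHCP message (UDP payload, no IP/UDP headers)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short payload or missing magic cookie")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value  # duplicate option codes: last occurrence wins
        i += 2 + length
    return options


def ipv4_list(raw: bytes) -> list:
    """Decode an option value that is a list of IPv4 addresses (options 3 and 6)."""
    if len(raw) % 4:
        raise ValueError("IPv4 address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def audit_dhcp_offer(payload: bytes, allowed_resolvers: set, lan_cidr: str) -> dict:
    """Report resolvers in option 6 that are not sanctioned; an off-LAN, unsanctioned resolver raises the alert."""
    options = parse_dhcp_options(payload)
    msg_type = MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "OTHER")
    dns_servers = ipv4_list(options.get(OPT_DNS, b""))
    lan = ipaddress.ip_network(lan_cidr)
    unexpected = [ip for ip in dns_servers if ip not in allowed_resolvers]
    # A router that starts advertising a resolver outside its own LAN is the hijack pattern in the advisory.
    external = [ip for ip in unexpected if ipaddress.ip_address(ip) not in lan]
    return {
        "msg_type": msg_type,
        "router": ipv4_list(options.get(OPT_ROUTER, b"")),
        "dns": dns_servers,
        "unexpected": unexpected,
        "external": external,
        "alert": bool(external),
    }


def build_dhcp_reply(yiaddr: str, router: str, dns_servers: list, msg_type: int = 2) -> bytes:
    """Construct a minimal BOOTREPLY carrying options 53, 3 and 6 (test data only, not a captured packet)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0,                # xid, secs, flags
        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
    ) + bytes(16) + bytes(64) + bytes(128)  # chaddr, sname, file
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options = (
        bytes([OPT_MSG_TYPE, 1, msg_type])
        + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
        + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC_COOKIE + options


# Constructed samples: a healthy router hands out itself as the resolver; a hijacked one adds an
# off-LAN address. 203.0.113.10 is an RFC 5737 documentation address, not a real indicator.
LAN = "192.168.0.0/24"
ALLOWED_RESOLVERS = {"192.168.0.1"}
CLEAN_OFFER = build_dhcp_reply("192.168.0.50", "192.168.0.1", ["192.168.0.1"])
HIJACKED_OFFER = build_dhcp_reply("192.168.0.50", "192.168.0.1", ["203.0.113.10", "192.168.0.1"])

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_OFFER), ("hijacked", HIJACKED_OFFER)):
        print(name, audit_dhcp_offer(pkt, ALLOWED_RESOLVERS, LAN))
```

One caveat: this check only sees what the router advertises to clients. If an attacker instead leaves option 6 pointing at the router itself and changes the router's upstream forwarders, the offer looks clean, so pair this with a periodic comparison of the answers your LAN resolver gives for your mail and identity domains against a trusted reference resolver.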
Information Snippets
- APT28 (GRU GTsSS Military Unit 26165) has operated DNS hijacking campaigns since at least August 2025 by compromising SOHO routers, primarily TP-Link WR841N models, to redirect traffic through attacker-controlled DNS servers.
First reported: 07.04.2026 18:30 · 2 sources, 2 articles
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- Compromised routers' DHCP DNS settings are modified to include actor-owned IP addresses, inherited by downstream devices, resulting in DNS resolution via malicious resolvers controlled by APT28.
First reported: 07.04.2026 18:30 · 2 sources, 2 articles
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- At least one exploited router model, TP-Link WR841N, was likely compromised using CVE-2023-50224, an unauthenticated information disclosure vulnerability enabling retrieval of credentials via crafted HTTP GET requests.
First reported: 07.04.2026 18:30 · 2 sources, 2 articles
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- APT28 leverages a persistent infrastructure of VPSs repurposed as malicious DNS servers, actively modified since 2024 to receive high volumes of DNS requests from exploited routers.
First reported: 07.04.2026 18:30 · 2 sources, 2 articles
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- NCSC assesses the initial DNS hijacking operations as opportunistic, with APT28 filtering potential targets through successive stages to identify systems of likely intelligence value.
First reported: 07.04.2026 18:30 · 2 sources, 2 articles
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- Credentials harvested via adversary-in-the-middle attacks against browser sessions and desktop applications include passwords, OAuth tokens, and session data for web and email services.
First reported: 07.04.2026 18:30 · 2 sources, 2 articles
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- Subsequent unauthorized logins using stolen credentials may originate from infrastructure not covered in the NCSC advisory, meaning the advisory's listed malicious DNS servers do not cover the infrastructure used for follow-on account access.
First reported: 07.04.2026 18:30 · 1 source, 1 article
- Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns — www.infosecurity-magazine.com — 07.04.2026 18:30
- APT28 (Forest Blizzard) compromised over 18,000 networks, including 200 organizations and 5,000 consumer devices, primarily using older MikroTik and TP-Link SOHO routers in a mass DNS hijacking campaign.
First reported: 07.04.2026 20:02 · 1 source, 1 article
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- The campaign peaked in December 2025, targeting government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers.
First reported: 07.04.2026 20:02 · 1 source, 1 article
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- APT28 exploited unsupported or outdated routers without installing malware, instead using known vulnerabilities to modify DNS settings and intercept OAuth authentication tokens from Microsoft Office users after successful MFA authentication.
First reported: 07.04.2026 20:02 · 1 source, 1 article
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support adversary-in-the-middle attacks on TLS connections against Microsoft Outlook on the web domains.
First reported: 07.04.2026 20:02 · 1 source, 1 article
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- Lumen's Black Lotus Labs observed APT28 switch from malware-based control of a smaller set of routers to mass DNS setting alterations immediately following an NCSC advisory in August 2025.
First reported: 07.04.2026 20:02 · 1 source, 1 article
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
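Two of the snippets above matter for the defender: the stolen material is an OAuth token captured after the user completed MFA, and the follow-on sign-ins come from infrastructure the advisory does not list, so hunting on the published resolver addresses alone misses them. A behavioural check works instead: after a user completes an interactive MFA sign-in, any further sign-in that reuses the same session from a different IP address or autonomous system inside a short window is a candidate for token replay. The script below is an added example, not code from this page or from Microsoft. It runs that check over constructed records modelled loosely on Entra ID sign-in log fields; the field names, the use of a session identifier to correlate records, the users, the ASNs (64496 to 64511 are reserved for documentation) and the RFC 5737 IP addresses are all assumptions of the example, and the indicator list is a fictitious placeholder for an advisory's published addresses.

```python
"""Hunt for token replay after an MFA sign-in: same user session, different network, short window."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA = "multiFactorAuthentication"
SFA = "singleFactorAuthentication"


def _rec(user, when, ip, asn, interactive, requirement, session_id):
    # Simplified record; field names follow Entra ID sign-in logs loosely and are an assumption of this example.
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "autonomousSystemNumber": asn, "isInteractive": interactive,
            "authenticationRequirement": requirement, "sessionId": session_id}


# Constructed sample. IPs are RFC 5737 documentation ranges; users and ASNs are fictitious. alice's third
# record is the pattern to catch: a non-interactive sign-in reusing her MFA session from a different
# network about 17 minutes later. bob is benign; carol's replay IP happens to be on the indicator list.
SAMPLE_SIGNINS = [
    _rec("alice@example.gov", "2025-12-03T08:02:11Z", "192.0.2.25", 64496, True, MFA, "s-alice-1"),
    _rec("alice@example.gov", "2025-12-03T08:02:40Z", "192.0.2.25", 64496, False, SFA, "s-alice-1"),
    _rec("alice@example.gov", "2025-12-03T08:19:05Z", "203.0.113.77", 64511, False, SFA, "s-alice-1"),
    _rec("bob@example.gov", "2025-12-03T09:00:00Z", "192.0.2.30", 64496, True, MFA, "s-bob-1"),
    _rec("bob@example.gov", "2025-12-03T09:45:12Z", "192.0.2.30", 64496, False, SFA, "s-bob-1"),
    _rec("carol@example.gov", "2025-12-03T09:00:00Z", "192.0.2.40", 64496, True, MFA, "s-carol-1"),
    _rec("carol@example.gov", "2025-12-03T09:05:30Z", "198.51.100.9", 64496, False, SFA, "s-carol-1"),
]
# Placeholder indicator list standing in for an advisory's published addresses (fictitious).
KNOWN_BAD_IPS = frozenset({"198.51.100.9"})


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(signins, window=timedelta(hours=24), known_bad_ips=frozenset()):
    """Return one finding per sign-in that reuses an MFA-established session from a new IP or ASN."""
    sessions = defaultdict(list)
    for rec in signins:
        sessions[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (user, session_id), recs in sessions.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        # The anchor is the first interactive sign-in that satisfied MFA; later records ride on that session.
        anchor = next((r for r in recs if r["isInteractive"] and r["authenticationRequirement"] == MFA), None)
        if anchor is None:
            continue
        for rec in recs:
            elapsed = _ts(rec["createdDateTime"]) - _ts(anchor["createdDateTime"])
            if rec is anchor or elapsed < timedelta(0) or elapsed > window:
                continue
            asn_changed = rec["autonomousSystemNumber"] != anchor["autonomousSystemNumber"]
            ip_changed = rec["ipAddress"] != anchor["ipAddress"]
            if not (asn_changed or ip_changed):
                continue
            findings.append({
                "user": user,
                "sessionId": session_id,
                "anchor_ip": anchor["ipAddress"],
                "replay_ip": rec["ipAddress"],
                "minutes_after_mfa": round(elapsed.total_seconds() / 60, 1),
                "reason": "asn_change" if asn_changed else "ip_change",
                # Indicator matching is secondary: the behavioural signal fires even when the IP is unknown.
                "ioc_match": rec["ipAddress"] in known_bad_ips,
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_SIGNINS, known_bad_ips=KNOWN_BAD_IPS):
        print(finding)
```

Treat the output as a triage queue rather than proof: users on mobile networks change IP address legitimately, so an ASN change shortly after MFA is the stronger signal, and a hit should lead to token revocation and a check of the user's home or branch router rather than to an automatic lockout.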
Similar Happenings
Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS
A rapidly escalating device code phishing campaign continues to target Microsoft 365 accounts across at least 340 organizations in multiple countries since mid-February 2026, with attacks surging 37.5 times in early 2026 compared to baseline levels at the start of March. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, primarily via the EvilTokens PhaaS platform and at least 10 other competing phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE). These attacks now incorporate advanced features such as anti-bot evasion techniques, multi-hop redirect chains leveraging legitimate vendor services, and SaaS-themed lures impersonating business content (e.g., DocuSign, SharePoint, Adobe Acrobat). The EvilTokens platform, sold over Telegram, has democratized device code phishing, enabling low-skilled cybercriminals to execute attacks that grant persistent access to victim accounts, including email, files, Teams data, and SSO impersonation capabilities. The campaign’s global reach extends to at least 10 countries, with sectors including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government being targeted. Mitigation efforts focus on disabling the device code flow via conditional access policies and monitoring for anomalous authentication events.
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery
Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group. DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. DKnife also monitors WeChat activity in detail, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.
Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector
Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.
Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks
Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. These groups have led to physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat they pose. Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026, which require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.
Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users
A coordinated, state-sponsored phishing campaign continues to target high-value individuals via Signal and WhatsApp, now with confirmed involvement from Russian Intelligence Services-affiliated groups and additional threat actors linked to the FSB, China’s APT31, and Iran’s IRGC. The FBI has directly attributed the campaign to Russian Intelligence Services-affiliated actors, confirming the compromise of thousands of accounts globally and emphasizing that the attacks primarily target high-value individuals such as current and former U.S. government officials, military personnel, political figures, and journalists. The campaign bypasses end-to-end encryption by hijacking accounts through sophisticated social engineering, including impersonating support services and tricking users into sharing verification codes or scanning malicious QR codes to link attacker-controlled devices to accounts. Recent advisories from the NCSC and Dutch intelligence agencies highlight an increase in activity targeting high-risk individuals across government, academia, journalism, and the legal profession. Attackers gain access to private messages, contact lists, and group chats, enabling them to impersonate victims and launch further phishing campaigns. Both Signal and WhatsApp users are advised to regularly review linked devices, avoid sharing verification codes, and enable multi-factor authentication to mitigate risks. Russia-aligned threat clusters such as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185) have been associated with similar tactics, and the FBI’s attribution underscores the state-sponsored nature of these operations targeting sensitive communications. French authorities and the UK’s NCSC have also warned of a surge in similar campaigns targeting government officials, journalists, and business leaders.