
APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign · Happening score 49 · 1 unique source, 1 article

Summary


A multinational disruption effort has taken down FrostArmada, an APT28 campaign that hijacked router DNS settings to steal Microsoft account credentials and OAuth tokens. The operation abused MikroTik and TP-Link routers, then funneled authentication traffic through attacker-controlled VPS nodes for adversary-in-the-middle (AitM) credential collection. At its peak in December 2025, it had infected 18,000 devices across 120 countries and targeted government, law enforcement, IT, hosting, and self-hosted server operators.

Related Happenings

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Brazilian ISP botnet DDoS campaign

Campaign
First: 30.04.2026 17:04 Last: 30.04.2026 17:04 Sources 1

About this happening: The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...

China-nexus hijacked-device proxy network campaign

Campaign
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Operation PowerOff DDoS-for-hire takedown

Law Enforcement
First: 17.04.2026 09:40 Last: 17.04.2026 09:40 Sources 1

About this happening: Europol and partners in 21 countries carried out Operation PowerOff, disrupting a DDoS-for-hire/booter-service ecosystem. The coordinated action took down 53 domains, seized infra...

Latest development: 17.04.2026 14:30

Europol-led Operation PowerOff involved police and cybersecurity agencies from 21 countries and disrupted DDoS-for-hire infrastructure by taking down 53 domains, seizing databases linked to over three million criminal user accounts, removing over 100 advertising URLs, and arresting four people suspected of providing DDoS-for-hire services.

Timeline

  1. 07.04.2026 18:51 2 articles · 1mo ago

    FrostArmada disruption and router DNS hijack disclosure

    Initial Disclosure

    Law enforcement and private-sector partners disrupted FrostArmada, an APT28 campaign that compromised internet-exposed MikroTik and TP-Link routers, rewrote DNS settings to attacker-controlled VPS resolvers, and used adversary-in-the-middle proxies to steal Microsoft logins and OAuth tokens. The campaign targeted Microsoft 365-related domains and had reached 18,000 infected devices across 120 countries at its December 2025 peak before the offending infrastructure was taken offline.
