Find notable cyber news and cases, enriched with sources, timelines, and signals.

APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

A multinational disruption effort has taken down FrostArmada, an APT28 campaign that hijacked router DNS settings to steal Microsoft account credentials and OAuth tokens. The operation abused MikroTik and TP-Link routers, then funneled authentication traffic through attacker-controlled VPS nodes for adversary-in-the-middle (AitM) collection. At its peak in December 2025, it infected 18,000 devices across 120 countries and targeted government, law enforcement, IT, hosting, and self-hosted server operators.

Related Happenings

Operation Endgame takedown of SocGholish and Evil Corp infrastructure

Law Enforcement
H score58 First: 18.06.2026 16:25 Last: 18.06.2026 16:25 Sources 1

About this happening: **International law enforcement** disrupted **SocGholish/FakeUpdates** infrastructure in **Operation Endgame** on **June 18**, cleaning **14,971 compromised WordPress websites** a...

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
H score28 First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Brazilian ISP botnet DDoS campaign

Campaign
H score36 First: 30.04.2026 17:04 Last: 30.04.2026 17:04 Sources 1

About this happening: The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...

China-nexus hijacked-device proxy network campaign

Campaign
H score43 First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
H score27 First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Timeline

  1. 07.04.2026 18:51 2 articles · 3mo ago

    FrostArmada disruption and router DNS hijack disclosure

    Initial Disclosure

    Law enforcement and private-sector partners disrupted FrostArmada, an APT28 campaign that compromised internet-exposed MikroTik and TP-Link routers, rewrote DNS settings to attacker-controlled VPS resolvers, and used adversary-in-the-middle proxies to steal Microsoft logins and OAuth tokens. The campaign targeted Microsoft 365-related domains and had reached 18,000 infected devices across 120 countries at its December 2025 peak before the offending infrastructure was taken offline.

    Show sources