
APT28 SOHO router DNS hijacking and credential theft campaign

Type: Campaign
Happening score: 56
1 unique source, 2 articles

Summary


APT28 is running two campaigns that abuse vulnerable SOHO routers and attacker-controlled DNS/VPS infrastructure to redirect victim traffic and steal credentials. Routing browser sessions and other connections through malicious servers creates adversary-in-the-middle (AitM) risk for targeted organizations. The router activity has been observed since 2024; the related VPS infrastructure has been in use since at least August 2025.


Timeline

  1. 08.04.2026 13:03 · 1 article

    FBI and DoJ neutralize APT28 router DNS hijacking network

    Mitigation Patch Update

    On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

  2. 07.04.2026 18:30 · 1 article

    APT28 router DNS hijacking warning

    Initial Disclosure

    On April 7, 2026, the UK's National Cyber Security Centre (NCSC) warned that APT28 was abusing vulnerable and compromised SOHO routers, including TP-Link WR841N devices, by changing their DHCP DNS settings to actor-owned IP addresses, so that clients' DNS requests were answered by attacker-controlled VPS/DNS servers. The advisory said the infrastructure linked to both campaigns had been actively modified by APT28 since 2024, and Microsoft Threat Intelligence separately said APT28 and Storm-2754 had been compromising VPS servers to exploit SOHO routers since at least August 2025. The setup enabled adversary-in-the-middle (AitM) interception of browser sessions and desktop applications to steal passwords, OAuth tokens, and other credentials from targeted organizations.

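As an added illustration (not code from the page, the NCSC advisory, or the FBI notice), the following Python check looks from the client side for the symptom the advisory describes: a DHCP lease whose domain-name-servers option points at an address outside the network's expected resolver set, and a divergence between answers from the DHCP-assigned resolver and a trusted resolver queried over an independent path. The lease text, the allowlist, the internal-network list, and the answer sets are all constructed samples; the addresses come from documentation ranges, and which of them count as "internal" is an assumption you would adjust to your own network.

```python
import ipaddress
import re

# Constructed dhclient-style lease (sample data, not from any real incident):
# the router hands out itself plus an unexpected address as DNS servers,
# which is what a client sees after the router's DHCP DNS option was changed.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.45;
  renew 1 2026/04/07 10:00:00;
}
"""

# Assumed allowlist: the router's own LAN address plus two internal resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53", "10.0.1.53"}

# Address space that can legitimately appear as a LAN resolver (assumption).
# Anything else is treated as external; documentation ranges deliberately
# count as external here so the sample lease above triggers the check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

DNS_OPTION = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def parse_dhcp_resolvers(lease_text: str) -> list[str]:
    """Return the DNS server addresses from every domain-name-servers option."""
    found = []
    for match in DNS_OPTION.finditer(lease_text):
        found.extend(a.strip() for a in match.group(1).split(",") if a.strip())
    return found


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_unexpected_resolvers(lease_text: str, expected: set[str]) -> list[dict]:
    """Flag resolvers outside the allowlist; an external address is the strongest signal."""
    findings = []
    for addr in parse_dhcp_resolvers(lease_text):
        if addr in expected:
            continue
        external = not is_internal(addr)
        findings.append({
            "resolver": addr,
            "external": external,
            "severity": "high" if external else "medium",
        })
    return findings


# Constructed answer sets: what a trusted resolver reached over an independent
# path (e.g. DoH from a different network) returns, versus what the
# DHCP-assigned resolver returns. Here the suspect resolver steers the login
# host to the same external address that was injected into the lease.
TRUSTED_ANSWERS = {
    "login.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.20"},
}
OBSERVED_ANSWERS = {
    "login.example.com": {"203.0.113.45"},
    "mail.example.com": {"198.51.100.20"},
}


def divergent_names(trusted: dict[str, set[str]], observed: dict[str, set[str]]) -> list[str]:
    """Names whose answers from the DHCP-assigned resolver differ from the trusted ones.

    Divergence is a lead, not proof: CDNs and GeoDNS also return different
    records, so confirm by checking who serves TLS for the observed address.
    """
    return sorted(name for name, rrset in trusted.items() if observed.get(name) != rrset)


if __name__ == "__main__":
    for f in flag_unexpected_resolvers(SAMPLE_LEASE, EXPECTED_RESOLVERS):
        print(f"[{f['severity']}] unexpected DHCP resolver {f['resolver']} (external={f['external']})")
    for name in divergent_names(TRUSTED_ANSWERS, OBSERVED_ANSWERS):
        print(f"[check] {name}: trusted {TRUSTED_ANSWERS[name]} vs observed {OBSERVED_ANSWERS[name]}")
```

On a real host, feed the script the contents of the system's DHCP lease file (or the equivalent output of the platform's network-status command) and populate the trusted answer set from a resolver reached outside the suspect router's path; a resolver handed out by DHCP that is neither the router nor a known internal server is exactly the condition the advisory's remediation (resetting router DNS settings and removing the injected resolvers) is meant to clear.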