
FBI, DOJ, and Poland take FrostArmada infrastructure offline

Law Enforcement
2 unique sources, 2 articles

Summary


A coordinated action by the FBI, the DOJ, and Polish authorities took FrostArmada infrastructure offline, disrupting an APT28 credential-theft operation that rewrote the DNS settings of compromised routers so that Microsoft sign-in traffic passed through an adversary-in-the-middle (AitM) proxy. The takedown cut off the attacker-controlled VPS nodes that served as rogue DNS resolvers and the AitM proxy layer that intercepted authentication traffic, including Microsoft account credentials and OAuth tokens. The scale is what makes it notable: the operation had reached 18,000 devices across 120 countries.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Brazilian ISP botnet DDoS campaign

Campaign
First: 30.04.2026 17:04 Last: 30.04.2026 17:04 Sources 1

About this happening: The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

UNC6692 email bombing and Microsoft Teams impersonation campaign

Campaign
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

Timeline

  1. 07.04.2026 18:51 · 2 articles

    FrostArmada infrastructure taken offline

    Legal Policy Action Update

    A coordinated law-enforcement and government-backed disruption takes FrostArmada infrastructure offline, cutting off attacker-controlled VPS nodes that APT28 used to hijack DNS on compromised routers and intercept Microsoft account credentials and OAuth tokens.

  2. 07.04.2026 18:51 · 1 article

    FrostArmada DNS-hijack campaign mechanics and scope

    Technical Analysis Update

    FrostArmada compromises internet-exposed MikroTik, TP-Link, Nethesis, and older Fortinet devices and rewrites their DNS settings to point at attacker-controlled VPS resolvers and an adversary-in-the-middle proxy. The activity reached 18,000 devices across 120 countries; targets included Microsoft 365, Microsoft Outlook on the web, government agencies, law enforcement, IT and hosting providers, and other organizations that operate their own servers.

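The mechanics above (router DNS settings rewritten toward rogue resolvers, with an AitM proxy answering for Microsoft sign-in hostnames) suggest two cheap checks a defender can run on their own estate. The script below is an added example and not code from the original page or from any vendor or agency named in it. It assumes an inventory export of each device's configured DNS servers and a set of A-record answers for a few sign-in hostnames from the device's resolver and from a trusted resolver; the approved resolver list, the hostnames, the device names and every IP address are constructed placeholders.

```python
"""Audit router DNS settings and resolver answers for signs of DNS hijacking.

Added example, not from the original page. Two checks:
  1. A device's configured DNS servers are outside the organisation's approved
     set (and, worse, outside RFC 1918 space, i.e. some VPS on the internet).
  2. The device's resolver returns an address for a sign-in hostname that the
     trusted resolver does not, which is what an AitM proxy must do to sit in
     the path of the login.
All IPs, hostnames and device names are constructed for the sample run.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the organisation's sanctioned resolvers (constructed addresses).
APPROVED_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}

# RFC 1918 ranges; a router pointed at a resolver outside these is a red flag.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostnames involved in Microsoft 365 / Outlook on the web sign-in. The page
# names the services, not hostnames, so this list is an assumption.
MONITORED_HOSTS = ("login.microsoftonline.com", "outlook.office.com", "login.live.com")


@dataclass(frozen=True)
class Finding:
    device: str
    kind: str    # "unapproved_resolver" or "answer_mismatch"
    detail: str


def audit_resolver_config(inventory: dict[str, list[str]]) -> list[Finding]:
    """Flag every configured DNS server that is not in APPROVED_RESOLVERS.

    inventory maps device name -> list of configured DNS server IPs.
    """
    findings = []
    for device, servers in inventory.items():
        for server in servers:
            ip = ip_address(server)
            if ip in APPROVED_RESOLVERS:
                continue
            scope = "RFC 1918" if any(ip in n for n in RFC1918) else "outside RFC 1918"
            findings.append(Finding(device, "unapproved_resolver", f"{server} ({scope})"))
    return findings


def audit_answers(device: str, observed: dict[str, set[str]],
                  trusted: dict[str, set[str]]) -> list[Finding]:
    """Compare the device resolver's A records against a trusted resolver.

    observed and trusted map hostname -> set of A-record IPs. Any address the
    trusted resolver never returned for a monitored host is reported; a
    missing host in `observed` is simply not compared.
    """
    findings = []
    for host in MONITORED_HOSTS:
        extra = set(observed.get(host, ())) - set(trusted.get(host, ()))
        if extra:
            findings.append(Finding(device, "answer_mismatch", f"{host} -> {sorted(extra)}"))
    return findings


# Constructed sample data: one healthy router, one with rewritten DNS settings.
SAMPLE_INVENTORY = {
    "rtr-hq-1": ["10.0.0.53", "10.0.1.53"],
    "rtr-branch-3": ["203.0.113.45"],        # rewritten to an attacker VPS
}
SAMPLE_TRUSTED = {h: {"198.51.100.10"} for h in MONITORED_HOSTS}
SAMPLE_OBSERVED_BRANCH = {
    "login.microsoftonline.com": {"203.0.113.77"},   # AitM proxy address
    "outlook.office.com": {"203.0.113.77"},
    "login.live.com": {"198.51.100.10"},              # passed through unchanged
}


def run_sample() -> list[Finding]:
    """Run both checks over the constructed sample and return the findings."""
    findings = audit_resolver_config(SAMPLE_INVENTORY)
    findings += audit_answers("rtr-branch-3", SAMPLE_OBSERVED_BRANCH, SAMPLE_TRUSTED)
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.device}: {f.kind}: {f.detail}")
```

To feed it real data, export each router's DNS servers (on RouterOS, for example, `/ip dns print`) into the inventory mapping, and obtain the trusted answers from a resolver you operate yourself rather than from the device under test; a resolver pointing at an address you do not run, outside RFC 1918 space, matches the campaign's pattern even before any answer mismatch is observed.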