Forest Blizzard DNS hijacking token-theft campaign against older routers
Campaign
Summary
Hide ▲
Show ▼
Russia-backed Forest Blizzard is running a DNS hijacking campaign against older routers to steal Microsoft Office authentication tokens, putting accounts at risk across more than 18,000 networks. The activity affected more than 200 organizations and 5,000 consumer devices, with the highest volume in December 2025. By changing router DNS settings to attacker-controlled servers, the operators could intercept OAuth tokens after login and multi-factor authentication. That approach enabled account access without deploying malware on the routers or phoning credentials one by one.
Related Happenings
AryStinger legacy-router and QNAP NAS reconnaissance campaign
Campaign
H score72
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
CampaignAbout this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
AryStinger botnet turns outdated routers into proxy executors
Malware ActivityAbout this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
H score46
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
CampaignAbout this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
H score32
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
UNC6692 email bombing and Microsoft Teams impersonation campaign
CampaignAbout this happening: UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
China-nexus hijacked-device proxy network campaign
Campaign
H score43
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
China-nexus hijacked-device proxy network campaign
CampaignAbout this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
Timeline
-
07.04.2026 20:02 2 articles · 3mo ago
Forest Blizzard DNS hijacking campaign against Microsoft Office users disclosed
Initial DisclosureMicrosoft and Black Lotus Labs described a Russia-backed Forest Blizzard operation, also known as APT28, Fancy Bear, and GRU-linked activity, that used known flaws in older Mikrotik and TP-Link SOHO routers to rewrite DNS settings, route users to attacker-controlled servers, and intercept Microsoft Office OAuth authentication tokens after login and multi-factor authentication across more than 18,000 networks, more than 200 organizations, and 5,000 consumer devices.
Show sources
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02