Tags: adversary, high, Cyber Espionage, DNS Hijacking, Router Exploitation, APT28, Forest Blizzard

Apr 07, 2026 • The Hacker News

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Russia-linked APT28 has launched a large-scale cyber espionage campaign since May 2025, exploiting insecure SOHO routers manufactured by MikroTik and TP-Link....

Source: The Hacker News
Category: adversary
Severity: high

Executive Summary

Russia-linked APT28 has launched a large-scale cyber espionage campaign since May 2025, exploiting insecure SOHO routers manufactured by MikroTik and TP-Link. The threat actors modified router settings to establish covert malicious infrastructure for DNS hijacking operations. Organizations using these router brands should immediately audit device configurations, apply the latest firmware updates, change default credentials, and monitor for unauthorized DNS changes. This campaign underscores the persistent risk posed by unpatched network edge devices and the importance of continuous monitoring of router firmware and configurations.
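As an added example (not code from the article or from BrewedIntel), the following check implements the "monitor for unauthorized DNS changes" recommendation as a baseline-drift comparison of router DNS settings. It assumes snapshots in the style of a RouterOS `/ip dns export` (real output may differ; the two snapshots below are constructed) and flags new upstream resolvers, a changed allow-remote-requests setting, and new or altered static name overrides.

```python
import re

# Constructed sample in the style of a RouterOS "/ip dns export" (assumption:
# real device output may differ; adapt parse_dns_export() to your exports).
BASELINE = """/ip dns
set servers=9.9.9.9,149.112.112.112 allow-remote-requests=no
/ip dns static
add name=intranet.example.test address=10.0.0.5
"""
CURRENT = """/ip dns
set servers=9.9.9.9,203.0.113.7 allow-remote-requests=yes
/ip dns static
add name=intranet.example.test address=10.0.0.5
add name=login.example.test address=198.51.100.20
"""

def parse_dns_export(text):
    """Return (upstream servers, allow-remote-requests, static name->address)."""
    servers, allow_remote, static, section = set(), "no", {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header such as "/ip dns static"
            section = line
        elif section == "/ip dns" and line.startswith("set "):
            if m := re.search(r"servers=(\S+)", line):
                servers = set(m.group(1).split(","))
            if m := re.search(r"allow-remote-requests=(\S+)", line):
                allow_remote = m.group(1)
        elif section == "/ip dns static" and line.startswith("add "):
            name = re.search(r"name=(\S+)", line)
            addr = re.search(r"address=(\S+)", line)
            if name and addr:
                static[name.group(1)] = addr.group(1)
    return servers, allow_remote, static

def dns_drift(baseline_text, current_text):
    """Describe every way the current DNS settings deviate from the baseline."""
    b_srv, b_remote, b_static = parse_dns_export(baseline_text)
    c_srv, c_remote, c_static = parse_dns_export(current_text)
    findings = [f"unexpected upstream resolver {s}" for s in sorted(c_srv - b_srv)]
    findings += [f"baseline resolver {s} removed" for s in sorted(b_srv - c_srv)]
    if c_remote != b_remote:   # open-resolver exposure changed
        findings.append(f"allow-remote-requests changed {b_remote}->{c_remote}")
    for name, addr in sorted(c_static.items()):
        if b_static.get(name) != addr:   # new or altered override of a hostname
            findings.append(f"static entry {name}->{addr} (baseline {b_static.get(name)})")
    return findings
```

Run `dns_drift(BASELINE, CURRENT)` against a snapshot taken at a known-good time; any non-empty result for a device nobody intentionally reconfigured warrants an immediate configuration review.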

Summary

The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed

Linked Entities

  • APT28
  • Forest Blizzard