Ethical Hacking News
Authorities have disrupted a global campaign of DNS hijacking used by APT28 to steal Microsoft 365 logins in an operation dubbed FrostArmada. Researchers from Black Lotus Labs report that the attackers compromised mainly small office/home office (SOHO) routers and altered their DNS settings to point to virtual private servers under the attackers' control, allowing them to intercept authentication traffic and steal sensitive credentials.
Authorities and private companies collaborated to disrupt APT28's (Fancy Bear) DNS hijacking campaign. Around 18,000 devices in 120 countries were infected with malware, primarily targeting government agencies and organizations operating their own servers. The attackers exploited vulnerabilities in internet-exposed routers from MikroTik, TP-Link, and Fortinet and used DNS configuration changes to redirect traffic from the internal devices behind them. Victims may not have noticed anything until they clicked through a warning for an invalid TLS certificate, at which point the attackers could intercept their unencrypted internet communication. Researchers published indicators of compromise (IoCs) for the VPS servers used during the campaign, providing valuable resources for defenders to identify and prevent similar attacks.
In a significant breakthrough, authorities and private companies have collaborated to disrupt an international campaign of DNS hijacking used by the Russian threat group APT28 (also known as Fancy Bear, Sofacy, Forest Blizzard, Strontium, Storm-2754, and Sednit) to steal Microsoft 365 logins. The operation, code-named FrostArmada, involved the compromise of mainly small office/home office (SOHO) routers, whose DNS settings were altered to point to virtual private servers under the control of APT28, allowing the group to intercept authentication traffic and steal sensitive credentials.
The FrostArmada campaign is believed to have been launched in December 2025, with the attackers infecting approximately 18,000 devices across 120 countries, primarily targeting government agencies, law enforcement, IT and hosting providers, and organizations operating their own servers. The group's modus operandi involved exploiting vulnerabilities in internet-exposed routers, mainly from MikroTik and TP-Link, as well as some older Fortinet models. Once compromised, these devices communicated with the attackers' infrastructure and received DNS configuration changes that redirected traffic to malicious virtual private server (VPS) nodes.
The new DNS settings were automatically pushed to internal devices via the Dynamic Host Configuration Protocol (DHCP), so that every client behind the router used the rogue resolvers and even users who did not actively visit affected websites could still be intercepted by the attackers. The only visible sign of compromise for the victim would have been a warning for an invalid TLS certificate, which could easily have been dismissed.
However, ignoring this alert gave the threat actor access to the victim's unencrypted internet communication. According to researchers from Black Lotus Labs, "The actor essentially ran a proxy service as the AitM that the end user was directed to via DNS." This meant that even if users clicked through the warning or ignored it altogether, their requests were still being proxied to the legitimate services by the attackers, allowing them to collect data associated with the targeted account and steal sensitive credentials.
In some cases, the hackers spoofed DNS responses for certain domains, thus forcing affected endpoints to connect to the attack infrastructure. This behavior was observed in a subset of attacks that appeared to be opportunistic in nature, aiming to build a large pool of potential targets before filtering those of interest.
Researchers from Black Lotus Labs have published a small set of indicators of compromise (IoCs) for the VPS servers used during the FrostArmada campaign. These include IP addresses and timestamps corresponding to when these servers were first seen and last seen in operation.
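The two defender-side facts above (rogue resolvers arrive via DHCP, and the published IoCs are VPS addresses with first-seen/last-seen timestamps) can be turned into a simple audit. The following is an added example, not code from the article or from Black Lotus Labs: it parses the DNS-server option (option 6) out of a raw DHCP offer and checks each resolver against a corporate allowlist and against an IoC table of the shape the researchers describe. The packet, the IoC addresses (RFC 5737 documentation ranges), their timestamps, and the allowlist are all constructed placeholders, not the real FrostArmada indicators.

```python
import ipaddress
import struct
from datetime import datetime, timezone

DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP "magic cookie" that precedes DHCP options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255

# Constructed IoC table in the shape the article describes (VPS IP -> first seen, last seen).
# These are RFC 5737 documentation addresses, NOT the real FrostArmada indicators.
VPS_IOCS = {
    "203.0.113.10": ("2025-12-01T00:00:00Z", "2026-04-01T00:00:00Z"),
    "203.0.113.11": ("2026-01-15T00:00:00Z", "2026-03-20T00:00:00Z"),
}
# Hypothetical allowlist of resolvers a DHCP server on this network may legitimately hand out.
APPROVED_RESOLVERS = {"192.168.88.1", "10.0.0.53"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a raw BOOTP/DHCP packet (header is 236 bytes)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(opts: dict) -> list:
    """Decode option 6 (a concatenation of 4-byte IPv4 addresses) into dotted strings."""
    raw = opts.get(OPT_DNS, b"")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - len(raw) % 4, 4)]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_dhcp_offer(packet: bytes, observed_at: str) -> list:
    """Flag resolvers pushed by DHCP that match an IoC or are not on the allowlist."""
    findings = []
    seen = _ts(observed_at)
    for server in dns_servers(parse_dhcp_options(packet)):
        if server in VPS_IOCS:
            first, last = map(_ts, VPS_IOCS[server])
            window = "inside" if first <= seen <= last else "outside"
            findings.append(f"IOC_MATCH {server} ({window} first/last-seen window)")
        elif server not in APPROVED_RESOLVERS:
            findings.append(f"UNAPPROVED_RESOLVER {server}")
    return findings


def build_offer(dns: list, server_id: str = "192.168.88.1") -> bytes:
    """Construct a minimal DHCPOFFER as a test fixture (constructed, not captured traffic)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0,                             # xid, secs, flags
        bytes(4),                                     # ciaddr
        ipaddress.IPv4Address("192.168.88.20").packed,  # yiaddr offered to the client
        ipaddress.IPv4Address(server_id).packed,      # siaddr
        bytes(4),                                     # giaddr
        bytes.fromhex("0c29ab12cd34") + bytes(10),    # chaddr (constructed MAC, padded to 16)
        bytes(64), bytes(128),                        # sname, file
    )
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    options = (bytes([OPT_MSG_TYPE, 1, 2])                                   # DHCPOFFER
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    # A router whose DHCP server now hands out one attacker VPS alongside the real resolver.
    offer = build_offer(["203.0.113.10", "192.168.88.1"])
    for finding in audit_dhcp_offer(offer, "2026-02-01T00:00:00Z"):
        print(finding)
```

In practice the packet bytes would come from a DHCP sniffer or a capture on the client's interface; the audit deliberately reports IoC hits outside their first/last-seen window as well, since the researchers' timestamps bound when a VPS was observed, not when it could have been used.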
The researchers recommend that defenders implement certificate pinning for corporate devices controlled via an MDM solution, which would generate an error when the attacker tries to intercept and analyze traffic on their VPS infrastructure, since the proxy cannot present the pinned certificate. They also suggest minimizing the attack surface by patching vulnerable devices, limiting exposure on the public web, and removing all end-of-life equipment.
The disruption of the FrostArmada campaign is a significant victory for law enforcement authorities and private companies collaborating to combat the growing threat of APT28. The involvement of Microsoft and the UK's National Cyber Security Centre (NCSC) in identifying and mitigating this attack demonstrates a concerted effort to protect users against such threats.
In addition, the publication of IoCs and protection guidance by these organizations provides valuable resources for defenders to identify and prevent DNS hijacking attacks like FrostArmada. As the threat landscape continues to evolve, it is essential that individuals and organizations remain vigilant and take proactive steps to protect themselves against sophisticated cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Global-Effort-to-Combat-APT28s-DNS-Hijacking-Campaign-FrostArmada-ehn.shtml
https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/
https://attack.mitre.org/groups/G0007/
https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps
https://en.wikipedia.org/wiki/Fancy_Bear
https://hackers-arise.com/who-is-fancy-bear-apt28-and-what-do-they-do/
https://cyble.com/threat-actor-profiles/sofacy/
https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/
https://nquiringminds.com/cybernews/russian-apt-group-forest-blizzard-exploiting-vulnerabilities-to-target-government-energy-and-transportation-organizations-in-us-europe-and-middle-east/
https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/
https://breach-hq.com/threat-actors
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
https://www.tomsguide.com/computing/online-security/massive-mikrotik-router-botnet-has-been-spreading-malware-heres-how-to-stay-safe
https://www.tomsguide.com/computing/online-security/these-three-tp-link-routers-are-being-targeted-by-hackers-heres-what-to-know
https://www.fortinet.com/resources/cyberglossary/advanced-persistent-threat
https://www.infosecurity-magazine.com/news/hacking-group-leaks-config-15k/
https://cyberscoop.com/turla-infiltrates-pakistani-apt-networks-microsoft-lumen/
https://thehackernews.com/2024/12/russia-linked-turla-exploits-pakistani.html
Published: Tue Apr 7 12:08:07 2026 by llama3.2 3B Q4_K_M