The UK’s National Cyber Security Centre (NCSC) and the US Department of Justice jointly disclosed a large-scale DNS hijacking campaign operated by Russia’s GRU Military Unit 26165 — better known as APT28 or Forest Blizzard. Tracked as FrostArmada by Lumen’s Black Lotus Labs, the operation compromised over 18,000 SOHO routers at its December 2025 peak, spanning 120 countries, to silently intercept authentication traffic and harvest Microsoft 365 credentials.

How the Attack Worked

APT28 targeted end-of-life and unpatched small office/home office routers — primarily TP-Link WR841N and various MikroTik models — exploiting known vulnerabilities to gain remote administrative access. One confirmed entry point was CVE-2023-50224 (CVSS 6.5), an authentication bypass in the TP-Link WR841N that allows extracting stored credentials via crafted HTTP GET requests.

Once inside, the attackers changed the router's DHCP and DNS settings so that clients were handed GRU-controlled resolvers and the router itself forwarded queries to them. This is the critical piece: every device on the LAN behind that router, with no malware of its own, now sent its DNS queries to attacker-owned servers.

When users on compromised networks attempted to reach Microsoft 365 services — particularly Outlook on the web and related authentication subdomains — the malicious resolvers redirected traffic to adversary-in-the-middle (AitM) nodes. These nodes proxied the legitimate login flow while capturing passwords, OAuth tokens, and session cookies in transit. The attack required zero user interaction beyond normal login behavior.

The GRU maintained a fleet of virtual private servers acting as malicious DNS resolvers, actively rotated since at least 2024. The NCSC advisory notes two distinct campaign waves, both tied to the same VPS infrastructure.

Who Was Targeted

FrostArmada’s targeting was broad but focused on high-value sectors: government agencies, law enforcement, IT and hosting providers, and organizations running self-hosted infrastructure. The campaign operated across 120 countries, making this one of the most geographically distributed router compromise operations attributed to a state actor.

The stolen OAuth tokens and session cookies provided persistent access to Microsoft 365 environments without any further sign-in by the victim, so nothing prompted a password change or surfaced an alert to the account owner. That is a particularly dangerous outcome for organizations relying on cloud email and collaboration.

FBI Disruption: Operation Masquerade

On April 7, the Department of Justice announced Operation Masquerade, a court-authorized technical operation targeting the US portion of the botnet. The FBI remotely accessed compromised routers on US soil, collected forensic evidence of GRU activity, reset DNS configurations to legitimate resolvers, and closed the unauthorized access vectors.

This follows the same legal playbook the FBI used against Volt Typhoon’s KV-botnet in January 2024 — obtaining judicial authorization to send remediation commands directly to compromised devices.

What You Should Do Right Now

If you operate SOHO routers in any capacity — home office, branch office, lab environment — act on these immediately:

Check your DNS settings. Log into your router's admin panel and check two places: the upstream DNS servers in the WAN/Internet settings, and the DNS servers the DHCP server hands to clients. Both should be known-good resolvers (your ISP's, or public resolvers like 1.1.1.1, 8.8.8.8, or 9.9.9.9). Checking only from a client is not enough, because clients usually see the router's own LAN address as their resolver while the router forwards upstream. If you see unfamiliar IP addresses, assume compromise.

Replace end-of-life hardware. The TP-Link WR841N and many MikroTik models targeted in this campaign are discontinued or running unsupported firmware. No amount of patching helps if the vendor has stopped shipping updates.

Update firmware immediately. If your router is still supported, apply the latest firmware. Do not assume auto-update is enabled or working on either MikroTik's RouterOS or TP-Link's consumer firmware; check the vendor's release page manually.

Disable remote management. Management interfaces (HTTP, SSH, Winbox) must never be exposed to the internet. If you need remote access, use a VPN.

Rotate credentials. If your network used a potentially compromised router, rotate all Microsoft 365 passwords and revoke sessions for the affected users (Revoke sessions on the user's page in the Microsoft Entra admin center, formerly Azure AD, or the revokeSignInSessions call in Microsoft Graph). This invalidates refresh tokens and browser session cookies. Check sign-in logs for suspicious locations or impossible-travel alerts.

Monitor for token reuse. Stolen refresh tokens and session cookies stay usable until they expire or are revoked, and access tokens already issued cannot be revoked at all; they remain valid until they expire (roughly an hour by default), so even a prompt revocation leaves a short window in which a captured token still works. Enable Conditional Access policies requiring compliant devices and set a sign-in frequency so sessions cannot live indefinitely.
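The sign-in review and revocation steps above, as an added example that is not code from the article or from Microsoft: it triages entries in the shape the Microsoft Graph `/auditLogs/signIns` endpoint returns (country outside an expected set, and impossible travel between two successful sign-ins by the same user), and builds the Graph requests to pull a user's sign-ins and to call `revokeSignInSessions`. The sample events, user names, coordinates, addresses and the 900 km/h threshold are constructed for the demonstration; the Graph endpoints are real, but the bearer token must come from your own app registration with `AuditLog.Read.All` and `User.ReadWrite.All` (or equivalent) permissions.

```python
import json
import math
import urllib.parse
import urllib.request
from datetime import datetime

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample in the Graph signIn shape; not real log data.
SAMPLE_SIGNINS = [
    {"id": "ev-1", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2025-12-03T09:00:00Z", "ipAddress": "203.0.113.5",
     "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB",
                  "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    {"id": "ev-2", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2025-12-03T09:40:00Z", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 40.7128, "longitude": -74.0060}}},
    {"id": "ev-3", "userPrincipalName": "bob@example.com",
     "createdDateTime": "2025-12-03T10:00:00Z", "ipAddress": "203.0.113.9",
     "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB",
                  "geoCoordinates": {"latitude": 53.4808, "longitude": -2.2426}}},
    {"id": "ev-4", "userPrincipalName": "bob@example.com",
     "createdDateTime": "2025-12-03T10:05:00Z", "ipAddress": "192.0.2.44",
     "status": {"errorCode": 50126},   # failed sign-in (bad password): ignored
     "location": {"countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 40.7128, "longitude": -74.0060}}},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def triage_signins(events, expected_countries, max_kmh=900.0):
    """Return (userPrincipalName, reason, event id) findings. Only successful
    sign-ins count: a stolen token is replayed successfully, by definition."""
    findings, by_user = [], {}
    for ev in events:
        if ev.get("status", {}).get("errorCode", 0) == 0:
            by_user.setdefault(ev["userPrincipalName"], []).append(ev)
    for upn, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["createdDateTime"]))
        prev = None
        for ev in evs:
            loc = ev.get("location", {})
            if loc.get("countryOrRegion") not in expected_countries:
                findings.append((upn, "unexpected-country", ev["id"]))
            g1 = prev.get("location", {}).get("geoCoordinates") if prev else None
            g2 = loc.get("geoCoordinates")
            if g1 and g2:
                km = haversine_km(g1["latitude"], g1["longitude"],
                                  g2["latitude"], g2["longitude"])
                hours = (_ts(ev["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if km > 50 and speed > max_kmh:
                    findings.append((upn, "impossible-travel", ev["id"]))
            prev = ev
    return findings


def signins_url(upn):
    """Graph query for one user's sign-ins (AuditLog.Read.All)."""
    return f"{GRAPH}/auditLogs/signIns?$filter=" + urllib.parse.quote(f"userPrincipalName eq '{upn}'")


def revoke_sessions_request(user_id, access_token):
    """POST /users/{id}/revokeSignInSessions: invalidates the user's refresh
    tokens and browser sessions. Access tokens already issued stay valid
    until they expire, so follow up in the sign-in log for an hour or so."""
    return urllib.request.Request(
        f"{GRAPH}/users/{user_id}/revokeSignInSessions", method="POST",
        headers={"Authorization": f"Bearer {access_token}"})


def revoke_sessions(user_id, access_token):
    with urllib.request.urlopen(revoke_sessions_request(user_id, access_token)) as resp:
        return json.load(resp)          # {"value": true} on success


if __name__ == "__main__":
    for finding in triage_signins(SAMPLE_SIGNINS, {"GB"}):
        print(finding)
```

Treat the output as a work queue: each flagged user gets a password reset plus `revoke_sessions`, in that order, and then a second pass over `signins_url(upn)` after an hour to confirm nothing else came in on a token issued before the revoke.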

Advisories and References