www.infosecurity-magazine.com 4/7/2026, 4:01:18 PM

APT28 exploits SOHO routers via CVE-2023-50224 to steal credentials

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch available
Threat Actor: APT28

Russian APT28 has been exploiting vulnerable internet routers to redirect traffic through attacker‑controlled servers and harvest credentials from targeted organisations, according to a UK National Cyber Security Centre (NCSC) advisory published on 7 April 2026. The NCSC linked two new campaigns to APT28, both tied to a list of virtual private servers that have been modified since 2024 to operate as malicious DNS servers.

One campaign involved modifying the DHCP DNS settings on compromised SOHO routers, mostly TP-Link models such as the WR841N; CVE-2023-50224 let an unauthenticated attacker obtain credentials via crafted HTTP GET requests. The attacker’s DNS hijacking then directed follow‑on requests to actor‑owned IP addresses, enabling adversary‑in‑the‑middle activity aimed at stealing passwords and tokens.
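The DHCP DNS hijack described above leaves traces a defender can check for from a client behind the router: the resolvers that DHCP pushed can be compared against an allowlist, and answers from the pushed resolver can be compared with answers from a trusted one, looking in particular for many unrelated names resolving to the same address. The script below is an added example, not code from the article, the NCSC advisory or the Microsoft report; the lease excerpt, the resolver allowlist and the DNS answer sets are constructed (RFC 5737 documentation addresses) so it runs offline.

```python
"""Check a client for DHCP-pushed rogue DNS servers and diverging DNS answers.

Added example; all sample data below is constructed. The allowlist, LAN range
and answer sets are placeholders a defender would replace with their own.
"""
import ipaddress
import re

# Constructed allowlist of the organisation's legitimate resolvers.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# RFC 1918 ranges, used to tell a private but unexpected resolver from a
# public one pushed by the router's DHCP server.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed dhclient lease excerpt from a client behind a router whose DHCP
# DNS option (option 6) has been altered to include a public address.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.42;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 198.51.100.7,192.168.1.1;
  renew 2 2026/04/07 15:00:00;
}
"""

# Constructed A-record answers: what the DHCP-pushed resolver returned versus
# what a trusted resolver returned for the same names.
SUSPECT_ANSWERS = {
    "login.example.com": {"198.51.100.20"},
    "mail.example.com": {"198.51.100.20"},
    "www.example.com": {"203.0.113.10"},
}
TRUSTED_ANSWERS = {
    "login.example.com": {"203.0.113.5"},
    "mail.example.com": {"203.0.113.6"},
    "www.example.com": {"203.0.113.10"},
}


def parse_dhcp_dns(lease_text):
    """Return the DNS servers listed in every 'option domain-name-servers' line."""
    servers = []
    for match in re.finditer(r"option domain-name-servers\s+([^;]+);", lease_text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def classify_resolver(addr, trusted, lan_net):
    """Label a pushed resolver: trusted, the LAN gateway itself, other private, or external."""
    if addr in trusted:
        return "trusted"
    ip = ipaddress.ip_address(addr)
    if ip in lan_net:
        # The router forwards queries; its upstream resolver must be checked separately.
        return "lan-gateway"
    if any(ip in net for net in RFC1918):
        return "private-unexpected"
    # A public address handed out by a SOHO router's DHCP is the pattern to escalate.
    return "external"


def find_rogue_resolvers(lease_text, trusted, lan_cidr="192.168.1.0/24"):
    """Map every non-trusted DHCP-pushed resolver to its classification."""
    lan_net = ipaddress.ip_network(lan_cidr)
    result = {}
    for addr in parse_dhcp_dns(lease_text):
        label = classify_resolver(addr, trusted, lan_net)
        if label != "trusted":
            result[addr] = label
    return result


def find_divergent_answers(suspect, trusted):
    """Names whose answer from the suspect resolver shares no address with the trusted answer."""
    return sorted(name for name in suspect
                  if name in trusted and suspect[name].isdisjoint(trusted[name]))


def shared_answer_ips(answers, min_domains=2):
    """Addresses that answer for several unrelated names: a hallmark of a hijacking resolver.

    CDN fronting can also do this, so the result is a lead to verify, not a verdict.
    """
    hits = {}
    for name, ips in answers.items():
        for ip in ips:
            hits.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in hits.items() if len(names) >= min_domains}


if __name__ == "__main__":
    print("Pushed resolvers needing review:", find_rogue_resolvers(SAMPLE_LEASE, TRUSTED_RESOLVERS))
    print("Names with diverging answers:", find_divergent_answers(SUSPECT_ANSWERS, TRUSTED_ANSWERS))
    print("Addresses shared across names:", shared_answer_ips(SUSPECT_ANSWERS))
```

On a real client the lease text comes from the DHCP client's lease file and the answer sets from querying each resolver directly for a fixed list of names the organisation cares about; the three checks are deliberately separate so a private-but-unexpected resolver, a single diverging name, and a one-address-for-everything pattern can each be triaged on their own.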

A separate Microsoft Threat Intelligence report, also published on 7 April 2026, says APT28 and its sub‑group tracked as Storm‑2754 have been compromising VPS servers to exploit SOHO routers since at least August 2025, with some activity observed against MikroTik and TP-Link devices and targeted infrastructure in Ukraine.


Article by CyberSIXT