APT28, also known as Forest Blizzard, has been quietly sniffing Internet traffic from targets worldwide for more than a year by exploiting old bugs in edge devices, primarily MikroTik and TP-Link SOHO routers, and redirecting traffic through malicious VPS locations. According to researchers with Lumen's Black Lotus Labs and Microsoft, the campaign has enabled the group to sniff Web traffic and steal credentials for email and Web services on an ongoing basis.
In April 2026 the US Department of Justice announced Operation Masquerade to disrupt the DNS-hijacking network connected to this activity, with the DoJ noting that military, government and critical infrastructure organisations had been targeted. At its peak in December 2025, Black Lotus Labs identified 18,000 unique IP addresses across at least 120 countries communicating with the attackers’ infrastructure, and Microsoft reported more than 200 impacted organisations plus more than 5,000 consumer devices.
The campaign is not a new effort, and researchers disagree on when it began: Microsoft suggests at least last August, Black Lotus Labs points to May 2024, and the UK’s NCSC had already flagged related activity in August 2025.