The Russia-linked threat actor APT28 (aka Forest Blizzard) has been linked to a global campaign that exploits insecure MikroTik and TP-Link routers and turns them into malicious infrastructure, as part of an operation tracked as FrostArmada that began at least as early as May 2025. The campaign, described by Lumen’s Black Lotus Labs and Microsoft, uses DNS hijacking to redirect traffic and enable passive collection of network data; once traffic is redirected, adversary-in-the-middle (AitM) attacks target TLS connections.
At its peak in December 2025, more than 18,000 unique IP addresses from no fewer than 120 countries were observed communicating with APT28 infrastructure, primarily affecting government agencies and third-party email and cloud service providers across multiple regions. The Microsoft Threat Intelligence team attributed the activity to APT28 and its sub-group Storm-2754, noting more than 200 organisations and 5,000 consumer devices were impacted by the threat actor’s DNS infrastructure.
The operation has been disrupted and taken offline in a joint effort with the U.S. Department of Justice, the FBI and international partners, while the UK’s National Cyber Security Centre described the DNS hijacking as opportunistic, with the actor seeking large pools of candidate victims. The report also notes that TP-Link WR841N routers were exploited for DNS poisoning, likely using CVE-2023-50224 (CVSS 6.5) to extract stored credentials via crafted HTTP GET requests.