APT28, the Russian state-sponsored threat group operating under GRU Military Intelligence Unit 26165, conducted a large-scale DNS hijacking campaign dubbed Operation FrostArmada by compromising small office and home office routers to build distributed credential theft infrastructure. This sophisticated cyber espionage operation began in May 2025, escalated significantly by August, and reached peak activity in December 2025, at which point over 18,000 unique IP addresses across more than 120 countries were communicating with attacker-controlled infrastructure, impacting an estimated 200+ organizations and 5,000 consumer devices.
The attack campaign targeted SOHO routers, primarily MikroTik and TP-Link devices, exploiting known vulnerabilities including CVE-2023-50224, an authentication bypass flaw affecting TP-Link TL-WR841N routers that allowed credential extraction through crafted HTTP requests. Once APT28 gained remote administrative access to vulnerable routers, they systematically reconfigured DHCP and DNS settings to redirect all network DNS queries to malicious virtual private servers acting as adversary-controlled DNS resolvers. These poisoned DNS configurations were automatically propagated to every downstream device on local networks via DHCP, meaning end users required no interaction to become victims of the DNS hijacking operation.
The DNS hijacking infrastructure enabled APT28 to conduct large-scale adversary-in-the-middle attacks against TLS-encrypted connections. When users on compromised networks attempted to access targeted domains, particularly web-based email portals including Microsoft 365, Outlook on the Web, and other authentication services, the malicious DNS servers resolved those legitimate domain names to attacker-controlled interception nodes. At these adversary-in-the-middle positions, APT28 harvested usernames, passwords, OAuth authentication tokens, and email content in real time despite TLS encryption, as users were unknowingly connecting to attacker infrastructure that presented fraudulent TLS certificates.
The operation demonstrated sophisticated organizational structure with two distinct operational clusters. An expansion team focused exclusively on compromising new router devices and growing the botnet infrastructure, conducting mass scanning operations to identify vulnerable SOHO routers accessible via internet-facing administration interfaces. A separate credential interception team operated the malicious DNS resolver infrastructure and adversary-in-the-middle nodes, focusing on harvesting intelligence from high-value targets identified through the broad initial compromise base.
APT28’s targeting strategy was opportunistic initially but became progressively filtered toward intelligence priorities. The campaign cast a wide net across government agencies, ministries of foreign affairs, law enforcement bodies, critical infrastructure organizations, information technology and telecommunications sectors, energy companies, and third-party email and cloud service providers. Geographic targeting concentrated on North Africa, Central America, Southeast Asia, Europe, Ukraine, and the United States. This broad initial compromise allowed APT28 to identify high-value intelligence targets and progressively narrow focus at each successive stage of the exploitation chain.
The technical sophistication of FrostArmada included minimal visibility for end users, as the only indication of compromise was invalid TLS certificate warnings that most users dismiss routinely. The campaign required no malware deployment on endpoint devices, instead leveraging legitimate network infrastructure components that are typically outside the scope of endpoint detection and response solutions. This infrastructure-based approach provided APT28 with persistent access to credentials and communications across thousands of victim networks simultaneously.
An international law enforcement operation designated Operation Masquerade successfully disrupted the FrostArmada campaign. Authorities executed court-authorized technical operations to remotely reset DNS configurations on compromised routers, restoring them to legitimate DNS resolvers and severing connections to APT28’s malicious infrastructure. However, the campaign’s success highlights fundamental vulnerabilities in SOHO router security, including prevalence of end-of-life devices, slow firmware update adoption, publicly exposed administration interfaces, and weak default credentials.
APT28, also tracked under numerous aliases including Sofacy, Fancy Bear, Forest Blizzard, and Strontium, operates as a component of Russia’s GRU Military Intelligence Unit 26165 and has been conducting cyber espionage operations targeting Western governments, military organizations, and critical infrastructure since at least 2007. The group has been publicly attributed to numerous high-profile operations including the 2016 Democratic National Committee compromise, attacks against Ukrainian critical infrastructure, and sustained campaigns against NATO member states and partner nations.
Operation FrostArmada represents an evolution in APT28’s operational methodology, shifting from targeted endpoint compromise and spear-phishing campaigns toward large-scale infrastructure compromise enabling passive credential harvesting across thousands of victim networks simultaneously. This campaign designation was assigned by security researchers tracking the operation’s distinct infrastructure patterns, targeting methodology, and technical characteristics that differentiate it from concurrent APT28 operations.
The campaign timeline began with limited reconnaissance and proof-of-concept activity observed in May 2025, followed by significant escalation in August 2025 as APT28 began mass exploitation of vulnerable SOHO routers. December 2025 marked peak operational activity, with telemetry indicating over 18,000 unique IP addresses communicating with identified APT28 DNS resolver infrastructure across more than 120 countries worldwide. This scale represents one of the largest state-sponsored router compromise campaigns publicly disclosed.
APT28’s initial access vector targeted internet-facing administrative interfaces on SOHO routers, exploiting a combination of known vulnerabilities, weak default credentials, and outdated firmware versions. The primary technical vulnerability exploited was CVE-2023-50224, an authentication bypass flaw affecting TP-Link TL-WR841N routers. This vulnerability allowed remote attackers to extract administrative credentials through specially crafted HTTP requests without prior authentication, providing immediate administrative access to affected devices.
Beyond CVE-2023-50224, the campaign also targeted MikroTik routers and other TP-Link models through previously disclosed vulnerabilities and credential-based attacks. APT28 conducted mass internet scanning operations to identify routers with publicly accessible web administration interfaces, then attempted exploitation using automated tooling that tested known vulnerabilities and common default credentials. This opportunistic mass scanning approach allowed rapid compromise of large numbers of devices across diverse geographic regions and network environments.
Once administrative access was obtained, APT28 performed systematic configuration changes targeting DHCP and DNS settings. The attackers reconfigured the primary and secondary DNS resolver addresses within router DHCP server configurations to point exclusively to APT28-controlled virtual private servers. These malicious VPS systems ran custom DNS resolver software, identified through service fingerprinting as dnsmasq version 2.85 running on UDP port 53, with SSH administrative access available on non-standard ports including TCP 56777 and TCP 35681.
The reconfigured DNS settings were automatically distributed to all downstream devices on the compromised network through normal DHCP lease processes. When devices renewed DHCP leases or new devices joined the network, they automatically received the poisoned DNS resolver addresses without any user interaction or warning. This automatic propagation mechanism ensured comprehensive coverage across all devices within victim networks, including workstations, mobile devices, IoT devices, and servers that relied on DHCP for network configuration.
The heart of Operation FrostArmada was APT28’s malicious DNS resolver infrastructure, which selectively returned fraudulent DNS responses for targeted domains while resolving most queries legitimately to avoid detection. The attacker-controlled DNS servers maintained lists of high-value target domains associated with web-based email services, authentication portals, and cloud applications. When compromised devices queried these targeted domains, the malicious resolvers returned IP addresses pointing to APT28-controlled adversary-in-the-middle nodes instead of legitimate service infrastructure.
Targeted domains identified in the campaign included multiple Microsoft services and email platforms using spoofed domain names designed to closely resemble legitimate Microsoft infrastructure. Malicious domains observed in the campaign included autodiscover-s[.]outlook[.]com, imap-mail[.]outlook[.]com, outlook[.]live[.]com, outlook[.]office[.]com, and outlook[.]office365[.]com. These typosquatted and look-alike domains enabled APT28 to register fraudulent TLS certificates that appeared superficially legitimate to users who did not carefully inspect certificate details.
For the vast majority of DNS queries unrelated to intelligence targets, the malicious resolvers functioned identically to legitimate DNS infrastructure, correctly resolving domain names and forwarding queries to authoritative name servers. This selective poisoning approach significantly reduced detection risk compared to comprehensive DNS manipulation that would break applications and generate user complaints. The infrastructure demonstrated high availability and performance characteristics comparable to legitimate public DNS resolvers, further reducing suspicion.
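The selective poisoning described above has a testable signature from the defender's side: the resolver handed out by DHCP agrees with a trusted resolver on ordinary domains but returns different addresses, outside the provider's ranges, for web-mail and login hostnames. The following script is an added example written for this page, not code from the original report. It keeps the lookups offline by wrapping constructed answer tables (documentation IPs only) in resolver callables; the domain lists and the `EXPECTED_NETS` range are assumptions standing in for a real provider's published service ranges.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Set

# Hostnames whose answers matter most. The campaign targeted web-mail and
# authentication portals; these names are illustrative, not the page's IoC list.
HIGH_VALUE_DOMAINS = {"outlook.office365.com", "outlook.office.com", "login.microsoftonline.com"}

# Ordinary domains with no intelligence value, used to measure whether the
# configured resolver behaves honestly on the bulk of traffic.
CONTROL_DOMAINS = {"example.com", "example.net", "example.org"}

# Ranges in which the provider's real front ends live. Constructed (TEST-NET-3);
# in practice use the provider's published service address ranges.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

Resolver = Callable[[str], Set[str]]

# Constructed answer tables standing in for live lookups. The reference table is what
# a trusted resolver returns; the poisoned table agrees on every control domain but
# steers two web-mail hostnames to a TEST-NET-2 address.
REFERENCE_ANSWERS = {
    "example.com": {"192.0.2.10"}, "example.net": {"192.0.2.11"}, "example.org": {"192.0.2.12"},
    "outlook.office365.com": {"203.0.113.50"}, "outlook.office.com": {"203.0.113.51"},
    "login.microsoftonline.com": {"203.0.113.52"},
}
POISONED_ANSWERS = dict(REFERENCE_ANSWERS)
POISONED_ANSWERS.update({"outlook.office365.com": {"198.51.100.9"}, "outlook.office.com": {"198.51.100.9"}})


def resolver_from(table: Dict[str, Set[str]]) -> Resolver:
    """Wrap an answer table as a resolver callable; swap in a real lookup in production."""
    return lambda name: set(table.get(name, set()))


def find_divergent(domains: Iterable[str], configured: Resolver, reference: Resolver) -> Dict[str, dict]:
    """Resolve each domain through both resolvers and return those whose answer sets differ.

    configured: the resolver the DHCP lease handed out (whatever /etc/resolv.conf says).
    reference:  a trusted resolver reached independently (DoH/DoT to a known provider,
                or the corporate resolver over VPN).
    """
    divergent = {}
    for name in sorted(domains):
        a, b = configured(name), reference(name)
        if a != b:
            divergent[name] = {"configured": sorted(a), "reference": sorted(b)}
    return divergent


def outside_expected(ips: Iterable[str], nets) -> Set[str]:
    """Addresses that fall in none of the expected networks."""
    return {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}


def assess(divergent: Dict[str, dict], high_value: Set[str], control: Set[str], expected_nets) -> str:
    """Classify the divergence pattern.

    Control domains disagreeing usually means split-horizon or geo-DNS noise rather than
    targeting. High-value answers that differ AND land outside the provider's ranges are
    the FrostArmada signature; differing answers still inside those ranges are more likely
    geo-DNS, because large providers legitimately answer differently by location.
    """
    if not divergent:
        return "consistent"
    bad_hv = {d for d in divergent if d in high_value}
    bad_ctrl = {d for d in divergent if d in control}
    if bad_ctrl:
        return "generic-divergence"
    steered = {d for d in bad_hv if outside_expected(divergent[d]["configured"], expected_nets)}
    if steered:
        return "selective-poisoning-suspected"
    return "geo-dns-likely"


def demo() -> str:
    """Run the check against the constructed tables and return the verdict."""
    div = find_divergent(HIGH_VALUE_DOMAINS | CONTROL_DOMAINS,
                         resolver_from(POISONED_ANSWERS), resolver_from(REFERENCE_ANSWERS))
    verdict = assess(div, HIGH_VALUE_DOMAINS, CONTROL_DOMAINS, EXPECTED_NETS)
    for name, ans in div.items():
        print(f"{name}: configured={ans['configured']} reference={ans['reference']}")
    print("verdict:", verdict)
    return verdict


if __name__ == "__main__":
    demo()
```

The design point is the two-sided test: exact-match divergence alone is noisy for large cloud providers, so the verdict only escalates when the configured resolver's answer for a high-value name also falls outside the ranges where that service actually answers.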
The adversary-in-the-middle nodes receiving redirected traffic presented fraudulent TLS certificates for the targeted domains and established encrypted connections with victim clients. Most web browsers and email clients displayed certificate validation warnings indicating that the presented certificate was not issued by a trusted certificate authority or did not match the expected domain name. However, research consistently demonstrates that the majority of users dismiss these warnings and proceed with connections, particularly in corporate environments where self-signed certificates and internal certificate authorities create habituation to certificate warnings.
Once users dismissed certificate warnings and established connections to APT28’s adversary-in-the-middle infrastructure, the threat actors positioned themselves to intercept all traffic flowing between victims and targeted services. This position enabled comprehensive harvesting of authentication credentials including usernames and passwords submitted through web-based login forms, OAuth authorization codes and bearer tokens used for modern authentication workflows, session cookies enabling account access without re-authentication, and email content, attachments, and metadata flowing through compromised email sessions.
The credential harvesting operation specifically targeted web-based email services and cloud authentication portals, reflecting APT28’s intelligence collection priorities focused on government communications, diplomatic correspondence, and sensitive organizational data. Microsoft 365 and Outlook on the Web emerged as primary targets, consistent with the prevalence of Microsoft cloud services across government and enterprise environments globally. The harvested credentials provided APT28 with persistent access to email accounts, cloud storage, and organizational collaboration platforms.
APT28’s operational methodology included real-time credential testing and validation. Harvested credentials were immediately tested against legitimate service infrastructure to confirm validity before being integrated into subsequent operations. Valid credentials enabled APT28 to access victim accounts directly from non-compromised infrastructure, bypassing the DNS hijacking mechanism for sustained intelligence collection operations that continued even after router compromises were remediated.
The intelligence value of this operation extended beyond immediate credential theft. Email content harvested during compromised sessions provided insights into organizational relationships, operational planning, strategic priorities, and personnel information valuable for subsequent targeting operations. OAuth tokens provided extended access to cloud services without requiring password re-entry. The passive nature of the harvesting operation meant victims had no indication their credentials had been compromised until unusual account activity was detected or law enforcement notification occurred.
APT28 structured Operation FrostArmada into two distinct operational clusters with specialized responsibilities. The expansion cluster focused exclusively on router compromise operations, conducting internet-wide scanning to identify vulnerable devices, executing exploitation against identified targets, and maintaining persistence on compromised infrastructure. This team operated the botnet management infrastructure and ensured continued access to compromised routers even as victims applied patches or changed credentials.
The credential interception cluster managed the malicious DNS resolver infrastructure and adversary-in-the-middle nodes. This team maintained the lists of targeted domains, managed fraudulent TLS certificates, operated the interception nodes harvesting credentials, and performed credential validation and intelligence triage. The separation of expansion and exploitation functions allowed operational specialization and compartmentalization, reducing risk that compromise of one cluster would expose the other.
This organizational structure enabled APT28 to rapidly scale the operation while maintaining operational security. The expansion cluster could aggressively pursue router compromises without concern for intelligence burn, as compromised routers represented replaceable infrastructure assets. The credential interception cluster focused exclusively on high-value targets identified through the broad compromise base, applying selective targeting to maximize intelligence value while minimizing detection risk from widespread suspicious activity.
International law enforcement agencies conducted a coordinated disruption operation designated Operation Masquerade, executing court-authorized technical operations to remediate compromised routers without requiring individual victim notification or manual remediation. The operation remotely accessed compromised routers using the same vulnerabilities and administrative access methods employed by APT28, then reconfigured DNS settings to restore legitimate resolver addresses and remove APT28’s persistence mechanisms.
This remote remediation approach enabled rapid restoration of thousands of compromised devices that would have been impractical to address through traditional victim notification and manual patching procedures. Many SOHO router operators lack the technical expertise to identify and remediate compromises, and end-of-life devices cannot be patched regardless of user action. Court-authorized remote access and remediation is a relatively new approach to large-scale botnet disruption, previously employed in operations against botnets including VPNFilter and Cyclops Blink.
Organizations and home users must immediately audit DNS configurations on all SOHO routers across their networks. Security teams should verify that primary and secondary DNS resolver addresses point exclusively to legitimate servers provided by the organization’s ISP or trusted public DNS providers including Google Public DNS, Cloudflare DNS, or Quad9. Establish documented baseline DNS configurations and implement monitoring to detect unauthorized changes to DHCP and DNS settings. Regular audits should verify that router configurations match approved baselines and investigate any deviations as potential security incidents.
All MikroTik, TP-Link, and other edge network devices must be updated to the latest firmware versions to remediate known vulnerabilities including CVE-2023-50224. Organizations should establish comprehensive inventories of all network edge devices including SOHO routers, small business firewalls, and access points, tracking firmware versions and patch status. Any devices that have reached end-of-life and no longer receive security updates must be immediately decommissioned and replaced with currently supported models, as these devices represent permanent exploitable entry points that cannot be secured through patching.
Organizations with mobile device management solutions should deploy certificate pinning policies for all corporate laptops, phones, and tablets. Certificate pinning ensures that managed devices will only accept TLS certificates from specified trusted certificate authorities for designated domains, preventing adversary-in-the-middle attacks even when DNS has been compromised. When APT28’s infrastructure attempts to intercept TLS connections using fraudulent certificates, pinned devices will reject the connection entirely rather than displaying dismissible certificate warnings, providing robust protection against this attack vector.
All remote management interfaces on routers and firewalls must be disabled unless absolutely necessary for legitimate administrative purposes. Where remote access is required for operational needs, organizations must enforce strong authentication mechanisms including complex passwords, certificate-based authentication, or multi-factor authentication. Access should be restricted to trusted IP address ranges using firewall rules, and remote administration should be conducted exclusively through VPN tunnels rather than directly exposed internet interfaces. Publicly exposed administrative panels represent the primary attack vector APT28 exploited for mass router compromise.
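The DNS baseline audit and the management-interface check recommended in the two preceding passages can be automated against a router's exported configuration. The script below is an added example written for this page, not code from the original report or from any vendor. It parses a constructed snippet written in the style of a MikroTik RouterOS `/export` (the sample is not a real device's configuration); the ISP resolver addresses, the trusted management network and the TEST-NET values are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Approved resolvers: the organisation's ISP resolvers (constructed placeholders here)
# plus the public providers named in the text.
APPROVED_RESOLVERS = {
    "203.0.113.53", "203.0.113.54",        # constructed stand-ins for the ISP's resolvers
    "8.8.8.8", "8.8.4.4",                  # Google Public DNS
    "1.1.1.1", "1.0.0.1",                  # Cloudflare DNS
    "9.9.9.9", "149.112.112.112",          # Quad9
}
# Networks from which remote administration is acceptable (constructed: a management VLAN).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MGMT_SERVICES = {"www", "www-ssl", "ssh", "winbox", "api", "api-ssl", "telnet", "ftp"}

# Constructed sample in the style of a RouterOS "/export"; not a real device's config.
# The DHCP pool hands out two resolvers in TEST-NET-2 and the web UI is reachable from
# anywhere, which is the end state the text describes for a hijacked router.
SAMPLE_EXPORT = """\
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=198.51.100.7,198.51.100.8 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=198.51.100.7
/ip service
set telnet disabled=yes
set www address=0.0.0.0/0 disabled=no
set ssh address=10.10.0.0/24 disabled=no
set winbox disabled=no
"""

KV = re.compile(r"(\S+?)=(\S+)")


def parse_export(text: str) -> List[Dict[str, str]]:
    """Flatten an export into records: {'_section', '_verb', '_target', key: value, ...}."""
    records, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # section header such as "/ip dns"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        tokens = rest.split()
        # "set www address=..." names a target before the key=value pairs; "add ..." does not.
        target = tokens[0] if tokens and "=" not in tokens[0] else ""
        rec = {"_section": section, "_verb": verb, "_target": target}
        rec.update(dict(KV.findall(rest)))
        records.append(rec)
    return records


def restricted_to_trusted(address_value: str) -> bool:
    """True when every listed network lies inside one of the trusted admin networks."""
    if not address_value:
        return False                      # no address= means reachable from any interface
    for item in address_value.split(","):
        net = ipaddress.ip_network(item, strict=False)
        if not any(net.subnet_of(t) for t in TRUSTED_ADMIN_NETS):
            return False
    return True


def audit(text: str) -> List[Dict[str, str]]:
    """Return one finding per resolver outside the baseline and per exposed management service."""
    findings = []
    for rec in parse_export(text):
        # DHCP-advertised resolvers and the router's own upstream resolvers must match the baseline.
        for key in ("dns-server", "servers"):
            if key in rec:
                for ip in rec[key].split(","):
                    if ip not in APPROVED_RESOLVERS:
                        findings.append({"check": "unapproved-resolver",
                                         "section": rec["_section"], "resolver": ip})
        # Enabled management services must be bound to trusted networks only.
        if rec["_section"] == "/ip service" and rec["_target"] in MGMT_SERVICES:
            enabled = rec.get("disabled", "no") != "yes"
            if enabled and not restricted_to_trusted(rec.get("address", "")):
                findings.append({"check": "exposed-management", "service": rec["_target"],
                                 "address": rec.get("address", "(any)")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f)
```

Run it on a scheduled pull of each router's export and treat any non-empty result as an incident to triage, not a configuration drift to silently correct; the `dns-server` entries in the DHCP network are the field the campaign changed, and they are what every downstream device inherits.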
Organizations should deploy comprehensive DNS logging and monitoring across enterprise networks to detect unusual query patterns, unexpected resolver changes, or traffic flowing to unfamiliar IP addresses. Security information and event management systems should be configured with correlation rules detecting DNS queries to typosquatted domains resembling legitimate services, unexpected changes to endpoint DNS resolver configurations, and DNS traffic directed to IP addresses outside expected ranges. Maintain blocklists of known malicious domains and IP addresses published in threat intelligence feeds and indicators of compromise from this campaign, integrating DNS telemetry into security operations workflows for real-time alerting on suspicious patterns.
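The three correlation rules just listed (look-alike domains, an endpoint talking to a resolver outside the approved set, and answers for protected services landing outside expected address ranges) can be expressed as a small detector over resolver logs. The code below is an added example for this page, not the original report's tooling. It runs over constructed log lines in a simple `key=value` format using only documentation IP ranges; the approved-resolver set, the protected-domain list, the brand tokens and the `EXPECTED_NETS` range are assumptions to be replaced with an organisation's own baseline and the provider's published ranges.

```python
import ipaddress
import re
from typing import Dict, List

APPROVED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "9.9.9.9", "1.1.1.1", "8.8.8.8"}  # constructed baseline
# Registrable domains of the services the campaign targeted, tokens that betray a look-alike,
# and the ranges in which the real front ends are expected to answer (constructed TEST-NET-3).
PROTECTED_DOMAINS = {"outlook.com", "office.com", "office365.com", "microsoftonline.com", "live.com"}
BRAND_TOKENS = {"outlook", "office365", "microsoftonline"}   # tune per environment to limit noise
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver log lines (documentation IPs only). Line 2 shows a client whose DHCP
# lease switched it to a rogue resolver; line 3 shows a query to a brand look-alike.
LOG_LINES = """\
2025-12-03T10:15:02Z client=10.0.0.12 resolver=203.0.113.53 qname=example.com qtype=A answer=192.0.2.10
2025-12-03T10:15:07Z client=10.0.0.12 resolver=198.51.100.7 qname=outlook.office365.com qtype=A answer=198.51.100.9
2025-12-03T10:16:40Z client=10.0.0.31 resolver=203.0.113.53 qname=outlook-office365.example qtype=A answer=198.51.100.12
2025-12-03T10:17:01Z client=10.0.0.31 resolver=203.0.113.53 qname=login.microsoftonline.com qtype=A answer=203.0.113.80
"""
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(FIELD.findall(rest))
    return rec


def registrable(qname: str) -> str:
    """Last two labels. Adequate for the demo; production code should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats of protected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(qname: str) -> bool:
    """Not a protected domain, but it embeds a brand token or sits within edit distance 2 of one."""
    reg = registrable(qname)
    if reg in PROTECTED_DOMAINS:
        return False
    label = reg.split(".")[0]
    if any(tok in label for tok in BRAND_TOKENS):
        return True
    return any(levenshtein(reg, p) <= 2 for p in PROTECTED_DOMAINS)


def answer_outside_expected(answer: str) -> bool:
    """True for an IP answer that lies in none of the expected networks; non-IP answers (CNAMEs) are ignored."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return not any(ip in n for n in EXPECTED_NETS)


def detect(log_text: str) -> List[Dict[str, str]]:
    """Apply the three correlation rules to every log line and return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        qname, answer = rec.get("qname", ""), rec.get("answer", "")
        base = {"ts": rec["ts"], "client": rec.get("client", "")}
        if rec.get("resolver") not in APPROVED_RESOLVERS:
            alerts.append({**base, "rule": "unexpected-resolver", "resolver": rec.get("resolver", "")})
        if is_lookalike(qname):
            alerts.append({**base, "rule": "lookalike-domain", "qname": qname})
        elif registrable(qname) in PROTECTED_DOMAINS and answer_outside_expected(answer):
            alerts.append({**base, "rule": "answer-outside-expected-range", "qname": qname, "answer": answer})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The `unexpected-resolver` rule is the one that catches the campaign's DHCP propagation directly: a client that was querying the corporate resolver yesterday and a TEST-NET address today has had its lease rewritten, whatever it happens to be looking up.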
T1190: Exploit Public-Facing Application
T1078: Valid Accounts
T1583: Acquire Infrastructure
T1588: Obtain Capabilities
T1586: Compromise Accounts
T1528: Steal Application Access Token
T1556: Modify Authentication Process
T1557: Adversary-in-the-Middle
T1584: Compromise Infrastructure
T1595: Active Scanning
T1071: Application Layer Protocol
T1036: Masquerading
(Due to the extensive list of over 150 IP addresses, I’m providing a representative sample. The full list is available in the PDF document.)
Primary IP Ranges: