Heard of fileless malware? How about malwareless cyber espionage? Russia’s APT28 is spying on global organizations by modifying just one DNS setting in vulnerable routers.
A Russian state-backed cyber espionage group has been conducting a large-scale global surveillance campaign by exploiting outdated vulnerabilities in small office and home office (SOHO) routers, impacting organizations across multiple continents. The campaign, attributed to APT28 – also known as Fancy Bear or Forest Blizzard – and its subgroup Storm-2754, has targeted government agencies, law enforcement bodies, and critical infrastructure entities in regions including North Africa, Central America, Southeast Asia, Europe, and the United States.
Unlike traditional espionage operations that rely on advanced malware or zero-day exploits, this campaign demonstrates a low-complexity yet highly effective approach. By leveraging known vulnerabilities in widely used routers such as MikroTik and TP-Link, the group has been able to intercept internet traffic and gain unauthorized access to sensitive communications. The attackers reconfigured compromised devices to route traffic through malicious virtual private servers (VPS), enabling continuous monitoring and credential theft.
The scale of the operation is significant. At its peak in December 2025, approximately 18,000 unique IP addresses across more than 120 countries were found communicating with attacker-controlled infrastructure. In addition, over 200 organizations and thousands of consumer devices were reportedly affected, highlighting the widespread nature of the threat.
The primary objective of the campaign has been to gain access to email accounts and web-based services. By manipulating Domain Name System (DNS) settings on compromised routers, the attackers redirected user traffic through their own infrastructure. This allowed them to intercept login credentials, particularly for services such as webmail platforms, without deploying traditional malware, making detection significantly more difficult.
On April 7, the US Department of Justice announced a coordinated disruption effort, named “Operation Masquerade,” aimed at countering the impact of the campaign within the United States. The operation focused on mitigating threats to military, government, and critical infrastructure organizations that had been targeted through compromised network devices.
The campaign is believed to have been active since at least 2024, with activity continuing through 2025. Its persistence underscores the ongoing risk posed by unpatched and internet-exposed devices, particularly in environments where legacy hardware remains in use.
The use of SOHO routers in sensitive environments has raised concerns about security practices and infrastructure resilience. These devices, often chosen for their affordability and accessibility, typically lack advanced monitoring capabilities and are not always regularly updated, making them attractive entry points for threat actors.
The incident also highlights broader concerns around the security of the Domain Name System (DNS), a foundational component of internet infrastructure. By manipulating DNS configurations, attackers can silently redirect traffic without users’ awareness, effectively undermining trust in core internet services.
APT28 has a long history of cyber espionage activities, including high-profile operations targeting political and governmental entities. This latest campaign reflects a strategic evolution in tactics, focusing on exploiting overlooked infrastructure weaknesses to achieve persistent access to sensitive data.
As global cyber threats continue to evolve, the incident underscores the importance of proactive cybersecurity measures, including regular patching, network monitoring, and secure configuration of edge devices. It also reinforces the need for organizations to reassess their reliance on legacy systems and strengthen defenses against increasingly unconventional attack methods.
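The campaign above works by changing the resolver a router hands out to its clients, so one practical monitoring check is to audit, from a host behind the router, which nameservers it actually received and whether the answers they give for sensitive hostnames match a trusted reference. The following Python script is an added example written for this article, not code from the article or from any vendor; the resolv.conf text, the resolver allowlist, the hostnames and every IP address in it are constructed placeholders (documentation and private ranges), not indicators from the campaign.

```python
"""Defender-side audit for DNS redirection on hosts behind a SOHO router.

Two checks: (1) are the DHCP-supplied nameservers the ones we expect, and
(2) do the addresses the configured resolver returns for sensitive hostnames
match an out-of-band reference? Added example; all data below is constructed.
"""
import ipaddress

# Constructed sample /etc/resolv.conf as a Linux client behind a SOHO router
# might receive over DHCP. The second entry is a placeholder public address,
# not a real indicator.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
search corp.example
nameserver 192.168.88.1
nameserver 203.0.113.77
"""

# Assumed allowlist for this network: the router itself and an internal resolver.
EXPECTED_RESOLVERS = {"192.168.88.1", "10.0.0.53"}

# Constructed DNS answers: what the configured resolver returned versus what a
# trusted reference (e.g. the organization's own authoritative records) says.
OBSERVED_ANSWERS = {
    "webmail.example": {"203.0.113.10"},
    "intranet.example": {"10.0.1.25"},
}
REFERENCE_ANSWERS = {
    "webmail.example": {"198.51.100.20"},
    "intranet.example": {"10.0.1.25"},
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_rfc1918(addr: str) -> bool:
    """True if addr is a private IPv4 address, i.e. plausibly on the local LAN."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def suspicious_resolvers(resolv_conf: str, expected: set[str]) -> list[dict]:
    """Flag nameservers missing from the allowlist and note whether each is on
    the LAN. A redirected router pushes a resolver outside the local network,
    so off-LAN entries are the ones to escalate first."""
    findings = []
    for server in parse_nameservers(resolv_conf):
        if server not in expected:
            findings.append({"nameserver": server, "on_lan": is_rfc1918(server)})
    return findings


def mismatched_answers(observed: dict, reference: dict) -> dict:
    """Return hostnames whose observed answers contain addresses absent from
    the reference, mapped to those unexpected addresses."""
    mismatches = {}
    for host, addrs in observed.items():
        unexpected = addrs - reference.get(host, set())
        if unexpected:
            mismatches[host] = unexpected
    return mismatches


def run_audit() -> dict:
    """Combine both checks into one report for the constructed sample."""
    return {
        "resolvers": suspicious_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS),
        "answers": mismatched_answers(OBSERVED_ANSWERS, REFERENCE_ANSWERS),
    }


if __name__ == "__main__":
    report = run_audit()
    for f in report["resolvers"]:
        print(f"unexpected nameserver {f['nameserver']} (on LAN: {f['on_lan']})")
    for host, addrs in report["answers"].items():
        print(f"{host}: resolver returned {sorted(addrs)}, not in reference")
```

In practice the resolv.conf text would be read from the host and the observed answers gathered with the system resolver, while the reference set comes from a source the router cannot influence, such as the organization's own DNS records queried over an independent path. Running the check from several hosts on the same segment helps distinguish a single misconfigured client from a router whose DHCP or DNS settings have been altered.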