FrostArmada's APT28's (Russian GRU) campaign hijacking SOHO routers via DNS changes to steal Microsoft 365 logins and tokens from 18K devices in 120 countries.

How to protect against router DNS hijacking ?

Update firmware, disable remote admin, monitor DHCP/DNS settings, heed TLS warnings, use known-good resolvers like Quad9.

Is APT28 still active after FrostArmada takedown?

Disrupted, not destroyed—expect pivots; watch for similar ops from Forest Blizzard aliases.

🌐 Nation-State Threats

FrostArmada's Fall: How Cops Crushed Russia's Router Spy Network Targeting Microsoft Logins

Your router— that unassuming box humming in the corner— just got weaponized by Russian spies. Authorities smashed the plot mid-theft, but the scars linger across 120 countries.

Threat Digest Apr 07, 2026 4 min read

Network diagram showing compromised routers redirecting DNS traffic to Russian AitM proxies stealing credentials

⚡ Key Takeaways

International takedown dismantled FrostArmada's 18K-device botnet targeting Microsoft creds via router DNS hijacks. 𝕏
APT28 split ops into expansion (infect) and harvest (AitM creds) teams for scalable espionage. 𝕏
Routers now prime nation-state battleground—patch now to avoid the next wave. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#APT28 #DNS hijacking #FrostArmada #Microsoft 365 security #MikroTik routers #router compromise

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Bleeping Computer

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

APT28's FrostArmada: How Russian Spies Hijacked 18,000 Routers for Stealthy Global Espionage

APT28's Router Trap: How Russian Hackers Are Siphoning Your Secrets Through Everyday WiFi Gear

GRU's Simple Router Trick Nabbed Microsoft Tokens from 18,000 Networks

Iran's Hackers Already Sabotaging US Power and Water Grids

Stay in the loop