What is APT28 and FrostArmada?

APT28 (Forest Blizzard) is a Russian state-linked hacker group behind FrostArmada, a DNS hijacking campaign using compromised SOHO routers for credential theft since May 2025.

How to secure my home router from DNS hijacking?

Update firmware immediately, change default passwords, use secure DNS resolvers like 1.1.1.1, and monitor for unusual traffic.

Does APT28 DNS hijacking affect consumers or just governments?

It hit 5,000 consumer devices alongside 200 orgs—anyone with vulnerable MikroTik or TP-Link routers could be pivoting to bigger targets.

🌐 Nation-State Threats

APT28's FrostArmada: How Russian Spies Hijacked 18,000 Routers for Stealthy Global Espionage

Imagine your dusty home router silently funneling your login credentials to Moscow. That's APT28's FrostArmada in action—18,000 devices compromised across 120 countries.

Threat Digest Apr 07, 2026 4 min read

Global map showing compromised routers in APT28's DNS hijacking campaign

⚡ Key Takeaways

APT28 compromised 18,000+ routers across 120 countries for passive DNS hijacking and credential theft. 𝕏
SOHO devices like TP-Link and MikroTik are prime targets due to weak security and global ubiquity. 𝕏
This campaign signals a shift toward scalable, AI-potential edge device espionage in cyber warfare. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#APT28 #DNS hijacking #FrostArmada #SOHO Routers

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

FrostArmada's Fall: How Cops Crushed Russia's Router Spy Network Targeting Microsoft Logins

APT28's Router Trap: How Russian Hackers Are Siphoning Your Secrets Through Everyday WiFi Gear

GRU's Simple Router Trick Nabbed Microsoft Tokens from 18,000 Networks

Iran's Hackers Already Sabotaging US Power and Water Grids

Stay in the loop