An international law enforcement operation has dismantled FrostArmada, a campaign by the Russian state-sponsored group APT28 (Fancy Bear/Forest Blizzard) that compromised SOHO routers from MikroTik and TP-Link to hijack DNS traffic and steal Microsoft 365 credentials and OAuth tokens. At its peak in December 2025, the botnet had infected 18,000 devices across 120 countries, targeting government agencies, law enforcement, and IT providers. The attackers redirected DNS queries to attacker-controlled VPS nodes that acted as adversary-in-the-middle proxies, intercepting authentication traffic between victims and Microsoft 365. The operation was disrupted with support from Microsoft, Black Lotus Labs, the FBI, the DOJ, and the Polish government. Defenders are advised to implement certificate pinning, patch affected devices, and remove end-of-life equipment from their networks.