Espionage Without Malware: APT28's Quiet Credential Harvest
A Russian state-backed espionage group has been stealthily intercepting internet traffic from high-value organizations around the globe for well over a year, exploiting known vulnerabilities in small office/home office (SOHO) routers. The operation, attributed to APT28 — also known as Fancy Bear or Forest Blizzard — and its subgroup Storm-2754, requires no malware, no zero-day exploits, and no sophisticated tooling. Just one modified DNS entry.
The targets are far from trivial. Victims include ministries of foreign affairs and national law-enforcement bodies across North Africa, Central America, and Southeast Asia, a national identity platform, various third-party service providers in Europe, and organizations in 23 US states. Researchers at Lumen's Black Lotus Labs and Microsoft have jointly documented the campaign, and on April 7, the US Justice Department (DoJ) announced a court-ordered disruption operation dubbed "Operation Masquerade" targeting the US-facing portion of the activity.
How the Attack Works
APT28, backed by Russia's Main Directorate of the General Staff of the Armed Forces (GRU), has been exploiting known vulnerabilities in internet-exposed edge devices — primarily MikroTik and TP-Link routers, with some cases involving firewall products from Nethesis and Fortinet. Once inside, the attackers make a single, subtle change: they modify the device's Domain Name System (DNS) settings to route traffic through malicious virtual private servers (VPS) under their control.
When a user on the compromised network visits a site of interest to APT28 — such as Microsoft Outlook on the Web — their request passes through the attacker's infrastructure, which proxies it and silently strips out credentials in transit.
One specific vulnerability actively scanned for in this campaign is CVE-2023-50224, a medium-severity information disclosure flaw affecting TP-Link routers that requires no authentication to exploit. This three-year-old bug allowed APT28 to remotely access router administration interfaces and reconfigure DNS settings at will.
No Malware, No Trace
Danny Adamitis, principal information security engineer at Black Lotus Labs, highlighted the near-invisible nature of this attack vector when speaking to Dark Reading.
"One of the things that piqued my interest: there is no malware. If you were to have your router getting logged into, even if you were to hypothetically scan it all with an endpoint detection and response (EDR) tool or upload everything to VirusTotal, there is nothing there. The only thing they're doing is modifying just one entry of your DNS settings, to route traffic to a server that they control and administrate."
This approach effectively renders traditional endpoint-based detection useless. There are no malicious binaries, no anomalous processes — only a quietly redirected DNS query pointing to infrastructure the attackers own.
Scale and Timeline
The campaign's scope is substantial. At its peak in December 2025, Black Lotus Labs identified 18,000 unique IP addresses across at least 120 countries communicating with the attackers' infrastructure. Microsoft identified more than 200 impacted organizations and more than 5,000 consumer devices.
Researchers differ slightly on the campaign's start date. Microsoft places its origin at least as far back as August 2025. Black Lotus Labs cites May 2025, when it identified a compromised router associated with the government of Afghanistan. The DoJ's Operation Masquerade press release, meanwhile, suggests it dates to "at least 2024."
The timing of the campaign's intensification is notable. On August 6, 2025, the United Kingdom's National Cyber Security Centre (NCSC) published a report titled "Authentic Antics," detailing an APT28 malware tool designed to steal Microsoft Office credentials and tokens. The very next day, August 7, APT28 pivoted. With its prior tactics, techniques, and procedures (TTPs) now publicly exposed, the group shifted decisively to its SOHO router campaign — demonstrating remarkable operational agility.
Why SOHO Routers Make Ideal Targets
Ryan English, information security engineer at Lumen Technologies, acknowledged that it is somewhat surprising for high-profile government entities to rely on SOHO-grade network equipment.
"It seems odd that some of these governments that were targets would be using small office/home office routers. But it's a question of economics, convenience, and access. Some governments might make the choice to use this because it works perfectly well. But you can't inspect the logs on a lot of these SOHO routers. Some of them are not easy to manually update whenever there's patching needed. So they're vulnerable as sort of a condition of their existence."
English recommends that organizations move away from SOHO routers where possible, though he recognizes the practical and financial constraints that make them so widely deployed.
The Deeper Problem: DNS as an Unaccountable Attack Surface
For Adamitis, the router vulnerabilities are only the surface-level issue. The more intractable problem, he argues, is the fundamental lack of accountability in the Domain Name System itself — a system that APT28 has repeatedly targeted.
He draws a comparison to navigation: when using Google Maps, users trust the directions presented without independently verifying the underlying route data. DNS works the same way — users simply trust it to resolve the correct server address. When an attacker modifies that system at the back end, users have no way of knowing their traffic is being redirected.
"There is no equivalent for the DNS space. DNS by its nature is a decentralized system that no one's really accountable for. And because no one's really accountable for it, [when something goes wrong], you end up with the Spider-Man meme, where everyone points to each other and goes, 'No, it's their fault.' It truly is, in my mind, the Wild West."
What Organizations Can Do
While the DNS accountability problem remains systemic and unresolved, Adamitis notes that the router side of this equation is more manageable. Basic cyber hygiene — regular patching, firmware updates, and network monitoring — can meaningfully reduce exposure. Organizations that lack the in-house resources to maintain their router infrastructure can engage managed service providers to do it on their behalf.
- Replace or upgrade end-of-life and unpatched SOHO routers, particularly MikroTik and TP-Link devices
- Apply patches for known vulnerabilities, including CVE-2023-50224
- Monitor DNS configuration changes on all network devices
- Audit traffic flows for unexpected routing through unfamiliar VPS infrastructure
- Consider DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) implementations to reduce tampering exposure
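One way to implement the DNS-configuration monitoring recommended in the list above, as an added example that is not from Dark Reading, Black Lotus Labs or Microsoft: it compares two RouterOS-style configuration exports and flags any resolver that is new since the baseline or outside an approved set. The export snippets, the addresses (documentation and private ranges), the allowlist and the function names are all constructed for illustration.

```python
import re

# Constructed RouterOS-style exports; addresses are documentation/private ranges.
BASELINE = """/ip dns
set allow-remote-requests=yes servers=192.0.2.53,192.0.2.54
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
"""
CURRENT = """/ip dns
set allow-remote-requests=yes servers=203.0.113.53,192.0.2.54
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
"""
APPROVED = {"192.0.2.53", "192.0.2.54", "192.168.88.1"}  # assumed allowlist

# Config section -> parameter that names the resolvers clients will end up using.
DNS_KEYS = {"/ip dns": "servers", "/ip dhcp-server network": "dns-server"}


def extract_resolvers(export_text):
    """Return {(section, key): {resolver, ...}} for DNS-related settings."""
    # Long export lines may be wrapped with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    found, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        key = DNS_KEYS.get(section)
        match = key and re.search(rf"(?:^|\s){re.escape(key)}=(\S+)", line)
        if match:
            values = {v.strip('"') for v in match.group(1).split(",") if v.strip('"')}
            found.setdefault((section, key), set()).update(values)
    return found


def audit(baseline_text, current_text, approved):
    """Flag resolvers added since the baseline or missing from the approved set."""
    base, cur = extract_resolvers(baseline_text), extract_resolvers(current_text)
    findings = []
    for (section, key), resolvers in sorted(cur.items()):
        for ip in sorted(resolvers):
            is_new = ip not in base.get((section, key), set())
            if is_new or ip not in approved:
                findings.append({"section": section, "key": key, "resolver": ip,
                                 "new_since_baseline": is_new, "approved": ip in approved})
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, APPROVED):
        print("DNS drift:", finding)
```

Checking against the allowlist as well as the baseline matters when the first snapshot was taken after the device had already been altered: the resolver is then not "new", but it is still reported as unapproved.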
The DoJ Responds
The US Justice Department's Operation Masquerade, announced on April 7, represents a court-authorized effort to disrupt the portion of APT28's campaign affecting US targets. The DoJ confirmed that military, government, and critical infrastructure organizations had been compromised through the Trojanized routers. However, as the global scope of this campaign makes clear, the threat extends well beyond US borders and remains active.
APT28's long-standing focus on email access — dating back to its high-profile operations around the 2016 US election — continues to define its strategic objectives. What has changed is the methodology: rather than deploying detectable malware, the group has found that silently poisoning DNS on overlooked edge devices is quieter, cheaper, and arguably just as effective.
Source: Dark Reading