Operation Masquerade: FBI Disrupts GRU's Global DNS Hijacking Network Built on Compromised SOHO Routers
The FBI and Department of Justice have executed a court-authorized operation to dismantle a Russian military intelligence network that hijacked thousands of consumer routers worldwide, redirecting victims' DNS traffic through GRU-controlled servers to steal credentials, authentication tokens, and emails [1]. The operation, dubbed Operation Masquerade, targeted compromised TP-Link routers across the United States by resetting their DNS configurations and blocking the GRU's means of re-entry [1]. A companion joint advisory, co-sealed by agencies from 15 partner nations, lays out the technical details of the campaign and assesses APT28 as "almost certainly" GRU Military Unit 26165 [1][2].
Separately, a joint cybersecurity advisory published on July 13, 2026 by the FBI, NSA, CISA, and international partners details a parallel campaign by Russia's Federal Security Service (FSB) Center 16, which has been exploiting poorly configured networking devices (primarily routers) using SNMP scanning and known Cisco vulnerabilities [3]. The overlap in TTPs between these GRU and FSB campaigns, and with Chinese state actors like Salt Typhoon, points to a broader strategic pattern: state intelligence services are treating SOHO and enterprise routers as a primary attack surface for building covert proxy infrastructure.
APT28: GRU's Cyber Operations Arm
APT28 goes by many names: Fancy Bear, Forest Blizzard, Pawn Storm, Sofacy, Sednit. All refer to the same unit, the GRU's 85th Main Special Service Center (GTsSS), Military Unit 26165 [1]. The group has been conducting offensive cyber operations for over a decade, with a target list that tracks closely to Moscow's geopolitical priorities: defense ministries, foreign affairs agencies, NATO member state governments, and defense contractors.
Publicly reported operations include the 2015 German Bundestag intrusion, the 2016 Democratic National Committee breach, and an April 2018 attempted attack against the Organisation for the Prohibition of Chemical Weapons (as attributed by the NCSC and the Dutch MIVD). APT28 consistently blends custom tooling with opportunistic exploitation of commodity vulnerabilities, a pattern clearly visible in this router campaign.
The coalition backing the joint advisory includes agencies from Canada, the Czech Republic, Denmark, Estonia, Finland, Germany, Italy, Latvia, Lithuania, Norway, Poland, Portugal, Romania, Slovakia, and Ukraine [1]. The UK's National Cyber Security Centre (NCSC) published a companion advisory with additional technical details [2].
FSB Center 16: A Parallel Router Exploitation Campaign
The July 13, 2026 joint advisory identifies a distinct but operationally similar campaign by Russia's FSB Center 16, targeting critical infrastructure sectors including Communications, Defense Industrial Base, Energy, Financial Services, Government Services and Facilities (particularly state and local organizations), and Healthcare and Public Health [3].
FSB Center 16 actors primarily scan internet IP ranges for devices running Simple Network Management Protocol (SNMP) agents that accept common or default community strings [3]. This is not sophisticated. It is bulk scanning for misconfigured devices, and it works because an enormous number of routers are deployed with factory-default SNMP credentials.
The advisory explicitly notes that many of these TTPs overlap with activity attributed to Salt Typhoon, the Chinese state-sponsored group [3]. The mitigations recommended apply to both Russian and Chinese exploitation of the same device categories.
How the GRU DNS Hijacking Works
The GRU campaign follows a straightforward but effective kill chain. Since at least 2024, APT28 actors exploited known vulnerabilities, including CVE-2023-50224 in TP-Link WR841N routers, to steal credentials from thousands of routers worldwide [1][2]. MikroTik routers were also targeted in a related cluster of activity [2]. Once authenticated, the actors rewrote each router's DNS configuration to point at GRU-controlled resolvers. Every device on the network behind a compromised router then inherited the poisoned DNS settings.
The GRU's approach to target selection was notably methodical. Initial compromise was indiscriminate: actors targeted routers in bulk [1]. An automated filtering process then determined which DNS requests warranted active interception [1][2]. For selected targets, the GRU resolvers returned fraudulent DNS records mimicking legitimate services, with Microsoft Outlook Web Access (OWA) being a specific example cited in court documents [1]. This enabled adversary-in-the-middle (AitM) attacks against email authentication flows.
The data harvested included unencrypted passwords, authentication tokens, emails, and other sensitive information from devices sharing the network with compromised routers [1].
FSB Center 16: SNMP-Based Router Exploitation
The FSB campaign uses a different initial access vector but achieves a similar outcome: control of victim routing infrastructure. The technique centers on SNMP Set-Requests sent from spoofed IP addresses through proxy infrastructure [3].
These requests contain Object Identifiers (OIDs) that instruct the SNMP agent on misconfigured devices to:
- Copy its running configuration to a file, typically named
config.bkporoutput.txt[3] - Transfer that file via Trivial File Transfer Protocol (TFTP) to an actor-controlled leased VPS or compromised FTP server [3]
The exfiltrated configuration files contain everything a defender would want to keep private: credentials, routing tables, access control lists, VPN configurations, and SNMP community strings that enable further lateral movement.
Beyond SNMP exploitation, the FSB actors have also exploited known vulnerabilities in Cisco devices, including Cisco's Smart Install (SMI) functionality and web-based management portals [3].
Exploited Vulnerabilities
The joint advisory on FSB Center 16 activity identifies two specific CVEs that actors have exploited [3]:
CVE-2018-0171: A critical vulnerability (CVSS 9.8) in Cisco's Smart Install feature that allows remote code execution via buffer overflow. Smart Install was designed for zero-touch deployment of Cisco switches but has been widely abused due to the number of devices that leave this service exposed to the internet with no authentication on TCP port 4786. Cisco has published guidance on disabling Smart Install, but adoption remains inconsistent.
CVE-2008-4128: A Cross-Site Request Forgery (CSRF) vulnerability (CVSS 4.3, Medium) in the HTTP Administration interface of Cisco IOS 12.4 on 871 Integrated Services Routers (CWE-352). Exploitation requires an authenticated administrator to interact with attacker-controlled content (such as visiting a malicious web page while logged into the device's management interface), enabling arbitrary command execution. The continued exploitation of a vulnerability disclosed in 2008 speaks to the state of patching across network infrastructure; CISA added this CVE to the KEV catalog on July 13, 2026.
CVE-2023-50224: The vulnerability exploited in TP-Link WR841N routers in the GRU DNS hijacking campaign. This vulnerability enables an unauthenticated attacker to obtain credentials via specially crafted HTTP GET requests [2]. The IC3 PSA explicitly identifies this CVE as the exploitation vector for the TP-Link campaign.
Operation Masquerade: The FBI's Response
The FBI's technical countermeasures, authorized by court order in the Eastern District of Pennsylvania, involved sending commands directly to compromised U.S.-based TP-Link routers [1]. These commands:
- Collected evidence from compromised devices
- Reset DNS settings to legitimate values
- Forced routers to obtain DNS resolver addresses from their ISPs via normal DHCP processes
- Blocked the GRU's original unauthorized access mechanism [1]
This follows the same legal and operational model the FBI used in the January 2024 disruption of the Volt Typhoon KV Botnet and the February 2024 takedown of APT28's Ubiquiti EdgeRouter botnet. Court-authorized remote remediation of compromised infrastructure has become a standard tool in the FBI's counter-APT playbook.
MITRE ATT&CK Mapping
The following techniques are directly referenced in or derived from the source advisories [1][2][3]:
| Technique ID | Name | Context |
|---|---|---|
| T1595.001 | Active Scanning: Scanning IP Blocks | FSB Center 16 scans for SNMP-enabled devices [3] |
| T1595.002 | Active Scanning: Vulnerability Scanning | Scanning for exploitable SNMP configurations [3] |
| T1190 | Exploit Public-Facing Application | Exploitation of CVE-2018-0171, CVE-2008-4128, CVE-2023-50224 [1][2][3] |
| T1602.001 | Data from Configuration Repository: SNMP (MIB Dump) | Extraction of device configurations via SNMP [3] |
| T1602.002 | Data from Configuration Repository: Network Device Configuration Dump | Config files copied as config.bkp or output.txt [3] |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Actor-controlled VPS used for TFTP exfiltration and malicious DNS servers [2][3] |
| T1090 | Proxy | Scans run through proxy infrastructure; compromised routers used as proxies [3] |
| T1071 | Application Layer Protocol | TFTP used for configuration exfiltration [3] |
| T1048 | Exfiltration Over Alternative Protocol | TFTP-based exfiltration to actor-controlled servers [3] |
| T1584.008 | Compromise Infrastructure: Network Devices | Compromised routers and networking devices [1][2][3] |
| T1588.006 | Obtain Capabilities: Vulnerabilities | Use of known CVEs for initial access [2][3] |
| T1552.001 | Unsecured Credentials: Credentials In Files | Extraction of credentials from device configuration files [3] |
| T1557 | Adversary-in-the-Middle | DNS hijacking enabling AitM credential theft [1][2] |
Detection and Hunting
DNS Configuration Monitoring: The most direct detection for the GRU campaign is monitoring router DNS settings. Any TP-Link router (particularly the TL-WR841N) whose DNS configuration has changed without an authorized change ticket warrants immediate investigation. Automate DNS setting verification across all managed SOHO devices.
SNMP Traffic Analysis: For the FSB campaign, hunt for unexpected SNMP Set-Request traffic, particularly from external IP addresses. SNMP should not be accessible from the WAN on any production device. Alert on any SNMP traffic originating outside trusted management subnets.
index=firewall dest_port=161 OR dest_port=162 NOT src_ip IN (trusted_mgmt_subnet) | stats count by src_ip dest_ip
TFTP Exfiltration: Monitor for outbound TFTP connections (UDP port 69) from network devices. TFTP transfers from routers or switches to external IPs are abnormal in most environments and should generate high-confidence alerts.
index=netflow dest_port=69 src_ip IN (network_device_range) NOT dest_ip IN (internal_ranges) | table _time src_ip dest_ip bytes
Configuration File Artifacts: Look for files named config.bkp or output.txt on network devices or in TFTP server logs. These filenames are directly associated with FSB Center 16 operational patterns [3].
Cisco Smart Install: Scan your environment for devices with Smart Install enabled (TCP port 4786). Cisco's own scanning tool can identify exposed SMI services. Any device still running SMI facing the internet is an active liability.
OWA and Email Service DNS Records: For organizations running on-premises Outlook Web Access, monitor for DNS resolution anomalies where OWA domains resolve to unexpected IP addresses. Compare DNS resolution results from internal resolvers against known-good records.
Analysis
These two campaigns, one by the GRU and one by the FSB, represent complementary approaches to the same strategic objective: building globally distributed proxy and interception infrastructure from compromised networking equipment. The GRU's DNS hijacking campaign is more targeted in its exploitation phase, focusing on credential theft and email interception. The FSB's SNMP campaign is broader, focused on building access to networking infrastructure that can be used for multiple purposes including traffic interception, lateral movement, and persistent access to critical infrastructure networks.
The exploitation of CVE-2008-4128, a CSRF vulnerability disclosed 18 years ago, should concern every network operator. It confirms what most defenders already suspect: network infrastructure patching lags years or decades behind endpoint patching. Routers and switches are deployed, configured, and forgotten. They run firmware versions from the era when they were installed, and they rarely receive the same security scrutiny as servers or workstations.
The DOJ's explicit mention that GRU targeting was initially "indiscriminate" before applying automated filtering [1] is operationally significant. APT28 compromised routers in bulk and then sorted through the results for intelligence value. Organizations that do not consider themselves high-value targets are still at risk of becoming infrastructure for campaigns against those who are.
Red Sheep Assessment
Confidence: High
The convergence of GRU and FSB router exploitation campaigns, combined with the advisory's own acknowledgment that Salt Typhoon uses overlapping TTPs [3], points to a conclusion the advisories do not state directly: SOHO and enterprise router infrastructure likely represents a systemic intelligence collection platform for multiple state actors simultaneously. The same compromised Cisco router could be serving Russian, Chinese, or other state interests, and the victim organization would have no way to distinguish between them based on the exploitation method alone.
The FBI's repeated use of court-authorized remote remediation (Volt Typhoon's KV Botnet, APT28's EdgeRouter network, and now Operation Masquerade) has established a new operational norm. The U.S. government is now routinely accessing privately owned infrastructure to clean up state-sponsored compromises. This is effective in the short term, but it creates a dependency: router owners are not being forced to improve their security posture, because the FBI will clean up after them. The underlying vulnerabilities (default credentials, exposed management interfaces, and unpatched firmware) persist.
The 16-nation coalition co-sealing the advisory is assessed to be among the largest joint attributions for a single APT28 campaign, reflecting both the geographic scope of the targeting and a political decision to present a unified front. The inclusion of Ukraine among the signatories is notable but unsurprising given APT28's sustained targeting of Ukrainian government and military infrastructure.
We assess that router manufacturers, TP-Link in particular, likely face growing regulatory and reputational pressure. Reporting indicates the U.S. government has been scrutinizing TP-Link's security practices, and the FCC's March 2026 ban on imports of new foreign-manufactured routers combined with the scale of this campaign may accelerate any pending decisions about restricting TP-Link equipment in government networks.
Defender's Checklist
- ▢[ ] Audit all SOHO router DNS settings across your environment, particularly TP-Link TL-WR841N devices. Compare current DNS configurations against known-good baselines. Cross-reference against IOCs published in the NCSC advisory. Automated scanning with tools like Nmap or custom scripts can identify altered DNS settings at scale.
- ▢[ ] Check for CVE-2023-50224 on TP-Link WR841N routers. This is the specific vulnerability APT28 used for initial credential theft. Update firmware or replace end-of-life devices.
- ▢[ ] Disable SNMP on all network devices where it is not operationally required. Where SNMP is necessary, change default community strings, restrict SNMP access to trusted management subnets via ACLs, and upgrade to SNMPv3 with authentication and encryption. Verify with:
snmpwalk -v2c -c public <device_ip>(this should fail).
- ▢[ ] Disable Cisco Smart Install on all switches and routers using
no vstackin global configuration mode. Scan for exposed SMI services:nmap -p 4786 <network_range>. Patch any devices vulnerable to CVE-2018-0171.
- ▢[ ] Block SNMP (UDP 161/162) and TFTP (UDP 69) at the WAN edge for all network devices. These protocols should never be accessible from the internet. Review firewall rules to confirm no exceptions exist.
- ▢[ ] Implement DNS response monitoring for critical services, especially OWA and other authentication portals. Set up automated checks that compare DNS resolution results against known-good records and alert on any deviation.
- ▢[ ] Audit Cisco IOS 12.4 devices for CVE-2008-4128. Disable the HTTP server feature if not required (
no ip http server), or restrict web management access to trusted networks via ACLs. Review configurations for unauthorizedalias execcommands or unexpected privilege changes.
References
[1] https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled
[2] https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
[3] https://www.ic3.gov/CSA/2026/260713.pdf
Event Timeline
Timeline
Entity Relationships
Entity Graph (20 entities, 51 relationships)
Diamond Model
Diamond Model
Hunt Guide: APT28 SOHO Router DNS Hijacking Campaign (FrostArmada / Operation Masquerade)
Attribution: Detection logic below credits its original author. Rules adapted, ported, or quoted from a public source retain that source's author (e.g. SigmaHQ / Florian Roth, Elastic, Emerging Threats, Abuse.ch, or the cited vendor/researcher). Only rules explicitly marked RedSheep Security/Stone (original) were authored in-house. If you reuse a rule, preserve its stated attribution.
Hypothesis: If APT28 (GRU Unit 26165) has compromised SOHO routers in our environment or the home networks of remote workers, we expect to observe unauthorized DNS resolver changes on TP-Link and Ubiquiti EdgeRouter devices, anomalous DNS query patterns to unknown resolvers, exploitation attempts against CVE-2023-50224 on WAN-exposed management interfaces, MooBot botnet artifacts on EdgeRouter devices, and unusual Microsoft 365/OWA authentication patterns indicative of adversary-in-the-middle credential interception.
Intelligence Summary: APT28 (Fancy Bear / Forest Blizzard), operating under Russia's GRU 85th GTsSS (Military Unit 26165), has been systematically compromising TP-Link SOHO routers via CVE-2023-50224 and Ubiquiti EdgeRouters via default credentials to alter DNS configurations, redirecting victim traffic through GRU-controlled resolvers for credential harvesting and adversary-in-the-middle attacks targeting Microsoft OWA and authentication flows. Microsoft Threat Intelligence reports over 200 organizations and 5,000+ consumer devices affected, while Lumen's Black Lotus Labs detected over 18,000 unique IPs from 120+ countries communicating with Forest Blizzard infrastructure at peak activity in December 2025. The campaign specifically targets governments, militaries, defense contractors, and critical infrastructure organizations across NATO member states.
Confidence: High | Priority: Critical
Scope
- Networks: All network segments containing or connected to SOHO routers (TP-Link and Ubiquiti EdgeRouter devices), VPN concentrators serving remote workers, DMZ/perimeter network segments, and all endpoints behind potentially compromised routers. Include branch office networks, remote worker home networks (to the extent possible via VPN telemetry), and any network segment with consumer-grade routing equipment.
- Timeframe: 90-day lookback minimum (August 2025 through present) for the TP-Link DNS hijacking campaign (FrostArmada). Extend to 180 days (back to October 2024) if EdgeRouter devices are in the environment, given the earlier MooBot/EdgeRouter campaign. Focus highest-intensity analysis on the last 30 days.
- Priority Systems: 1) All TP-Link TL-WR841N and related EOL TP-Link router models. 2) All Ubiquiti EdgeRouter devices, especially those with default credentials. 3) Microsoft 365/OWA authentication infrastructure and Azure AD tenant. 4) DNS infrastructure (internal resolvers, DHCP servers assigning DNS). 5) VPN endpoints connecting remote workers. 6) Any SOHO router with WAN-exposed management interfaces (ports 22, 80, 443).
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
APT28 exploits CVE-2023-50224 in TP-Link TL-WR841N router httpd service (TCP/80) to extract stored credentials via specially crafted HTTP GET requests. While the CVE has an Adjacent attack vector, WAN-exposed management interfaces make it remotely exploitable at scale.
Splunk SPL:
index=firewall OR index=ids OR index=proxy dest_port=80 http_method=GET uri_path="*tp_link*" OR uri_path="*userRpm*" OR uri_path="*login*" OR uri_path="*cgi*"
| eval is_soho_target=if(match(dest_ip, "^(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.).*") OR match(dest_ip, "(?i)tp-?link"), 1, 0)
| search is_soho_target=1 OR dest_port=80
| stats count dc(src_ip) as unique_sources values(uri_path) as paths by dest_ip dest_port
| where count > 10
| sort -count
Elastic KQL:
(destination.port:80 AND http.request.method:"GET" AND (url.path:*userRpm* OR url.path:*login* OR url.path:*cgi-bin* OR url.path:*tp_link*)) OR (event.category:"intrusion_detection" AND vulnerability.id:"CVE-2023-50224")
Sigma Rule:
title: CVE-2023-50224 TP-Link Router Exploitation Attempt
id: 8f3a1c2d-4e5b-6789-abcd-ef0123456789
status: experimental
description: Detects HTTP GET requests targeting TP-Link router management interfaces consistent with CVE-2023-50224 credential extraction
author: RedSheep Security/Stone
date: 2026/04/07
references:
- https://nvd.nist.gov/vuln/detail/CVE-2023-50224
- https://www.ic3.gov/PSA/2026/PSA260407
logsource:
category: proxy
product: firewall
detection:
selection:
c-uri|contains:
- '/userRpm/'
- '/cgi-bin/luci'
- '/webpages/login.html'
cs-method: 'GET'
dst_port: 80
condition: selection
falsepositives:
- Legitimate TP-Link router administration from authorized management stations
- Network scanning tools used by IT staff
level: high
tags:
- attack.initial_access
- attack.t1190
- cve.2023.50224
Attribution: RedSheep Security/Stone (original)
Tune by excluding known IT management workstations and authorized vulnerability scanners. Focus on traffic from external/WAN sources hitting management interfaces. High false positive potential from legitimate router administration; correlate with subsequent DNS configuration changes.
T1078.001 — Valid Accounts: Default Accounts (Initial Access) [P1]
APT28 exploited factory-default credentials (ubnt/ubnt) on Ubiquiti EdgeRouters in the 2024 campaign. Many deployed units had never had credentials changed. GRU operators accessed routers already compromised by the MooBot botnet.
Splunk SPL:
index=firewall OR index=network sourcetype=sshd OR sourcetype=ssh
(dest_port=22 AND (user="ubnt" OR user="admin" OR user="root"))
| stats count dc(src_ip) as unique_sources first(_time) as first_seen last(_time) as last_seen by dest_ip user src_ip
| where count > 3
| sort -count
| table dest_ip user src_ip count first_seen last_seen
Elastic KQL:
(destination.port:22 AND (user.name:"ubnt" OR user.name:"admin" OR user.name:"root") AND event.category:"authentication") OR (process.name:"sshd" AND user.name:"ubnt")
Sigma Rule:
title: SSH Login With Default Ubiquiti EdgeRouter Credentials
id: 9a4b2d3e-5f6c-7890-bcde-f12345678901
status: experimental
description: Detects SSH authentication attempts using default Ubiquiti EdgeRouter credentials (ubnt), which APT28 exploited in their 2024 router compromise campaign
author: RedSheep Security/Stone
date: 2026/04/07
references:
- https://www.ic3.gov/PSA/2026/PSA260407
logsource:
category: authentication
product: linux
detection:
selection:
user:
- 'ubnt'
dst_port: 22
condition: selection
falsepositives:
- Legitimate Ubiquiti device administration using default credentials (which itself is a security finding)
level: critical
tags:
- attack.initial_access
- attack.t1078.001
Attribution: RedSheep Security/Stone (original)
Any successful authentication using 'ubnt' credentials should be treated as critical. Even failed attempts indicate an attacker probing for default-credential devices. Cross-reference dest_ip against your SOHO router inventory.
T1584.008 — Compromise Infrastructure: Network Devices (Resource Development) [P2]
APT28 compromises TP-Link and Ubiquiti EdgeRouter SOHO devices to use as operational infrastructure for DNS hijacking, proxy networks, and credential interception. Compromised routers serve as transparent proxies between victims and GRU-controlled servers.
Splunk SPL:
index=firewall OR index=netflow src_ip IN [your_soho_router_inventory]
| where dest_port NOT IN (53, 80, 443, 123)
| stats count dc(dest_ip) as unique_destinations values(dest_port) as ports by src_ip
| where unique_destinations > 20 OR count > 500
| sort -unique_destinations
| table src_ip unique_destinations count ports
Elastic KQL:
source.ip:("192.168.1.1" OR "192.168.0.1") AND NOT destination.port:(53 OR 80 OR 443 OR 123) AND event.category:"network"
Sigma Rule:
title: SOHO Router Unexpected Outbound Connections
id: ab5c3e4f-6a7b-8901-cdef-234567890123
status: experimental
description: Detects SOHO router devices making unexpected outbound connections to non-standard destinations, potentially indicating compromise by APT28 or similar actor for use as operational infrastructure
author: RedSheep Security/Stone
date: 2026/04/07
references:
- https://www.ic3.gov/PSA/2026/PSA260407
- https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
logsource:
category: firewall
detection:
selection:
src_ip|cidr:
- '192.168.0.0/16'
- '10.0.0.0/8'
dst_port|gt: 1024
filter:
dst_port:
- 53
- 80
- 443
- 123
- 8080
condition: selection and not filter
falsepositives:
- Legitimate router firmware update services
- Router cloud management services (Ubiquiti UniFi, TP-Link Cloud)
level: medium
tags:
- attack.resource_development
- attack.t1584.008
Attribution: RedSheep Security/Stone (original)
Requires an inventory of SOHO router management IPs. Filter out legitimate update servers and cloud management endpoints. Unexpected SSH (22) or high-port connections from routers are highest priority.
T1583.002 — Acquire Infrastructure: DNS Server (Resource Development) [P1]
APT28 configures VPS infrastructure as malicious DNS resolvers to receive redirected DNS queries from compromised routers. All devices behind a compromised router inherit the poisoned DNS configuration, sending queries through GRU-controlled infrastructure.
Splunk SPL:
index=network sourcetype=dns OR sourcetype=stream:dns
| stats dc(query) as query_count values(query) as queries by src_ip dest_ip
| where dest_ip NOT IN ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "208.67.222.222", "208.67.220.220", "9.9.9.9")
| lookup dnsinventory dest_ip as authorized_resolver OUTPUT authorized
| where isnull(authorized)
| sort -query_count
| table src_ip dest_ip query_count queries
Elastic KQL:
dns.resolved_ip:* AND NOT dns.server.ip:("8.8.8.8" OR "8.8.4.4" OR "1.1.1.1" OR "1.0.0.1" OR "208.67.222.222" OR "208.67.220.220" OR "9.9.9.9") AND event.category:"network"
Sigma Rule:
title: DNS Queries to Unauthorized Resolver - Potential Router DNS Hijack
id: bc6d4f50-7b8c-9012-def0-345678901234
status: experimental
description: Detects DNS queries being sent to DNS resolvers not in the organization's authorized list, which may indicate router-level DNS hijacking as used by APT28 in the FrostArmada campaign
author: RedSheep Security/Stone
date: 2026/04/07
references:
- https://www.ic3.gov/PSA/2026/PSA260407
- https://www.lumen.com/blog-and-news/en-us/frostarmada-forest-blizzard-dns-hijacking
logsource:
category: dns
detection:
selection:
dst_port: 53
filter_authorized:
dst_ip:
- '8.8.8.8'
- '8.8.4.4'
- '1.1.1.1'
- '1.0.0.1'
- '208.67.222.222'
- '208.67.220.220'
- '9.9.9.9'
condition: selection and not filter_authorized
falsepositives:
- Organizations using internal DNS resolvers not listed in the filter
- ISP-provided DNS servers
level: high
tags:
- attack.resource_development
- attack.t1583.002
Attribution: RedSheep Security/Stone (original)
CRITICAL: Customize filter_authorized with your organization's legitimate DNS resolvers, including internal DNS servers, ISP resolvers, and approved third-party resolvers. Without customization, this rule will generate significant false positives. Cross-reference any unknown resolvers against NCSC-UK and Lumen FrostArmada IOC lists.
T1557 — Adversary-in-the-Middle (Credential Access) [P1]
Using DNS hijacking to position GRU infrastructure between victims and legitimate services (particularly Microsoft OWA/M365), APT28 presents spoofed TLS certificates to intercept authentication flows, capturing passwords and authentication tokens when users dismiss certificate warnings.
Splunk SPL:
index=o365 OR index=azure sourcetype="ms:o365:management" OR sourcetype="azure:aad:signin"
| eval geo_pair=src_ip."-".user
| stats dc(src_ip) as unique_ips dc(City) as unique_cities values(src_ip) as source_ips values(City) as cities values(Country) as countries by user
| where unique_ips > 3 OR unique_cities > 2
| sort -unique_ips
| table user unique_ips unique_cities source_ips cities countries
Elastic KQL:
event.dataset:"o365.audit" AND event.action:"UserLoggedIn" AND o365.audit.ExtendedProperties.RequestType:"Login" | (azure.signinlogs.properties.status.errorCode:0 AND azure.signinlogs.properties.riskState:"atRisk")
Sigma Rule:
title: Microsoft 365 Authentication From Multiple Geographies - Potential AitM
id: cd7e5061-8c9d-0123-ef01-456789012345
status: experimental
description: Detects Microsoft 365 authentication events from multiple geographic locations for the same user within a short timeframe, potentially indicating adversary-in-the-middle credential interception via DNS hijacking as used by APT28
author: RedSheep Security/Stone
date: 2026/04/07
references:
- https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/
logsource:
product: m365
service: audit
detection:
selection:
Operation: 'UserLoggedIn'
ResultStatus: 'Succeeded'
condition: selection
falsepositives:
- Legitimate VPN use causing geographic disparity
- Travel
- Cloud proxy services
level: medium
tags:
- attack.credential_access
- attack.t1557
Attribution: RedSheep Security/Stone (original)
Requires Microsoft 365 Unified Audit Log or Azure AD Sign-in Logs. Correlate with impossible travel detection. Focus on OWA authentication events specifically. Users who dismissed TLS certificate warnings are highest-risk targets. Aggregate by user and look for concurrent sessions from disparate locations within 30-minute windows.
T1584.005 — Compromise Infrastructure: Botnet (Resource Development) [P1]
In the 2024 EdgeRouter campaign, APT28 repurposed Ubiquiti EdgeRouters already infected by the MooBot botnet (Mirai-derived), taking control of criminal botnet infrastructure for state-sponsored operations, creating attribution ambiguity between criminal and state-sponsored activity.
Splunk SPL:
index=ids OR index=firewall OR index=network
(signature="*mirai*" OR signature="*moobot*" OR signature="*botnet*")
OR (dest_port IN (37215, 52869, 23, 2323, 7547, 5555) AND action="allowed")
OR (dns_query="packinstall.kozow.com")
| stats count values(signature) as signatures values(dest_port) as ports by src_ip dest_ip
| sort -count
| table src_ip dest_ip signatures ports count
Elastic KQL:
(suricata.eve.alert.signature:*mirai* OR suricata.eve.alert.signature:*moobot*) OR dns.question.name:"packinstall.kozow.com" OR (destination.port:(37215 OR 52869 OR 2323 OR 7547) AND event.category:"network")
Sigma Rule:
title: MooBot Botnet DNS Communication Indicator
id: de8f6172-9dae-1234-f012-567890123456
status: experimental
description: Detects DNS queries to known MooBot botnet C2 domain packinstall.kozow.com, associated with APT28's repurposing of criminal botnet infrastructure on Ubiquiti EdgeRouters
author: RedSheep Security/Stone
date: 2026/04/07
references:
- https://www.ic3.gov/PSA/2026/PSA260407
logsource:
category: dns
detection:
selection:
query|contains:
- 'packinstall.kozow.com'
- 'kozow.com'
condition: selection
falsepositives:
- None expected - this domain is associated with malicious botnet activity
level: critical
tags:
- attack.resource_development
- attack.t1584.005
Attribution: RedSheep Security/Stone (original)
Any hit on packinstall.kozow.com should be treated as confirmed compromise. Investigate the source device immediately for MooBot artifacts: check /usr/lib/libu.a/, trojanized OpenSSH binaries (banner SSH-2.0-OpenSSH_6.7p2), unusual cron jobs, and modified /etc/init.d/ scripts.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | packinstall.kozow.com |
MooBot botnet C2 domain used in APT28's Ubiquiti EdgeRouter compromise campaign; routers communicating with this domain may be MooBot-infected and potentially repurposed by GRU operators |
| domain | kozow.com |
Parent domain associated with MooBot botnet infrastructure; subdomains used for C2 communications with compromised EdgeRouter devices |
| cve | CVE-2023-50224 |
Improper authentication/credential disclosure vulnerability in TP-Link TL-WR841N httpd service (TCP/80), CVSS 6.5. Exploited by APT28 for initial router access via specially crafted HTTP GET requests to extract stored credentials. No patch for EOL models. |
IOC Sweep Queries (Splunk):
index=dns OR index=proxy OR index=firewall (query="*packinstall.kozow.com*" OR url="*packinstall.kozow.com*" OR dest="*packinstall.kozow.com*" OR dns_query="*packinstall.kozow.com*")
| stats count first(_time) as first_seen last(_time) as last_seen values(src_ip) as sources by query
| table query sources count first_seen last_seen
index=dns OR index=proxy OR index=firewall (query="*kozow.com*" OR url="*kozow.com*" OR dest="*kozow.com*" OR dns_query="*kozow.com*")
| stats count first(_time) as first_seen last(_time) as last_seen values(src_ip) as sources by query
| table query sources count first_seen last_seen
index=vuln_scan OR index=ids (cve="CVE-2023-50224" OR signature="*CVE-2023-50224*" OR vulnerability_id="CVE-2023-50224")
| stats count values(dest_ip) as affected_hosts by cve signature
| table cve affected_hosts count
YARA Rules
APT28_MooBot_EdgeRouter_Artifacts — Detects MooBot botnet artifacts associated with APT28's repurposing of compromised Ubiquiti EdgeRouters, including trojanized OpenSSH binaries and known staging directories
rule APT28_MooBot_EdgeRouter_Artifacts
{
meta:
author = "RedSheep Security/Stone"
description = "Detects MooBot botnet artifacts on Ubiquiti EdgeRouters associated with APT28 GRU operations"
reference = "https://www.ic3.gov/PSA/2026/PSA260407"
date = "2026-04-07"
threat_actor = "APT28"
severity = "critical"
strings:
$ssh_banner = "SSH-2.0-OpenSSH_6.7p2" ascii
$moobot_dir = "/usr/lib/libu.a/" ascii
$moobot_c2 = "packinstall.kozow.com" ascii
$kozow = "kozow.com" ascii
$mirai_str1 = "/bin/busybox" ascii
$mirai_str2 = "LZRD" ascii
$mirai_str3 = "MOOBOT" ascii nocase
$init_mod = "/etc/init.d/" ascii
$tmp_bin = { 2F 74 6D 70 2F 2E [1-20] }
$var_run = { 2F 76 61 72 2F 72 75 6E 2F 2E [1-20] }
$ubnt_default = "ubnt" ascii
condition:
($ssh_banner and $ubnt_default) or
($moobot_c2 or $kozow) or
($moobot_dir and any of ($mirai_str*)) or
(2 of ($mirai_str*) and ($tmp_bin or $var_run)) or
($ssh_banner and $moobot_dir)
}
Attribution: RedSheep Security/Stone (original)
APT28_DNS_Hijack_Router_Config — Detects TP-Link and Ubiquiti router configuration files that have been modified to include suspicious DNS resolver settings, potentially indicating APT28 DNS hijacking
rule APT28_DNS_Hijack_Router_Config
{
meta:
author = "RedSheep Security/Stone"
description = "Detects router configuration files potentially modified by APT28 for DNS hijacking - flags non-standard DNS resolver entries in TP-Link and EdgeRouter configs"
reference = "https://www.ic3.gov/PSA/2026/PSA260407"
date = "2026-04-07"
severity = "high"
strings:
$tplink_dns1 = "wan_dns1_dynamic" ascii
$tplink_dns2 = "wan_dns2_dynamic" ascii
$tplink_cfg = "TP-LINK" ascii nocase
$edge_dns = "name-server" ascii
$edge_cfg = "ubnt" ascii
$dnsmasq = "server=" ascii
$resolv = "nameserver" ascii
$exclude_google1 = "8.8.8.8" ascii
$exclude_google2 = "8.8.4.4" ascii
$exclude_cf1 = "1.1.1.1" ascii
$exclude_cf2 = "1.0.0.1" ascii
condition:
filesize < 1MB and
(
($tplink_cfg and any of ($tplink_dns*)) or
($edge_cfg and $edge_dns) or
($dnsmasq or $resolv)
) and
not all of ($exclude_*)
}
Attribution: RedSheep Security/Stone (original)
Suricata Rules
SID 2026001 — Detects DNS query to MooBot botnet C2 domain packinstall.kozow.com associated with APT28 EdgeRouter operations
alert dns $HOME_NET any -> any 53 (msg:"APT28 MooBot C2 - packinstall.kozow.com DNS Query"; dns.query; content:"packinstall.kozow.com"; nocase; classtype:trojan-activity; sid:2026001; rev:1; metadata:created_at 2026_04_07, updated_at 2026_04_07;)
Attribution: RedSheep Security/Stone (original)
SID 2026002 — Detects DNS query to kozow.com parent domain associated with MooBot botnet infrastructure used by APT28
alert dns $HOME_NET any -> any 53 (msg:"APT28 MooBot Infrastructure - kozow.com DNS Query"; dns.query; content:"kozow.com"; nocase; classtype:trojan-activity; sid:2026002; rev:1; metadata:created_at 2026_04_07, updated_at 2026_04_07;)
Attribution: RedSheep Security/Stone (original)
SID 2026003 — Detects potential CVE-2023-50224 exploitation attempt against TP-Link TL-WR841N router management interface via HTTP GET credential extraction
alert http $EXTERNAL_NET any -> $HOME_NET 80 (msg:"APT28 CVE-2023-50224 TP-Link Router Credential Extraction Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/"; fast_pattern; classtype:web-application-attack; sid:2026003; rev:1; metadata:created_at 2026_04_07, updated_at 2026_04_07, cve CVE_2023_50224;)
Attribution: RedSheep Security/Stone (original)
SID 2026004 — Detects trojanized OpenSSH banner (SSH-2.0-OpenSSH_6.7p2) associated with MooBot-infected EdgeRouters repurposed by APT28
alert ssh any any -> $HOME_NET 22 (msg:"APT28 MooBot Trojanized SSH Banner - OpenSSH_6.7p2"; flow:established; ssh.software_version; content:"OpenSSH_6.7p2"; classtype:trojan-activity; sid:2026004; rev:1; metadata:created_at 2026_04_07, updated_at 2026_04_07;)
Attribution: RedSheep Security/Stone (original)
SID 2026005 — Detects SSH login attempt using default Ubiquiti EdgeRouter credentials (ubnt) from external network, associated with APT28 initial access technique
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"APT28 Default Ubiquiti Credential SSH Attempt"; flow:to_server,established; content:"ubnt"; classtype:attempted-admin; sid:2026005; rev:1; metadata:created_at 2026_04_07, updated_at 2026_04_07;)
Attribution: RedSheep Security/Stone (original)
SID 2026006 — Detects HTTP requests to TP-Link router login pages from external networks, indicating WAN-exposed management interfaces targeted by APT28
alert http $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TP-Link Router WAN Management Access Attempt"; flow:to_server,established; http.uri; content:"/webpages/login.html"; classtype:attempted-recon; sid:2026006; rev:1; metadata:created_at 2026_04_07, updated_at 2026_04_07;)
Attribution: RedSheep Security/Stone (original)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Firewall Logs | T1190, T1078.001, T1584.008, T1584.005 | Must include source/destination IP, port, protocol, and action. Critical for detecting WAN-exposed management interfaces and unauthorized outbound connections from SOHO devices. |
| DNS Logs (Passive DNS / DNS Query Logs) | T1583.002, T1557, T1584.005 | Must capture DNS query source IP, destination resolver IP, queried domain, and response. Essential for detecting unauthorized DNS resolvers and poisoned DNS configurations. Deploy DNS logging on internal resolvers and capture all port 53 traffic. |
| Network Flow Data (NetFlow/IPFIX) | T1584.008, T1190, T1583.002 | Flow data from border routers and switches to identify SOHO devices making unexpected outbound connections. Capture src/dst IP, port, byte count, and duration. |
| IDS/IPS Logs (Suricata/Snort) | T1190, T1584.005, T1557 | Deploy Suricata rules from this report. Ensure IDS/IPS is inspecting traffic to/from SOHO router management interfaces and monitoring for Mirai/MooBot signatures. |
| Microsoft 365 Unified Audit Log | T1557 | Must have E3/E5 licensing for full audit log capability. Capture UserLoggedIn events with source IP, geographic location, user agent, and authentication method. Enable Azure AD Sign-in Logs for impossible travel and risky sign-in detection. |
| Azure AD Sign-in Logs | T1557 | Captures authentication events with risk scores, conditional access evaluation, and geographic metadata. Critical for detecting AitM credential interception from DNS-hijacked networks. |
| Proxy / Web Gateway Logs | T1190, T1557 | Must log full URL, HTTP method, TLS certificate information (including certificate errors/warnings), and source/destination IP. |
| DHCP Logs | T1583.002, T1584.008 | Captures DNS server assignments pushed to clients. Changes in DHCP-assigned DNS servers may indicate router-level DNS hijacking. |
| Router Configuration Backups / SNMP | T1583.002, T1584.008 | Periodic router configuration backups (RANCID, Oxidized, or manual) enable detection of unauthorized DNS configuration changes. SNMP traps for configuration changes are also valuable. |
| SSH Authentication Logs | T1078.001, T1584.005 | Syslog from Linux-based network devices (EdgeRouters). Capture authentication success/failure, username, source IP, and SSH client banner. |
| Vulnerability Scanner Output | T1190 | Regular vulnerability scanning of network infrastructure to identify devices affected by CVE-2023-50224 and other router vulnerabilities. Include SOHO/edge devices in scan scope. |
Mitigations & Recommendations
Curated baseline: APT28 / Fancy Bear; library archetype
The curated playbook covers APT28's Outlook/Exchange, Print Spooler, Roundcube, legacy auth, and cloud C2 tradecraft well, along with NTLM relay and credential rotation containment. It does not address the current incident's SOHO router compromise vector (TP-Link CVE-2023-50224, Ubiquiti EdgeRouter default creds, MooBot botnet repurposing), DNS hijacking via router-controlled resolvers, or AitM TLS interception of M365/OWA authentication flows via poisoned DNS.
Established mitigations (curated):
- Patch CVE-2023-23397 Outlook, CVE-2022-38028 Print Spooler, all Roundcube CVEs across the fleet.
- Block outbound NTLM authentication at perimeter (Group Policy: NTLM traffic to remote servers).
- Rotate NTLM-exposed user passwords; force MFA re-enrollment.
- Disable Print Spooler on DCs and servers that don't need it.
- Block legacy auth tenant-wide via CA policy.
- Block known APT28 C2 and exfil infrastructure (CISA / Mandiant IOCs).
Established detection guidance (curated):
- CVE-2023-23397 Outlook NTLM relay hunt: outbound NTLM auth attempts to non-corporate SMB endpoints.
- GooseEgg / CVE-2022-38028 Print Spooler exploitation hunt.
- APT28 malware hash / name hunt.
- Roundcube / webmail exploitation hunt.
- Password spray against privileged accounts via legacy auth.
- Check for outbound connections to Yahoo / Google Drive / legitimate cloud abuse (APT28 C2 technique).
Net-new from this incident:
- Publish guidance to remote-worker population on replacing/patching end-of-life SOHO routers (specifically TP-Link TL-WR841N) and mandate credential change on any Ubiquiti EdgeRouter still on defaults.
- Treat home-router compromise as an in-scope initial access vector for remote-worker threat models — extend hunt telemetry down to the endpoint's resolver and TLS trust decisions, not just corporate egress.
- Coordinate with FBI Operation Masquerade notifications: if the org receives a victim-notification on a residential IP tied to an employee, trigger immediate credential rotation and session revocation for that user.
- Factory-reset and reflash to latest firmware all TP-Link TL-WR841N and Ubiquiti EdgeRouter devices in the remote-worker / branch inventory; enforce non-default admin credentials before returning to service. (Why: T1190 (CVE-2023-50224) and T1078.001 (ubnt/ubnt defaults) — both require device wipe + credential change to evict.)
- Enforce DNS-over-HTTPS or corporate DoH/DoT resolvers on all managed endpoints so the local router's DNS setting cannot be silently hijacked; block plaintext DNS egress from managed devices. (Why: T1583.002 / T1557 — bypasses router-level DNS poisoning even if the SOHO device is compromised.)
- Add certificate pinning / strict CA validation alerts for M365, OWA, and VPN endpoints; block sessions presenting untrusted issuers. (Why: T1557 — defeats spoofed TLS cert presentation in the AitM chain.)
- Block egress to known GRU DNS-resolver VPS IPs published in the joint FBI/NSA advisory at the corporate perimeter and via managed-endpoint firewall for remote workers. (Why: T1583.002 — malicious VPS resolvers named in the advisory.)
- Detect: Enumerate DNS resolver configuration on all corporate egress paths and remote/WFH endpoints; flag any endpoint using a non-corporate/non-ISP resolver, especially resolvers hosted on VPS ranges. (Why: T1583.002 — APT28 configures VPS DNS resolvers to receive queries from compromised routers; all devices behind the router inherit the poisoned config.)
- Detect: Hunt for TLS certificate anomalies on connections to Microsoft OWA / M365 / login.microsoftonline.com from remote users (unexpected issuers, short-lived certs, cert pinning failures). (Why: T1557 — APT28 uses DNS hijacking to present spoofed TLS certs and intercept M365/OWA authentication flows (AitM).)
- Detect: Inventory remote-worker and branch SOHO routers: identify TP-Link TL-WR841N, other TP-Link SMB models, and Ubiquiti EdgeRouter devices used as VPN/remote-access on-ramps to corporate resources. (Why: T1190 (TP-Link CVE-2023-50224) and T1078.001 (Ubiquiti default ubnt/ubnt creds) — both are entry vectors in this campaign.)
- Detect: Check for prior MooBot / Mirai-variant infection indicators on Ubiquiti EdgeRouters (unexpected listening ports, cron jobs, or beaconing) — APT28 has repurposed already-infected devices. (Why: T1584.005 — APT28 repurposed MooBot-infected EdgeRouters in the 2024 campaign.)
Sources
- FBI/IC3 Public Service Announcement: Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information (April 7, 2026)
- NCSC-UK Advisory: APT28 exploit routers to enable DNS hijacking operations (April 7, 2026)
- NVD: CVE-2023-50224 Detail
- TP-Link Security Advisory for CVE-2023-50224 (FAQ 5058)
- Microsoft Threat Intelligence: SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks (April 7, 2026)
- Lumen Black Lotus Labs: FrostArmada: Forest Blizzard DNS Hijacking (April 2026)