DNS hijacking through router compromise | Image: Microsoft
In a sophisticated campaign uncovered by Microsoft Threat Intelligence, a notorious Russian military-linked threat actor known as Forest Blizzard has been weaponizing the very devices that connect our homes and small offices to the world. Since at least August 2025, this group—and its subgroup Storm-2754—has compromised over 5,000 consumer devices and 200 organizations, turning insecure routers into a global malicious infrastructure.
By hijacking the Domain Name System (DNS) requests of these devices, Russian military intelligence “hides behind this legitimate but compromised infrastructure to spy on additional targets or conduct follow-on attacks”, as Microsoft puts it.
Forest Blizzard’s primary tactic involves compromising small office/home office (SOHO) routers, which are often less monitored and managed than enterprise assets. Once they gain access, the attackers modify the device settings to use “actor-controlled DNS resolvers”.
This gives the actor “persistent, passive visibility and reconnaissance at scale”. Because most endpoint devices automatically obtain their network settings, including their DNS server, from these edge routers via DHCP, the DNS queries of thousands of unsuspecting users, and the web traffic that depends on them, began flowing through resolvers the attackers controlled.
The technical execution of this campaign relies on a mix of legitimate tools and deceptive tactics:
- DNS Hijacking: The attackers are almost certainly using dnsmasq, a legitimate utility widely used in home routers, to listen for queries, resolve them, and serve the responses.
- Selective AiTM Attacks: In many cases, the DNS requests are transparently proxied, meaning the user reaches the legitimate website without seeing any interruption. However, for high-priority targets, Forest Blizzard spoofs the DNS response to force the victim to connect to a server they control.
- The TLS Trap: Once redirected, the malicious infrastructure presents an invalid TLS certificate. If a user ignores the browser’s certificate warning, the threat actor can “actively intercept the underlying plaintext traffic—potentially including emails and other customer content”.
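Two checks a defender can run on an endpoint to surface the behaviour described above, written as an added example (not Microsoft's or Forest Blizzard's tooling): verifying that the DHCP-assigned resolver is one the organization sanctions, and comparing answers from the locally assigned resolver against answers from a trusted out-of-band resolver to catch selectively spoofed records. The resolver IPs, domains and answers are constructed sample data; `SANCTIONED_RESOLVERS` is an assumed allowlist.

```python
"""Endpoint-side symptoms of router DNS hijacking (added example, constructed data)."""
import ipaddress

# Resolvers the organization sanctions on managed endpoints (assumed allowlist).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text, skipping junk."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry, not an IP address
    return servers


def unsanctioned_resolvers(text, sanctioned=SANCTIONED_RESOLVERS):
    """Resolvers handed out (typically via DHCP) that are not on the allowlist.
    A SOHO router's LAN address showing up here is the common case for remote staff."""
    return [s for s in parse_resolv_conf(text) if s not in sanctioned]


def dns_divergences(local, trusted):
    """Compare A-record answer sets from the locally assigned resolver with those
    from a trusted resolver reached out of band (e.g. over DoT/DoH, so the router
    cannot tamper with it). A name whose local answers share no address with the
    trusted answers is a spoofing candidate; transparently proxied lookups, the
    common case in this campaign, agree and are not reported. CDN-backed names can
    legitimately differ by region, so treat hits as leads to verify, for instance
    by connecting to the returned address with a certificate-verifying TLS client."""
    flagged = {}
    for name, trusted_ips in trusted.items():
        local_ips = set(local.get(name, ()))
        if local_ips and not local_ips & set(trusted_ips):
            flagged[name] = sorted(local_ips)
    return flagged


if __name__ == "__main__":
    # Constructed sample: a laptop at home got the router as its resolver.
    conf = "search lan\nnameserver 192.168.1.1\nnameserver not-an-ip\n"
    print("unsanctioned resolvers:", unsanctioned_resolvers(conf))
    local = {"mail.example.com": ["203.0.113.9"], "www.example.org": ["198.51.100.5"]}
    trusted = {"mail.example.com": ["192.0.2.10", "192.0.2.11"],
               "www.example.org": ["198.51.100.5"]}
    print("divergent answers:", dns_divergences(local, trusted))
```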
While the router compromise is broad, the follow-on Adversary-in-the-Middle (AiTM) attacks are highly selective. Microsoft has identified two primary lanes of this high-value collection:
- Microsoft 365 Domains: Attackers targeted domains associated with Microsoft Outlook on the web to intercept cloud-hosted content.
- Government Intelligence: Separate AiTM activity was identified targeting non-Microsoft hosted servers in at least three government organizations in Africa.
As remote and hybrid work becomes the norm, compromised home network infrastructure can “expose cloud access and sensitive data even when enterprise environments and cloud services themselves remain secure”.
Microsoft urges organizations and users to treat SOHO devices as a primary attack surface. Ensuring that routers have updated firmware, non-default credentials, and secure DNS settings is no longer just a home maintenance task—it is a matter of national and corporate security.