How targeted DNS requests were redirected at the router | Image: Lumen
In a sophisticated campaign codenamed FrostArmada, the threat research team at Black Lotus Labs (Lumen Technologies) has uncovered a massive operation by the Russian-linked actor Forest Blizzard. By exploiting the “fundamental internet technology” of DNS, the group turned thousands of everyday home and small-office routers into a global infrastructure for stealing high-value authentication credentials.
After the U.K. National Cyber Security Centre (NCSC) exposed one of the group's previous tools, Lumen observed "widespread router exploitation and DNS redirection beginning the next day".
The FrostArmada campaign focused on compromising edge devices—notably MikroTik and TP-Link routers—to gain remote administrative access. Once inside, the operators modified the router’s default DNS settings to point toward actor-controlled Virtual Private Servers (VPS).
This technique created a nearly invisible attack chain:
- Local Propagation: Through DHCP, the malicious DNS changes were automatically pushed to every workstation on the router’s local network.
- Selective Redirection: The actor-controlled DNS server functioned normally for most requests, but when a user queried a “targeted Fully Qualified Domain Name (FQDN)”—typically associated with authentication services—it provided the IP address of an Attacker-in-the-Middle (AitM) node instead.
- Token Harvesting: This “redirection funneled victims to AitM infrastructure,” where attackers could intercept traffic and exfiltrate “authentication material such as OAuth tokens” even after the victim completed a multifactor challenge.
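The three-step chain above (rogue resolver pushed by DHCP, honest answers for most names, a swapped answer only for targeted authentication FQDNs) can be hunted for from the inside of a network. The following is an added example written for this article, not code from Lumen or Black Lotus Labs: it models the DHCP-offered resolver list and the answers a LAN client gets for a set of names, and compares them against answers from an independent trusted resolver. The resolver allowlist, the FQDNs, and all IP addresses are constructed sample data (RFC 5737 documentation ranges); the "selective" heuristic is an assumption drawn from the article's description, not a published detection rule.

```python
"""Detecting router-level DNS redirection from a LAN client (added example).

Two signals are modelled:
  1. DHCP handing out a resolver that is not on the organisation's allowlist.
  2. Selective redirection: the local resolver agrees with a trusted resolver for
     most names but disagrees only for a small set of authentication FQDNs.
All sample data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Resolvers the organisation expects DHCP to hand out (constructed allowlist).
EXPECTED_RESOLVERS = {"192.168.88.1", "9.9.9.9"}

# Authentication-related names worth watching (constructed; use your own SSO/IdP hosts).
AUTH_FQDNS = {"login.example.org"}


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    detail: str = ""


def check_dhcp_resolvers(offered, expected=EXPECTED_RESOLVERS):
    """Flag every DHCP-offered resolver that is malformed or not on the allowlist."""
    findings = []
    for raw in offered:
        try:
            addr = str(ipaddress.ip_address(raw))
        except ValueError:
            findings.append(Finding("malformed_resolver", raw))
            continue
        if addr not in expected:
            findings.append(Finding("unexpected_dhcp_dns", addr, "not in resolver allowlist"))
    return findings


def compare_resolutions(local, trusted):
    """Flag names whose local answer shares no address with the trusted answer.

    CDNs legitimately return different subsets of addresses per resolver, so only a
    fully disjoint answer set is treated as divergent; overlap is accepted.
    """
    findings = []
    for name, trusted_ips in trusted.items():
        local_ips = set(local.get(name, ()))
        if not local_ips:
            findings.append(Finding("no_local_answer", name))
        elif local_ips.isdisjoint(trusted_ips):
            findings.append(Finding("divergent_answer", name,
                                    f"local={sorted(local_ips)} trusted={sorted(trusted_ips)}"))
    return findings


def looks_selective(findings, total_names, auth_fqdns):
    """Heuristic (assumption): a small share of names diverge and all of them are auth names.

    A resolver that is simply broken or pointed at a different CDN region tends to
    diverge broadly; the campaign's pattern is narrow and aimed at authentication.
    """
    divergent = [f for f in findings if f.kind == "divergent_answer"]
    if not divergent or total_names == 0:
        return False
    share = len(divergent) / total_names
    return share <= 0.5 and all(f.name in auth_fqdns for f in divergent)


def analyse(dhcp_offer, local, trusted, auth_fqdns=AUTH_FQDNS):
    """Run both checks; return (findings, selective_redirection_suspected)."""
    findings = check_dhcp_resolvers(dhcp_offer) + compare_resolutions(local, trusted)
    return findings, looks_selective(findings, len(trusted), auth_fqdns)


# --- constructed sample observations -------------------------------------------------
SAMPLE_DHCP_OFFER = ["192.168.88.1", "203.0.113.53"]   # second address: a resolver nobody configured
SAMPLE_TRUSTED = {                                      # answers from an independent trusted resolver
    "www.example.com":   {"198.51.100.10"},
    "cdn.example.net":   {"198.51.100.20", "198.51.100.21"},
    "mail.example.org":  {"198.51.100.30"},
    "login.example.org": {"198.51.100.40"},
}
SAMPLE_LOCAL = {                                        # answers from the LAN's DHCP-assigned resolver
    "www.example.com":   {"198.51.100.10"},
    "cdn.example.net":   {"198.51.100.21"},             # partial CDN overlap: not flagged
    "mail.example.org":  {"198.51.100.30"},
    "login.example.org": {"203.0.113.7"},               # only the auth name points elsewhere
}

if __name__ == "__main__":
    found, selective = analyse(SAMPLE_DHCP_OFFER, SAMPLE_LOCAL, SAMPLE_TRUSTED)
    for f in found:
        print(f"{f.kind:22} {f.name:20} {f.detail}")
    print("selective redirection suspected:", selective)
```

In practice the "trusted" answers would come from a resolver reached over a path the router cannot rewrite (for example DNS over HTTPS to a pinned endpoint), and a divergent answer for an authentication name should be treated as a lead to verify, not an automatic block: confirm it by checking which certificate the unexpected address presents for that name, which is also the check behind the "untrusted connection" warning the article mentions as the only visible symptom.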
Lumen’s investigation revealed that Forest Blizzard utilized a dedicated “expansion team” to grow its malicious network. This cluster focused on exploiting new devices via common web interface ports, targeting a wide range of hardware from SOHO routers to “enterprise-grade firewalls like Fortinet”.
At its peak in December 2025, Lumen detected “over 18,000 unique IPs from at least 120 countries communicating with Forest Blizzard’s infrastructure”.
The FrostArmada campaign was far from random. The infrastructure was “exclusively operationalized by the Forest Blizzard threat actor and is used to conduct operations against targeted organizations aligned with that actor’s strategic interests”.
Key targets identified through global telemetry included:
- Government Agencies: Ministries of foreign affairs and national law enforcement in North Africa, Central America, and Southeast Asia.
- National Identity: A connection to a national identity platform in a European country.
- Infrastructure: Third-party IT, hosting providers, and smaller cloud service providers across Europe.
Black Lotus Labs warns that “a DNS setting change on a single router can quietly reroute an entire network’s authentication traffic”. Because this approach required “minimal end-user interaction,” the only sign of an ongoing attack might be a single pop-up warning about an untrusted connection.
Lumen Technologies, in collaboration with Microsoft, the FBI, and the DOJ, has since disrupted this infrastructure and taken it offline. However, the campaign serves as a stark reminder that even well-documented weaknesses in the DNS ecosystem remain “challenging to address on a global scale,” and securing unmanaged edge devices is paramount to protecting enterprise credentials.