APT28 Conducts Malwareless Espionage by Modifying DNS Settings on Vulnerable SOHO Routers

Russia’s APT28 group is engaging in covert espionage operations by manipulating DNS settings on vulnerable SOHO routers. This method avoids deploying malware files, enabling undetected surveillance of global organizations through network infrastructure compromises.

What happened

Security researchers have identified that APT28, a Russian advanced persistent threat group, is conducting espionage without traditional malware. Instead of installing malware binaries, the group modifies a single DNS setting on vulnerable small office/home office routers. This alteration lets the threat actors intercept or redirect network traffic passing through the router, enabling espionage against targeted organizations worldwide.

This technique represents a shift away from typical malware-based attacks towards what researchers term 'malwareless cyber espionage.' The precise routers affected and the scope of the campaign were not detailed in the source.

Why it matters

This approach by APT28 demonstrates a sophisticated evasion technique that undermines standard malware detection and endpoint security solutions. By avoiding files entirely, traditional defenses that rely on identifying malicious code may be ineffective.

Modifying DNS settings at the router level can compromise all traffic passing through the device, potentially exposing sensitive communications from multiple devices inside an organization’s network. This method highlights the critical role of securing network infrastructure components, which are often overlooked compared to individual endpoints.

What security teams should do

Security teams should review the DNS configurations on all SOHO routers within their environments and compare them against the resolvers the organization has sanctioned, so that unauthorized changes stand out. It is important to ensure that routers are running the latest firmware and that default credentials are changed to reduce the attack surface that enables this kind of compromise.

Monitoring network traffic for unusual DNS queries and employing network segmentation can help contain the impact of compromised routers. Vendor-issued advisories, if available, should be followed closely for specific mitigation guidance.
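As an added illustration of the two checks recommended above (it is not code from the article or from the researchers it cites), the following Python script audits DNS settings exported from a set of routers against an approved-resolver list and scans DNS sensor log lines for clients that send queries to resolvers outside that list. The router configuration schema, the log line format, the hostnames and every IP address are constructed assumptions; addresses come from RFC 5737 documentation ranges and the private 10.0.0.0/8 block.

```python
"""Audit router DNS settings and DNS sensor logs for unapproved resolvers.

Added example, not from the original article. Router records, log lines and
addresses are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the organisation has sanctioned (constructed values).
APPROVED_RESOLVERS = frozenset({"203.0.113.53", "203.0.113.54", "10.0.0.1"})


@dataclass(frozen=True)
class RouterDnsConfig:
    """DNS settings pulled from a router's management interface (hypothetical schema)."""
    hostname: str
    wan_dns: tuple        # upstream resolvers the router itself forwards to
    lan_dhcp_dns: tuple   # resolvers the router hands out to LAN clients via DHCP


def audit_router(cfg, approved=APPROVED_RESOLVERS):
    """Return one finding per resolver entry that is not an approved IP address."""
    findings = []
    for field, servers in (("wan_dns", cfg.wan_dns), ("lan_dhcp_dns", cfg.lan_dhcp_dns)):
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                # A hostname or garbage here is itself suspicious on a SOHO device.
                findings.append(f"{cfg.hostname}: {field} holds non-IP value {server!r}")
                continue
            if str(ip) not in approved:
                findings.append(f"{cfg.hostname}: {field} points to unapproved resolver {ip}")
    return findings


# Constructed sensor log format: timestamp, client, destination, protocol, port, query name.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) qname=(?P<qname>\S+)$"
)


def parse_dns_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["dport"] = int(event["dport"])
    return event


def find_rogue_resolver_use(lines, approved=APPROVED_RESOLVERS):
    """Map each client IP to the set of unapproved resolvers it sent port-53 traffic to."""
    rogue = {}
    for line in lines:
        event = parse_dns_event(line)
        if event is None or event["dport"] != 53:
            continue
        if event["dst"] not in approved:
            rogue.setdefault(event["src"], set()).add(event["dst"])
    return rogue


# Constructed inventory: one clean router and one whose WAN resolver was changed.
ROUTERS = [
    RouterDnsConfig("branch-rtr-01", ("203.0.113.53",), ("10.0.0.1",)),
    RouterDnsConfig("branch-rtr-02", ("198.51.100.9",), ("10.0.0.1",)),
]

# Constructed sensor log: two clients behind branch-rtr-02 resolving via the rogue address.
SAMPLE_LOG = """\
2026-05-19T12:00:01Z src=10.0.0.12 dst=203.0.113.53 proto=udp dport=53 qname=mail.example.org
2026-05-19T12:00:02Z src=10.0.0.12 dst=198.51.100.9 proto=udp dport=53 qname=sso.example.org
2026-05-19T12:00:03Z src=10.0.0.15 dst=198.51.100.9 proto=udp dport=53 qname=vpn.example.org
this line is malformed and must be skipped
""".splitlines()


def run_report(routers=ROUTERS, log_lines=SAMPLE_LOG):
    """Combine both checks into one report dictionary."""
    return {
        "router_findings": [f for cfg in routers for f in audit_router(cfg)],
        "rogue_resolver_clients": find_rogue_resolver_use(log_lines),
    }


if __name__ == "__main__":
    report = run_report()
    for finding in report["router_findings"]:
        print("CONFIG:", finding)
    for client, resolvers in sorted(report["rogue_resolver_clients"].items()):
        print(f"TRAFFIC: {client} queried unapproved resolver(s) {sorted(resolvers)}")
```

Two caveats worth keeping in mind. The configuration audit only works if the router settings are collected out of band (an exported config, a vendor API, or SNMP where supported); the script above does not fetch them. And a port-53 filter catches plain DNS only: a client that has been pointed at an encrypted resolver over DoT (853) or DoH (443) would need a separate rule keyed on those ports or on TLS metadata.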

Key technical details

The cyber espionage campaign involves changing one DNS setting in the targeted routers, allowing APT28 to control or observe network traffic. This DNS manipulation is a form of infrastructure-level compromise, although the specific vulnerability exploited to gain initial access to these routers was not specified.

This strategy removes the need to deploy additional malicious code on endpoints or routers, enabling stealthier long-term surveillance capabilities.

Affected organizations/products

The campaign targets vulnerable small office/home office (SOHO) routers globally, with the ultimate goal of spying on organizations using these network devices. Specific brands or models affected were not disclosed in the source.

Source attribution

https://www.darkreading.com/threat-intelligence/russia-forest-blizzard-logins-soho-routers

Written by Thirumala Rao Padilam