Network Security, IoT, Threat Intelligence

FrostArmada campaign disrupted: APT28 router hijacking operation halted


An international law enforcement operation, in collaboration with private cybersecurity firms, has successfully disrupted FrostArmada, a sophisticated campaign orchestrated by the Russian threat group APT28. This operation involved hijacking local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials, Bleeping Computer reports.

APT28, also known as Fancy Bear, compromised small office/home office routers and altered their DNS settings so that local traffic was redirected to attacker-controlled virtual private servers. These servers acted as DNS resolvers, enabling the interception of authentication traffic and the theft of Microsoft logins and OAuth tokens. At its peak in December 2025, FrostArmada infected approximately 18,000 devices across 120 countries, primarily targeting government agencies, law enforcement, and IT providers. The redirect sent users to an adversary-in-the-middle proxy; often the only visible sign was a TLS certificate warning, which victims might dismiss.

Organizations are advised to implement security best practices, including regular patching, minimizing attack surfaces, and considering measures like certificate pinning to defend against similar DNS hijacking and credential theft campaigns.
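The detection and mitigation points above (routers pointed at unapproved resolvers, resolver answers that diverge from a trusted reference, and certificate pinning) as an added example; this is not code from the article or from any router vendor, and the router record, resolver addresses, hostnames and key bytes are constructed sample values.

```python
"""Defender-side checks for the router DNS-hijack pattern described above.

Added example with constructed data only; nothing here touches the network.
In practice the inputs come from each SOHO router's DNS settings and from
DNS queries issued through the configured resolver and a trusted one.
"""
import base64
import hashlib
from dataclasses import dataclass

# Resolvers the organization expects its routers to use (placeholder values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

@dataclass
class RouterDns:
    """One router's DNS configuration as pulled from inventory (constructed)."""
    hostname: str
    resolvers: list[str]

def unapproved_resolvers(router: RouterDns) -> list[str]:
    """Resolvers that are not on the approved list.

    A hijacked router points DNS at an attacker-controlled server, so any
    address outside the approved set is a finding worth investigating."""
    return sorted(set(router.resolvers) - APPROVED_RESOLVERS)

def divergent_answers(configured: dict[str, set[str]],
                      reference: dict[str, set[str]]) -> list[str]:
    """Hostnames whose answers from the configured resolver share no address
    with the answers from a trusted reference resolver.

    A rogue resolver redirects login hosts to an adversary-in-the-middle
    proxy. CDN-fronted names can legitimately differ between resolvers,
    so treat hits as leads and confirm against the provider's netblocks."""
    return sorted(h for h, ips in configured.items()
                  if h in reference and not (ips & reference[h]))

def spki_pin(spki_der: bytes) -> str:
    """Certificate pin: base64(SHA-256(SubjectPublicKeyInfo)), HPKP style."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(spki_der: bytes, pinned: set[str]) -> bool:
    """True when the presented key matches a pin; a proxy's certificate
    will not, even if the user clicked through a browser warning."""
    return spki_pin(spki_der) in pinned

if __name__ == "__main__":
    router = RouterDns("branch-gw-07", ["10.0.0.53", "203.0.113.7"])
    print("unapproved:", unapproved_resolvers(router))       # ['203.0.113.7']
    seen = {"login.example.test": {"203.0.113.7"}}          # constructed answers
    trusted = {"login.example.test": {"198.51.100.20", "198.51.100.21"}}
    print("divergent:", divergent_answers(seen, trusted))   # ['login.example.test']
```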

Source: Bleeping Computer
