SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
Forest Blizzard, a threat group associated with the Russian military, has been exploiting poorly secured home and small-office internet devices—such as routers—by taking control of them and altering their configurations. This allows the attackers to incorporate these devices into their malicious network.
They then use this seemingly legitimate but compromised infrastructure to conceal their activities, enabling them to monitor additional targets or launch further attacks. Microsoft Threat Intelligence has released details about this campaign to raise awareness of the dangers posed by unsecured networking devices and to provide guidance on how individuals and organizations can detect, prevent, and respond to such threats.
Since at least August 2025, the Russian military intelligence group Forest Blizzard—along with its sub-group Storm-2754—has been carrying out a widespread campaign targeting vulnerable small office and home office (SOHO) devices.
By exploiting these devices, the group has been able to hijack Domain Name System (DNS) requests and capture network traffic. For state-sponsored actors like Forest Blizzard, DNS hijacking provides a scalable way to maintain ongoing, passive surveillance and gather intelligence.
By breaching edge devices that sit upstream from larger targets, attackers can exploit systems that are often less monitored or poorly managed, using them as entry points into enterprise networks.
Microsoft Threat Intelligence has identified more than 200 affected organizations and around 5,000 compromised consumer devices linked to this malicious DNS infrastructure. There is no evidence suggesting that Microsoft’s own assets or services were compromised.
Find out more here – https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
