APT28 Amplifies Cyber Operations Through DNS Hijacking and Spear-Phishing
APT28, a Russian state-affiliated threat group, has enhanced its cyber operations by launching significant campaigns: a global DNS hijacking initiative targeting SOHO routers and a spear-phishing effort utilizing the PRISMEX malware suite. These operations reflect a shift towards complex attack strategies that combine infrastructure-level compromises with endpoint exploitation.
The FrostArmada campaign exploits vulnerabilities in MikroTik and TP-Link routers by modifying their DNS settings to redirect traffic. This manipulation allows the adversary to conduct Adversary-in-the-Middle attacks, intercepting user credentials and redirecting users to malicious sites without their awareness. Initial observations indicate that over 18,000 IP addresses from more than 120 countries communicated with the attackers’ infrastructure. Meanwhile, the parallel PRISMEX campaign targets government entities and NATO-aligned organizations through carefully crafted spear-phishing emails, incorporating steganography to conceal malicious payloads.
The attacks leverage zero-day vulnerabilities, in particular two security feature bypass vulnerabilities in Microsoft products, CVE-2026-21509 and CVE-2026-21513, which enable the stealthy execution of malicious payloads and allow attackers to establish persistence and maintain command-and-control communications through legitimate cloud services. The potential disruption of critical systems alongside intelligence gathering underscores the dual objectives of these campaigns.
Defensive Context
Organizations operating in sectors such as government, defense, and logistics should be particularly vigilant. A router whose DNS settings have been hijacked can serve as an effective pivot point for wider network intrusions. The nature of these campaigns makes them a persistent threat, especially for entities reliant on vulnerable SOHO hardware: those with such router setups are at heightened risk, while those not using these devices in their infrastructure may be less immediately affected.
Why This Matters
Organizations with exposed SOHO routers are at significant risk of data exfiltration and compromise. The techniques employed by APT28 highlight the need for awareness regarding network configurations and the necessity for oversight of DNS settings to prevent interception.
Environment Exposure
The risk applies when organizations use vulnerable routers, particularly in connected environments with limited security controls. Organizations that have already hardened their devices and infrastructure against such attacks are less exposed to this particular threat vector.
Indicators of Compromise (IOCs)
- IP Addresses: 64.120.31.96, 79.141.160.78
- Domains: wellnesscaremed.com
- Vulnerabilities: CVE-2023-50224, CVE-2026-21509, CVE-2026-21513
- Suspicious behaviors include DNS requests to unauthorized resolvers and execution of untrusted .LNK files.
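The "DNS requests to unauthorized resolvers" behaviour above can be checked against egress flow records. The following is an added example, not code from the original brief: the approved-resolver set and the flow records are constructed, and the two addresses it treats as known-bad are the IP IOCs listed above.

```python
from dataclasses import dataclass

# Assumption: the organization's sanctioned resolvers (a hypothetical internal
# resolver plus one sanctioned public resolver).
APPROVED_RESOLVERS = {"10.0.0.53", "1.1.1.1"}

# Rogue-resolver addresses listed as IOCs in this brief.
KNOWN_BAD_RESOLVERS = {"64.120.31.96", "79.141.160.78"}

# Constructed egress flow records: "<timestamp> <src> -> <dst>:<port> <proto>".
# 192.168.1.1 stands for a hijacked SOHO router forwarding its clients' lookups.
SAMPLE_FLOWS = [
    "2026-03-01T09:00:01Z 192.168.1.20 -> 10.0.0.53:53 UDP",
    "2026-03-01T09:00:02Z 192.168.1.1 -> 64.120.31.96:53 UDP",
    "2026-03-01T09:00:02Z 192.168.1.1 -> 64.120.31.96:53 UDP",
    "2026-03-01T09:00:03Z 192.168.1.21 -> 203.0.113.9:53 UDP",
    "2026-03-01T09:00:04Z 192.168.1.22 -> 1.1.1.1:53 UDP",
    "2026-03-01T09:00:05Z 192.168.1.22 -> 64.120.31.96:443 TCP",
]

@dataclass(frozen=True)
class Finding:
    src: str
    resolver: str
    severity: str  # "high" = IOC-listed resolver, "medium" = merely unapproved
    count: int

def parse_flow(line):
    """Split one flow record into (src, dst, port, proto)."""
    _ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port), proto

def find_rogue_resolvers(lines):
    """Return one Finding per (source, resolver) pair sending DNS traffic to a
    resolver outside APPROVED_RESOLVERS. A router appearing as the source is
    the signature of the hijack: clients ask the router, the router asks the attacker."""
    tally = {}
    for line in lines:
        src, dst, port, proto = parse_flow(line)
        if port != 53 or proto not in ("UDP", "TCP"):
            continue  # not DNS; other traffic to IOC addresses belongs to other checks
        if dst in APPROVED_RESOLVERS:
            continue
        tally[(src, dst)] = tally.get((src, dst), 0) + 1
    return [
        Finding(src, dst, "high" if dst in KNOWN_BAD_RESOLVERS else "medium", n)
        for (src, dst), n in sorted(tally.items())
    ]
```

Run against real egress logs, a "high" finding whose source is the gateway itself is the strongest indication that the router's own DNS configuration has been altered.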