Researchers describe a global DNS hijacking campaign against old home routers that redirects traffic through servers hosted by Aeza International, a US-sanctioned Russian bulletproof hosting provider.
Home internet users across more than three dozen countries have had their web traffic redirected after attackers compromised outdated consumer routers, according to new research released on February 3 by Infoblox. The activity involved changes to router DNS settings, giving attackers control over where users were sent online while everyday browsing largely appeared normal.
The campaign targeted older home routers that remain widely used but no longer receive security updates. After gaining access, attackers altered the router’s DNS configuration, which determines which servers resolve domain names for the network and therefore where web traffic ends up. Because the change occurs at the router level, every phone, laptop, or smart device connected to the network is affected, often without the user realizing it.
According to Infoblox, the manipulated DNS traffic was routed to resolvers hosted by Aeza International, a Russian bulletproof hosting provider sanctioned by the US government in July 2025. From there, traffic was forwarded into an HTTP-based Traffic Distribution System. Infoblox researchers say users were first checked to confirm they originated from a compromised router before being routed further.
Infoblox’s blog post shared with Hackread.com adds that approved traffic was then sent through advertising and affiliate networks, which often led users to malicious or deceptive websites.
Renée Burton, vice president of Infoblox Threat Intel, said the campaign highlights how rarely users consider DNS as a security risk. When attackers control DNS at the router level, they gain influence over every connection behind it and can turn routine web activity into a revenue source.
The only way to mitigate this threat for home users is to replace outdated routers with current models that receive regular updates. The findings also show that consumer networking devices remain a common access point for attackers, especially when routers continue to run without security updates long after official support has ended.
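A defender's check for the router-level DNS change described above, as an added example that is not from Infoblox or the original article: it classifies the resolvers a client has been handed. The allowlist and sample addresses are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

# Assumption: resolvers this network is supposed to use (constructed
# documentation addresses; substitute your ISP's or chosen provider's).
EXPECTED = ["198.51.100.10/32", "2001:db8::53/128"]
# Ranges that mean "the router itself is answering" rather than an upstream.
LOCAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
         "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128"]

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers

def _in_any(ip, networks):
    return any(ip in ipaddress.ip_network(n) for n in networks)

def classify(address, expected=EXPECTED):
    """Return 'expected', 'local-forwarder', 'unexpected' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if _in_any(ip, expected):
        return "expected"
    if _in_any(ip, LOCAL):
        # The client only sees the router; its upstream DNS must be read
        # from the router's own admin interface.
        return "local-forwarder"
    return "unexpected"

def audit(text, expected=EXPECTED):
    """Map each configured nameserver to its classification."""
    return {s: classify(s, expected) for s in parse_nameservers(text)}

# Constructed sample of a client's DNS config; 203.0.113.53 is a
# documentation address, not an indicator from the research.
SAMPLE = """nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 198.51.100.10
"""

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:16} {verdict}")
```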
