An international operation from law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign hijacking local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials.
The Russian threat group APT28, also tracked as Fancy Bear, Sofacy, Forest Blizzard, Strontium, Storm-2754, and Sednit, has been linked to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.
In the FrostArmada attacks, the hackers compromised mainly small office/home office (SOHO) routers and altered the domain name system (DNS) settings to point to virtual private servers (VPS) under their control, which acted as DNS resolvers.

This allowed APT28 to intercept authentication traffic to targeted domains and steal Microsoft logins and OAuth tokens.
At its peak in December 2025, FrostArmada infected 18,000 devices across 120 countries, primarily targeting government agencies, law enforcement, IT and hosting providers, and organizations operating their own servers.
Microsoft, whose services were targeted by this campaign, worked together with Black Lotus Labs (BLL), Lumen’s threat research and operations division, to map the malicious activity and identify victims.
With support from the FBI, the U.S. Department of Justice, and the Polish government, the offending infrastructure has been taken offline.
FrostArmada activity
The attackers targeted internet-exposed routers, primarily MikroTik and TP-Link, as well as some firewall products from Nethesis and older Fortinet models.
Once compromised, the devices communicated with the attackers’ infrastructure and received DNS configuration changes that redirected traffic to malicious VPS nodes.
The new DNS settings were automatically pushed to internal devices via the Dynamic Host Configuration Protocol (DHCP).
When clients queried authentication-related domains the threat actor targeted, the DNS server returned the attacker’s IP instead of the real one, redirecting victims to an adversary-in-the-middle (AitM) proxy.

Source: Black Lotus Labs
The only visible sign of the attack for the victim would have been a browser warning about an invalid TLS certificate, which could easily be dismissed. However, clicking through the alert gave the threat actor access to the victim’s decrypted traffic.
“The actor essentially ran a proxy service as the AitM that the end user was directed to via DNS,” Lumen’s Black Lotus Labs researchers explain.
“The only sign of this attack would be a pop-up warning about connecting to an untrusted source because of the ‘break and inspect’ configuration.”
“If warnings were present and ignored or clicked through, the actor proxied requests to the legitimate services, collecting the data at the midpoint and collecting data associated with the targeted account by passing the valid OAuth token.”
In some cases, though, the hackers spoofed DNS responses for certain domains, forcing affected endpoints to connect to the attack infrastructure, Microsoft says in a report today.
Lumen reports that FrostArmada operated in two distinct clusters, one called the ‘Expansion team’ dedicated to device compromise and botnet growth, and the second handling the AitM and credential collection operations.

Source: Black Lotus Labs
The researchers report that FrostArmada activity increased sharply following an August 2025 report from the National Cyber Security Centre (NCSC) in the UK describing a Forest Blizzard toolset that targeted Microsoft account credentials and tokens.
Microsoft confirmed that APT28 carried out AitM attacks against domains associated with the Microsoft 365 service, and that subdomains for Microsoft Outlook on the web were also targeted.
Additionally, the company observed this activity on servers belonging to three government organizations in Africa that were not hosted on Microsoft infrastructure. In those attacks, “Forest Blizzard intercepted DNS requests and conducted follow-on collection.”
Black Lotus Labs also observed the threat actor targeting entities with on-premise email servers and “a small number of government organizations” in North Africa, Central America, and Southeast Asia.
The researchers note that “there was also a connection to a national identity platform in one European country.”
In a report today, the UK agency says that the AitM activity affected both browser sessions and desktop applications, and that the DNS hijacking is believed to have been opportunistic in nature: the goal was to build a large pool of potential targets and then filter out those of interest.
Black Lotus Labs has published a small set of indicators of compromise for the VPS servers used during the FrostArmada campaign:
| IP address | First Seen | Last Seen |
|---|---|---|
| 64.120.31[.]96 | May 19, 2025 | March 31, 2026 |
| 79.141.160[.]78 | July 19, 2025 | March 31, 2026 |
| 23.106.120[.]119 | July 19, 2025 | March 31, 2026 |
| 79.141.173[.]211 | July 19, 2025 | March 31, 2026 |
| 185.117.89[.]32 | September 9, 2025 | September 9, 2025 |
| 185.237.166[.]55 | December 30, 2025 | December 30, 2025 |
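One way a defender can check endpoints for the hijack described above, as an added example that is not code from Black Lotus Labs, Microsoft or the NCSC: compare what the DHCP-assigned resolver returns for authentication domains against a trusted resolver and against the published VPS indicators. The resolver addresses, the `AUTH_DOMAINS` list and all DNS answers below are constructed; only the IoC IPs come from the table.

```python
"""Offline check for a FrostArmada-style DNS hijack on an endpoint.

A resolver handed out by a compromised router, an answer for an
authentication domain that matches a published VPS indicator, or an
answer that disagrees with a trusted resolver are each reported as a
finding. A mismatch alone is only a lead (anycast answers differ by
region); an IoC hit is a strong signal.
"""

# VPS indicators published by Black Lotus Labs (defanging brackets removed).
FROSTARMADA_VPS = {
    "64.120.31.96", "79.141.160.78", "23.106.120.119",
    "79.141.173.211", "185.117.89.32", "185.237.166.55",
}

# Assumed examples of the Microsoft authentication domains the campaign targeted.
AUTH_DOMAINS = ("login.microsoftonline.com", "outlook.office.com")


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text (DHCP-assigned)."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def dns_lookup_findings(local_answers, trusted_answers, resolver_ip, allowed_resolvers):
    """Compare A records per domain; return a list of (finding, ...) tuples."""
    findings = []
    if resolver_ip not in allowed_resolvers:
        findings.append(("unexpected_resolver", resolver_ip))
    for domain in AUTH_DOMAINS:
        local = set(local_answers.get(domain, ()))
        trusted = set(trusted_answers.get(domain, ()))
        hits = local & FROSTARMADA_VPS
        if hits:
            findings.append(("known_frostarmada_vps", domain, sorted(hits)))
        elif local and trusted and not (local & trusted):
            findings.append(("answer_mismatch", domain, sorted(local)))
    return findings


# Constructed sample: the DHCP-assigned resolver 192.0.2.53 (TEST-NET-1) is not
# the corporate resolver, and it answers one login domain with a known VPS.
CONSTRUCTED_LOCAL = {"login.microsoftonline.com": ["79.141.160.78"],
                     "outlook.office.com": ["203.0.113.40"]}
CONSTRUCTED_TRUSTED = {"login.microsoftonline.com": ["198.51.100.10"],
                       "outlook.office.com": ["198.51.100.11"]}

if __name__ == "__main__":
    resolver = parse_resolv_conf("nameserver 192.0.2.53\nsearch corp.example\n")[0]
    for finding in dns_lookup_findings(CONSTRUCTED_LOCAL, CONSTRUCTED_TRUSTED,
                                       resolver, {"192.0.2.1"}):
        print(finding)
```

In a real deployment the answer dictionaries would be filled by querying the DHCP-assigned resolver and a pinned trusted resolver; a certificate-pinned client, as the researchers recommend, would additionally fail the TLS handshake against the AitM proxy.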
The researchers note that defenders should implement certificate pinning for corporate devices (laptops, mobile phones) controlled via an MDM solution, which would generate an error when the attacker tries to intercept and analyze traffic on their VPS infrastructure.
Another recommendation is to minimize the attack surface through patching, limiting exposure on the public web, and removing all end-of-life equipment.
Microsoft and the NCSC also provide a list of IoCs and protection guidance to help defenders identify and prevent DNS hijacking attacks.
