The technique marks an operational evolution for the group, also known as Fancy Bear, Sofacy, Forest Blizzard and Pawn Storm. Long associated with intelligence collection against NATO governments, Ukraine, defence contractors, political organisations and critical infrastructure, APT28 is no longer relying only on cloud servers, rented hosting and bespoke implants. Its use of consumer and small-office routers gives it infrastructure that looks ordinary, sits close to intended victims and is harder for defenders to block at scale.
The activity centres on Ubiquiti EdgeRouters infected by MooBot, a Mirai-derived botnet family originally deployed by criminal operators against devices still using default or weak administrator credentials. Rather than build that network from the ground up, GRU-linked operators gained access to infected routers, installed scripts and binaries and repurposed the devices as an espionage platform.
Compromised EdgeRouters have been used to collect Net-NTLMv2 authentication material, proxy network traffic, host spear-phishing landing pages and stage custom Python tooling. Investigators found Bash scripts and Linux ELF binaries on targeted devices, including tools designed to exploit backdoored OpenSSH services and support credential theft. Some activity was linked to exploitation of Microsoft Outlook vulnerability CVE-2023-23397, used to leak authentication hashes to actor-controlled systems.
A court-authorised US operation, disclosed in February 2024, disrupted parts of the MooBot network by deleting malicious files from infected routers and changing firewall rules to block remote access by the operators. The action blunted one layer of the infrastructure but did not remove the wider problem: millions of routers remain poorly maintained, exposed to remote access or dependent on firmware that users rarely update.
The router pivot has since widened beyond MooBot. APT28-linked infrastructure has been tied to a DNS hijacking campaign known as FrostArmada, involving vulnerable MikroTik and TP-Link devices. Instead of infecting a victim laptop directly, the operators changed DHCP and DNS settings on compromised routers so connected phones, computers and office systems automatically sent selected lookups to attacker-controlled resolvers.
That approach enables adversary-in-the-middle attacks against web and email services. When a targeted user attempts to reach a login domain, malicious DNS responses can direct the connection through an interception node, where passwords, OAuth tokens and session data may be collected. Non-targeted traffic can still resolve normally, reducing the chance that users notice unusual behaviour.
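The selective DNS hijack described above leaves two measurable traces on a client: the resolver address the router hands out over DHCP, and the answers that resolver gives for login domains compared with answers from a resolver the organisation trusts. The following Python script is an added example written for this page, not code from the article or from any investigating party. The allow-list, the domain names and every IP address in it are constructed sample values; in a real deployment the two answer dictionaries would be filled by querying the DHCP-assigned resolver and a trusted resolver for the same names.

```python
"""Detect router-level DNS hijacking from the client side.

Two checks are implemented:
  1. The DNS servers a router offers via DHCP are compared with an allow-list.
  2. Answers from the DHCP-assigned resolver are compared with answers from a
     trusted resolver; a domain is flagged when the two answer sets share no
     address at all. Divergence confined to login domains, while control
     domains still agree, is the "selective" pattern in which non-targeted
     traffic resolves normally.
Added example; all addresses and names below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allow-list: resolvers the organisation expects DHCP to hand out.
EXPECTED_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass(frozen=True)
class Finding:
    domain: str
    local: frozenset      # addresses returned by the DHCP-assigned resolver
    trusted: frozenset    # addresses returned by the trusted resolver


def check_dhcp_dns(offered_servers):
    """Return the DHCP-offered resolver addresses that are not on the allow-list."""
    unexpected = []
    for server in offered_servers:
        normalised = str(ipaddress.ip_address(server))  # raises on malformed input
        if normalised not in EXPECTED_DNS_SERVERS:
            unexpected.append(normalised)
    return unexpected


def compare_answers(local, trusted):
    """Compare A-record answers per domain.

    local / trusted map domain -> iterable of address strings. A domain is
    flagged when the local resolver returned nothing (blocked or NXDOMAIN) or
    returned only addresses the trusted resolver never returned. CDN rotation
    usually keeps at least one address in common, so overlap is treated as OK.
    """
    findings = []
    for domain in sorted(trusted):
        local_set = frozenset(local.get(domain, ()))
        trusted_set = frozenset(trusted[domain])
        if not local_set or local_set.isdisjoint(trusted_set):
            findings.append(Finding(domain, local_set, trusted_set))
    return findings


def classify(findings, watched_domains):
    """'clean' if nothing diverged, 'selective' if only watched login domains
    diverged, 'broad' if control domains diverged too."""
    diverged = {f.domain for f in findings}
    if not diverged:
        return "clean"
    if diverged <= set(watched_domains):
        return "selective"
    return "broad"


def run_demo():
    """Run both checks over constructed sample data and return the results."""
    watched = ["login.example-mail.test", "sso.example-corp.test"]
    # Constructed answers from a trusted resolver (198.51.100.0/24 is a
    # documentation range, used here purely as sample data).
    trusted = {
        "login.example-mail.test": ["198.51.100.10", "198.51.100.11"],
        "sso.example-corp.test": ["198.51.100.20"],
        "www.example-news.test": ["198.51.100.30"],
        "cdn.example-static.test": ["198.51.100.40", "198.51.100.41"],
    }
    # Constructed answers from the router-assigned resolver: only the login
    # domains are steered to a different address block (203.0.113.0/24).
    local = {
        "login.example-mail.test": ["203.0.113.5"],
        "sso.example-corp.test": ["203.0.113.5"],
        "www.example-news.test": ["198.51.100.30"],
        "cdn.example-static.test": ["198.51.100.41"],
    }
    unexpected = check_dhcp_dns(["10.0.0.53", "192.0.2.7"])  # 192.0.2.7 constructed
    findings = compare_answers(local, trusted)
    return unexpected, findings, classify(findings, watched)


if __name__ == "__main__":
    unexpected, findings, verdict = run_demo()
    print("unexpected DHCP resolvers:", unexpected)
    for f in findings:
        print(f"{f.domain}: local={sorted(f.local)} trusted={sorted(f.trusted)}")
    print("verdict:", verdict)
```

The "selective" verdict is the one worth alerting on: it matches the behaviour in the text where only chosen lookups are redirected and everything else works normally, so users see no breakage. Running the comparison from several client networks (home workers, small offices) rather than from the data centre is what makes the check useful, since a compromised router only affects the hosts behind it.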
The scale of the activity illustrates the appeal of unmanaged edge devices. During peak FrostArmada activity in December 2025, more than 18,000 unique IP addresses across at least 120 countries were seen communicating with the infrastructure. More than 200 organisations and about 5,000 consumer devices were identified as affected, with targets spanning government, defence, logistics, telecommunications, information technology, energy and third-party email services.
The campaign also shows how state-backed operators are blending criminal infrastructure, commodity devices and tailored intelligence requirements. APT28’s operators appear to cast a wide net, then filter the victim pool for accounts and organisations of value. This model reduces the need to place heavy malware on protected enterprise systems while creating access points through remote workers, small offices and suppliers outside central security monitoring.
For network defenders, the implications are uncomfortable. Blocking a known malicious server is simpler than identifying traffic proxied through residential or small-business IP addresses. Router forensics are often thin, logs may be unavailable, and many small-office devices sit outside routine patching cycles. Even when law enforcement takes down part of a botnet, abandoned devices can be re-compromised or folded into a new operational network.
The activity reinforces APT28’s broader pattern of adapting tradecraft without abandoning older methods. The group has continued to use credential harvesting, spear-phishing, webmail exploitation and custom implants alongside router-based infrastructure. Edge devices now act as a complementary layer, providing stealth, proximity and resilience for intelligence collection rather than indiscriminate disruption.