Routers deepen APT28’s espionage reach

Russian military-linked hackers tracked as APT28 have shifted cyber operations into compromised internet routers, using the MooBot botnet and vulnerable edge devices to harvest credentials, route traffic and host malicious tools across dispersed global infrastructure.

The technique marks an operational evolution for the group, also known as Fancy Bear, Sofacy, Forest Blizzard and Pawn Storm. Long associated with intelligence collection against NATO governments, Ukraine, defence contractors, political organisations and critical infrastructure, APT28 is no longer relying only on cloud servers, rented hosting and bespoke implants. Its use of consumer and small-office routers gives it infrastructure that looks ordinary, sits close to intended victims and is harder for defenders to block at scale.

The activity centres on Ubiquiti EdgeRouters infected by MooBot, a Mirai-derived botnet family originally deployed by criminal operators against devices still using default or weak administrator credentials. Rather than build that network from the ground up, GRU-linked operators gained access to infected routers, installed scripts and binaries and repurposed the devices as an espionage platform.

Compromised EdgeRouters have been used to collect Net-NTLMv2 authentication material, proxy network traffic, host spear-phishing landing pages and stage custom Python tooling. Investigators found Bash scripts and Linux ELF binaries on targeted devices, including tools designed to exploit backdoored OpenSSH services and support credential theft. Some activity was linked to exploitation of Microsoft Outlook vulnerability CVE-2023-23397, used to leak authentication hashes to actor-controlled systems.
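The hash leak described above is hard to spot inside the mailbox, but the outbound authentication attempt it triggers shows up at the perimeter. The Python below is an added example, not code from the article or from any vendor: it scans constructed firewall egress records for SMB connections from internal hosts to external addresses, the traffic an organisation should both alert on and block so that Net-NTLMv2 material never reaches an actor-controlled host. The log format, addresses and internal ranges are assumptions for the sample.

```python
import ipaddress

# Constructed firewall egress log lines: timestamp src dst proto dport action.
SAMPLE_LOG = """\
2024-02-10T09:01:12Z 10.20.1.15 10.20.1.5 TCP 445 ALLOW
2024-02-10T09:02:03Z 10.20.1.15 203.0.113.77 TCP 445 ALLOW
2024-02-10T09:02:05Z 10.20.1.22 198.51.100.9 TCP 443 ALLOW
2024-02-10T09:03:41Z 10.20.1.31 203.0.113.77 TCP 445 DENY
2024-02-10T09:04:10Z 10.20.1.40 192.0.2.200 TCP 80 ALLOW
"""
SMB_PORTS = {139, 445}
# Address space where SMB is expected; anything else is treated as external. An explicit
# list is used instead of ipaddress.is_global because the documentation ranges in the
# sample are classed as non-global by the standard library.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Split one space-separated egress record into a dict (assumed format)."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport), "action": action}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb_to_external(log_text):
    """Connections (allowed or denied) from internal hosts to SMB ports on external
    addresses; a denied attempt still shows a client tried to authenticate outward."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def by_destination(hits):
    """Group sources per external destination so a single collection host stands out."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["dst"], []).append(h["src"])
    return grouped
```

Several internal clients reaching the same external SMB endpoint within minutes is the shape to escalate; a single hit may be a misconfigured share path.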

A court-authorised US operation, disclosed in February 2024, disrupted parts of the MooBot network by deleting malicious files from infected routers and changing firewall rules to block remote access by the operators. The action blunted one layer of the infrastructure but did not remove the wider problem: millions of routers remain poorly maintained, exposed to remote access or dependent on firmware that users rarely update.

The router pivot has since widened beyond MooBot. APT28-linked infrastructure has been tied to a DNS hijacking campaign known as FrostArmada, involving vulnerable MikroTik and TP-Link devices. Instead of infecting a victim laptop directly, the operators changed DHCP and DNS settings on compromised routers so connected phones, computers and office systems automatically sent selected lookups to attacker-controlled resolvers.

That approach enables adversary-in-the-middle attacks against web and email services. When a targeted user attempts to reach a login domain, malicious DNS responses can direct the connection through an interception node, where passwords, OAuth tokens and session data may be collected. Non-targeted traffic can still resolve normally, reducing the chance that users notice unusual behaviour.
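The selective redirection just described can be checked from inside an affected network by comparing what the router-assigned resolver returns with what an independent resolver returns for the same names, and by checking which resolvers the DHCP lease hands out. The Python below is an added example, not code from the article or from any vendor; all names, addresses, the expected resolver list and the known CDN range are constructed, and the per-name known ranges exist because CDN and geo-DNS answers legitimately differ between resolvers.

```python
import ipaddress

# Constructed sample: answers via the LAN router's resolver vs an independent trusted resolver.
ROUTER_ANSWERS = {
    "login.example-mail.test": {"203.0.113.45"},   # redirected
    "sso.example-corp.test": {"203.0.113.46"},     # redirected
    "www.example-news.test": {"198.51.100.10"},    # untouched
    "cdn.example-static.test": {"198.51.100.21"},  # differs, but inside the known CDN range
}
TRUSTED_ANSWERS = {
    "login.example-mail.test": {"198.51.100.5"},
    "sso.example-corp.test": {"198.51.100.7"},
    "www.example-news.test": {"198.51.100.10"},
    "cdn.example-static.test": {"198.51.100.20"},
}
# Ranges a name may legitimately resolve into (geo/CDN answers vary by resolver).
KNOWN_RANGES = {"cdn.example-static.test": ["198.51.100.0/24"]}
# Resolvers handed out in the router's DHCP lease versus the ones the office expects.
DHCP_OFFERED_DNS = ["192.0.2.1", "203.0.113.53"]
EXPECTED_DNS = {"192.0.2.1", "192.0.2.2"}

def unexpected_dhcp_dns(offered, expected):
    """DHCP-offered resolvers that are not on the expected list."""
    return [ip for ip in offered if ip not in expected]

def in_known_range(name, ip, known):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in known.get(name, []))

def divergent_lookups(router, trusted, known=KNOWN_RANGES):
    """Names whose router-path answer shares nothing with the trusted answer and
    is not explained by a known legitimate range for that name."""
    findings = {}
    for name, trusted_ips in trusted.items():
        router_ips = router.get(name, set())
        if not router_ips or not router_ips.isdisjoint(trusted_ips):
            continue
        if all(in_known_range(name, ip, known) for ip in router_ips):
            continue
        findings[name] = {"router": sorted(router_ips), "trusted": sorted(trusted_ips)}
    return findings

def hijack_report(router, trusted, offered, expected, known=KNOWN_RANGES):
    """Selective divergence (some names redirected, others untouched) together
    with a rogue DHCP resolver is the pattern the campaign description gives."""
    divergent = divergent_lookups(router, trusted, known)
    untouched = [n for n in trusted if n in router and n not in divergent]
    return {"rogue_dhcp_dns": unexpected_dhcp_dns(offered, expected),
            "divergent": divergent, "selective": bool(divergent) and bool(untouched)}
```

In practice the two answer tables come from querying the lease-assigned resolver and a known-good resolver over a different path (for example a mobile connection), since a compromised router can also interfere with queries to external resolvers sent through it.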

The scale of the activity illustrates the appeal of unmanaged edge devices. During peak FrostArmada activity in December 2025, more than 18,000 unique IP addresses across at least 120 countries were seen communicating with the infrastructure. More than 200 organisations and about 5,000 consumer devices were identified as affected, with targets spanning government, defence, logistics, telecommunications, information technology, energy and third-party email services.

The campaign also shows how state-backed operators are blending criminal infrastructure, commodity devices and tailored intelligence requirements. APT28’s operators appear to cast a wide net, then filter the victim pool for accounts and organisations of value. This model reduces the need to place heavy malware on protected enterprise systems while creating access points through remote workers, small offices and suppliers outside central security monitoring.

For network defenders, the implications are uncomfortable. Blocking a known malicious server is simpler than identifying traffic proxied through residential or small-business IP addresses. Router forensics are often thin, logs may be unavailable, and many small-office devices sit outside routine patching cycles. Even when law enforcement takes down part of a botnet, abandoned devices can be re-compromised or folded into a new operational network.

The activity reinforces APT28’s broader pattern of adapting tradecraft without abandoning older methods. The group has continued to use credential harvesting, spear-phishing, webmail exploitation and custom implants alongside router-based infrastructure. Edge devices now act as a complementary layer, providing stealth, proximity and resilience for intelligence collection rather than indiscriminate disruption.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
