Tech News

Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins

Why This Matters

The disruption of the FrostArmada campaign highlights the ongoing threat posed by nation-state actors who compromise routers and other IoT devices to steal credentials. It underscores the need for consumers and organizations alike to secure their network infrastructure against such attacks, and shows the value of international cooperation in combating them.

Key Takeaways

An international law enforcement operation, carried out in partnership with private companies, has disrupted FrostArmada, an APT28 campaign that hijacked local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials.

The Russian threat group APT28, also tracked as Fancy Bear, Sofacy, Forest Blizzard, Strontium, Storm-2754, and Sednit, has been linked to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.

In the FrostArmada attacks, the hackers compromised mainly small office/home office (SOHO) routers and altered the routers' domain name system (DNS) settings to point at virtual private servers (VPS) under their control, which acted as rogue DNS resolvers.

With control of name resolution for the targeted domains, APT28 could redirect authentication traffic through its own infrastructure and steal Microsoft logins and OAuth tokens.

At its peak in December 2025, FrostArmada had compromised 18,000 devices across 120 countries, primarily targeting government agencies, law enforcement, IT and hosting providers, and organizations operating their own servers.

Microsoft, whose services were targeted by this campaign, worked together with Black Lotus Labs (BLL), Lumen's threat research and operations division, to map the malicious activity and identify victims.

With support from the FBI, the U.S. Department of Justice, and the Polish government, the offending infrastructure has been taken offline.

FrostArmada activity

The attackers targeted internet-exposed routers, primarily MikroTik and TP-Link, as well as some firewall products from Nethesis and older Fortinet models.

Once compromised, the devices communicated with the attackers’ infrastructure and received DNS configuration changes that redirected traffic to malicious VPS nodes.
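Two checks a defender can run from a client behind a possibly compromised router follow from the mechanism described above and under "Key Takeaways": first, whether the resolvers the router pushes to clients are on the LAN or on an operator-approved list rather than an arbitrary public address, and second, whether A records for Microsoft sign-in hosts returned by the local resolver agree with those from a reference resolver. The script below is an added example, not code from the article, Microsoft, or Black Lotus Labs. The resolver allowlist, the resolv.conf text and all IP addresses are constructed for illustration (the suspect addresses are drawn from the RFC 5737 documentation ranges); the page does not name the attackers' VPS addresses or the exact hostnames that were hijacked.

```python
"""Spot two signs of a router-level DNS hijack: resolvers handed to clients
that are neither on the local network nor on an approved list, and A-record
answers for Microsoft login hosts that share no address with a reference
resolver.  Added example; all addresses and the allowlist are constructed."""
import ipaddress
import re

# Constructed allowlist: resolvers this network is expected to use.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Address space where a LAN resolver (usually the router itself) should live.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

# Real Microsoft sign-in hostnames; which hosts FrostArmada hijacked is an
# assumption here, not something the article states.
WATCHED_HOSTS = ("login.microsoftonline.com", "login.live.com")

# Constructed resolv.conf as a DHCP client might receive it from the router.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.88.1
nameserver 203.0.113.45
"""

# Constructed A-record answers: local resolver vs. a reference resolver.
SAMPLE_LOCAL_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.20"},
    "login.live.com": {"20.190.160.5"},
}
SAMPLE_REFERENCE_ANSWERS = {
    "login.microsoftonline.com": {"20.190.151.7", "40.126.31.1"},
    "login.live.com": {"20.190.160.5", "40.126.32.1"},
}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def classify_resolver(addr: str, trusted=TRUSTED_RESOLVERS) -> str:
    """'lan' for a local address (normally the router), 'trusted' for the
    allowlist, 'untrusted' for any other address, 'invalid' if unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    if addr in trusted:
        return "trusted"
    return "untrusted"


def untrusted_resolvers(resolv_conf: str, trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Resolvers pushed to the client that are neither local nor approved."""
    return [s for s in parse_nameservers(resolv_conf)
            if classify_resolver(s, trusted) == "untrusted"]


def divergent_answers(local: dict, reference: dict) -> dict:
    """Watched hosts whose A records from the local resolver share no address
    with the reference resolver; returns the suspect addresses per host."""
    suspects = {}
    for host in WATCHED_HOSTS:
        local_ips = local.get(host, set())
        if local_ips and local_ips.isdisjoint(reference.get(host, set())):
            suspects[host] = local_ips
    return suspects


if __name__ == "__main__":
    print("untrusted resolvers:", untrusted_resolvers(SAMPLE_RESOLV_CONF))
    print("divergent answers:", divergent_answers(SAMPLE_LOCAL_ANSWERS,
                                                  SAMPLE_REFERENCE_ANSWERS))
```

Two caveats apply in practice. A compromised router that keeps acting as the LAN resolver and silently forwards to the attackers' VPS passes the first check, so the answer comparison is the one that matters in that case; obtain the reference answers over DNS-over-HTTPS to a known operator so the router cannot tamper with them. Conversely, large services can legitimately return different addresses to different resolvers, so a disjoint answer set is a lead to confirm against the service's published address ranges, not proof of hijacking on its own.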
