APT28 exploit routers to enable DNS hijacking operations
April 8, 2026, 11:02 a.m.
Description
Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.
Tags
Date
- Created: April 7, 2026, 1:57 p.m.
- Published: April 7, 2026, 1:57 p.m.
- Modified: April 8, 2026, 11:02 a.m.
Indicators
- 103.140.186.148
- 185.237.166.227
- 185.237.166.56
- 185.237.166.75
- 185.237.166.241
- 185.234.73.62
- 185.237.166.66
- 185.237.166.59
- 64.44.154.240
- 64.44.154.238
- 185.234.73.58
- 185.237.166.239
- 185.234.73.61
- 185.237.166.57
- 185.237.166.247
- 185.237.166.229
- 185.237.166.244
- 185.237.166.224
- 185.237.166.242
- 185.237.166.67
- 185.237.166.73
- 64.44.154.237
- 185.237.166.71
- 185.237.166.236
- 64.44.154.227
- 185.237.166.72
- 103.140.186.149
- 185.237.166.65
- 185.237.166.234
- 185.237.166.63
- 185.237.166.245
- 185.237.166.248
- 185.237.166.74
- 185.237.166.64
- 103.140.186.155
- 185.237.166.62
- 185.237.166.61
- 185.237.166.69
- 64.44.154.239
- 185.237.166.233
- 185.237.166.70
- 185.237.166.55
- 185.237.166.237
- 185.237.166.238
- 185.237.166.246
- 185.237.166.232
- 185.237.166.58
- 185.237.166.231
- 185.237.166.235
- 185.237.166.68
- 185.237.166.225
- 185.237.166.243
- 185.237.166.228
- 185.237.166.249
- 185.237.166.226
- 185.237.166.230
- 185.237.166.60
- 185.237.166.240