The rise of SOHO router compromise campaigns, led by the Russia-linked threat actor Forest Blizzard, has turned poorly secured home and small-office devices into covert infrastructure for DNS hijacking and large-scale surveillance. By altering router DNS settings (often using dnsmasq) and conducting adversary-in-the-middle (AiTM) attacks against services like Outlook on the web and Microsoft 365, the group can monitor and intercept sensitive traffic across thousands of consumer and organizational networks. #ForestBlizzard #SOHORouter
Key points
- Forest Blizzard has systematically targeted vulnerable SOHO routers since at least August 2025 to build attacker-controlled DNS infrastructure.
- Compromised routers propagate malicious DNS settings via DHCP, causing all connected devices to use attacker-controlled resolvers.
- The group leverages dnsmasq to intercept, log, and respond to DNS queries while maintaining normal network behavior.
- Operations include passive monitoring and targeted AiTM attacks against Microsoft 365 (Outlook on the web) and government servers in multiple African countries.
- Recommended mitigations include Zero Trust DNS, DNS logging and blocking, MFA and passwordless authentication, Conditional Access, and enabling Microsoft Defender for Endpoint protections.
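The two middle key points describe the mechanism (DHCP pushes an attacker-controlled resolver to every client; dnsmasq then answers queries), and the last one names the defensive counterpart (DNS logging and blocking, Zero Trust DNS). The following script is an added example, not code from the article or from Microsoft, showing what that logging looks like when turned into detections: it flags DHCP acknowledgements that advertise a resolver outside the approved set, clients that actually query an unapproved resolver, and answers for a sensitive name that fall outside its expected address range (the symptom of a hijacked resolver even when the resolver IP itself looks normal). The event format, the sample records and the expected-answer prefixes are all constructed for the example; real deployments would feed it DHCP and DNS logs from a sensor or the resolver and populate the expected prefixes from their own baseline.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample events (not taken from the article). The field layout is an
# assumption for this example:
#   dhcp_ack: the DHCP server, the client it served, and the resolvers in option 6
#   dns:      one observed DNS answer (client, resolver used, queried name, answer)
SAMPLE_EVENTS = """
dhcp_ack server=192.168.1.1 client=192.168.1.20 dns=192.168.1.1
dhcp_ack server=192.168.1.1 client=192.168.1.21 dns=203.0.113.53,203.0.113.54
dns client=192.168.1.20 resolver=192.168.1.1 qname=outlook.office.com answer=198.51.100.10
dns client=192.168.1.21 resolver=203.0.113.53 qname=outlook.office.com answer=192.0.2.77
dns client=192.168.1.21 resolver=203.0.113.53 qname=example.org answer=93.184.216.34
""".strip()

# Resolvers that devices on this network are allowed to use. Anything else is the
# Zero Trust DNS violation the mitigation list refers to.
APPROVED_RESOLVERS = {ip_address("192.168.1.1")}

# PLACEHOLDER prefixes for sensitive names. Populate from your own baseline or the
# provider's published address lists; these documentation ranges are not real.
EXPECTED_ANSWERS = {"outlook.office.com": [ip_network("198.51.100.0/24")]}

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn 'kind key=value ...' lines into dicts; the kind is stored under 'kind'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["kind"] = kind
        events.append(fields)
    return events


def rogue_dhcp_dns(events, approved=APPROVED_RESOLVERS):
    """DHCP ACKs whose option-6 list contains a resolver outside the approved set.

    This is the propagation step: one rewritten router setting reaches every client.
    Returns [(client, [unapproved resolvers])].
    """
    findings = []
    for ev in events:
        if ev["kind"] != "dhcp_ack":
            continue
        bad = [d for d in ev["dns"].split(",") if ip_address(d) not in approved]
        if bad:
            findings.append((ev["client"], bad))
    return findings


def unapproved_resolver_use(events, approved=APPROVED_RESOLVERS):
    """Clients that actually sent queries to a resolver not on the approved list."""
    pairs = {
        (ev["client"], ev["resolver"])
        for ev in events
        if ev["kind"] == "dns" and ip_address(ev["resolver"]) not in approved
    }
    return sorted(pairs)


def unexpected_answers(events, expected=EXPECTED_ANSWERS):
    """Answers for monitored names that fall outside their expected prefixes.

    A hijacked resolver steering a login portal to an AiTM host shows up here even
    when the client still points at the router's own address as its resolver.
    Returns [(client, qname, answer)].
    """
    findings = []
    for ev in events:
        if ev["kind"] != "dns" or ev["qname"] not in expected:
            continue
        addr = ip_address(ev["answer"])
        if not any(addr in net for net in expected[ev["qname"]]):
            findings.append((ev["client"], ev["qname"], ev["answer"]))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for client, bad in rogue_dhcp_dns(evs):
        print(f"DHCP pushed unapproved resolver(s) {bad} to {client}")
    for client, resolver in unapproved_resolver_use(evs):
        print(f"{client} is querying unapproved resolver {resolver}")
    for client, qname, answer in unexpected_answers(evs):
        print(f"{client} received unexpected answer {answer} for {qname}")
```

The three checks are deliberately layered: the first fires once per lease and catches the router-level change early, the second confirms clients are actually using the pushed resolver (and is the rule a DNS-blocking policy would enforce), and the third is the one that still works when the attacker keeps the router's own address as the advertised resolver and only changes what it answers.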
Read More: https://thecyberexpress.com/soho-router-compromise-forest-blizzard/