The rise of SOHO router compromise campaigns has exposed a critical weakness in global network security, particularly as threat actors like Forest Blizzard continue to exploit poorly secured home and small-office devices.
According to security researchers, this Russia-linked group has been systematically targeting vulnerable routers since at least August 2025, transforming them into covert infrastructure for surveillance and follow-on cyberattacks.
Forest Blizzard and the Expanding SOHO Router Compromise Campaign
Forest Blizzard, a threat actor associated with Russian military intelligence and tracked in part as Storm-2754, has conducted widespread exploitation of SOHO devices. By leveraging the SOHO router compromise, the group has successfully hijacked Domain Name System (DNS) requests, allowing it to passively monitor and collect network traffic at scale.
Microsoft identified more than 200 organizations and over 5,000 consumer devices impacted by this malicious DNS infrastructure. Notably, telemetry showed no compromise of Microsoft-owned systems. However, the breadth of affected networks highlights the campaign’s reach and the effectiveness of targeting edge devices that often lack strong monitoring or security controls.
For actors like Forest Blizzard, DNS hijacking provides persistent and low-visibility access to sensitive data flows. By positioning themselves upstream of enterprise environments, attackers can observe and potentially manipulate traffic without directly breaching corporate systems.
How SOHO Router Compromise Leads to DNS Hijacking
After gaining access to vulnerable routers, Forest Blizzard alters their default configurations to use attacker-controlled DNS resolvers. This manipulation causes connected devices to unknowingly send DNS queries to malicious servers.
Most endpoint devices rely on routers for network configuration via the Dynamic Host Configuration Protocol (DHCP). Once a router is compromised, all connected devices inherit the malicious DNS settings. This makes SOHO router compromise an efficient and scalable attack vector.
The group is believed to use the legitimate dnsmasq utility to handle DNS queries. While dnsmasq is commonly used in home networking for DNS forwarding and DHCP services, in this context, it enables attackers to intercept, log, and respond to DNS requests while maintaining the appearance of normal operations.
Forest Blizzard’s Use of Adversary-in-the-Middle Attacks
Beyond passive surveillance, Forest Blizzard has extended its SOHO router compromise operations to support adversary-in-the-middle (AiTM) attacks. These attacks specifically target Transport Layer Security (TLS) connections, enabling interception of sensitive communications.
In most cases, DNS traffic is transparently proxied, allowing users to connect to legitimate services without disruption. However, in select high-value scenarios, the attackers spoof DNS responses for targeted domains. This redirects victims to malicious infrastructure controlled by Forest Blizzard.
Once redirected, victims may encounter invalid TLS certificates mimicking legitimate services such as Outlook on the web. If users ignore certificate warnings, attackers can intercept plaintext data within the encrypted session. This may include emails and other sensitive cloud-hosted content.
Researchers observed two notable AiTM scenarios:
- Attacks on Microsoft 365 domains, particularly Outlook on the web.
- Targeted operations against government servers in at least three African countries, where DNS interception enabled further data collection.
Mitigation Strategies Against Forest Blizzard Threats
To counter risks associated with SOHO router compromise, researchers recommend several defensive measures. For DNS protection, organizations should enforce domain-based access controls using Zero Trust DNS (ZTDNS), block malicious domains, and maintain detailed DNS logs to detect anomalies. Enabling network and web protection features in Microsoft Defender for Endpoint further strengthens defenses.
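The DNS-logging recommendation above is concrete enough to show in code. The following is an added example, not code from the article or from Microsoft: a small detection pass over constructed DHCP and DNS log lines that flags the two symptoms the campaign produces, a DHCP lease handing out a resolver outside an allowlist (so every client on the segment inherits it) and a DNS answer for a monitored domain that disagrees with a known-good reference. The log format, the resolver allowlist and the reference answers are assumptions for the example.

```python
# Added example (not from the original article): detect the two symptoms of a
# DNS-hijacked router in log data:
# (1) a DHCP lease that assigns a resolver outside the approved set, and
# (2) a DNS answer for a monitored domain that differs from a trusted reference,
#     which is how a spoofed response for a targeted domain would surface.

# Hypothetical policy values; replace with the resolvers your network should use.
APPROVED_RESOLVERS = {"10.0.0.53", "192.168.1.1"}
# Known-good answers for monitored domains, e.g. learned via a trusted resolver.
# The addresses below are constructed documentation-range values, not real ones.
REFERENCE_ANSWERS = {"outlook.office.com": {"203.0.113.10"}}

# Constructed log lines in an assumed format: "<kind> <client> key=value ...".
SAMPLE_LOG = """\
dhcp 192.168.1.20 dns=192.168.1.1
dhcp 192.168.1.21 dns=198.51.100.7
dns 192.168.1.21 q=outlook.office.com a=203.0.113.10 via=192.168.1.1
dns 192.168.1.21 q=outlook.office.com a=198.51.100.9 via=198.51.100.7
dns 192.168.1.20 q=example.net a=93.184.216.34 via=192.168.1.1
"""


def parse_line(line):
    """Split one log line into (kind, client, {key: value})."""
    kind, client, *fields = line.split()
    return kind, client, dict(f.split("=", 1) for f in fields)


def analyze(log_text):
    """Return a list of (finding, client, detail) tuples for the given log text."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        kind, client, f = parse_line(raw)
        if kind == "dhcp" and f["dns"] not in APPROVED_RESOLVERS:
            # The router is pushing a resolver we did not configure.
            findings.append(("unexpected_resolver", client, f["dns"]))
        elif kind == "dns":
            if f["via"] not in APPROVED_RESOLVERS:
                # A client is already sending queries to an unknown resolver.
                findings.append(("query_to_unknown_resolver", client, f["via"]))
            expected = REFERENCE_ANSWERS.get(f["q"])
            if expected is not None and f["a"] not in expected:
                # The answer for a monitored domain does not match the reference.
                findings.append(("answer_mismatch", client, f"{f['q']} -> {f['a']}"))
    return findings


if __name__ == "__main__":
    for finding, client, detail in analyze(SAMPLE_LOG):
        print(f"{finding:26} {client:15} {detail}")
```

In practice the reference answers should come from a resolver you control over a path the router cannot influence (for example DNS over TLS to a fixed address), otherwise a spoofed upstream would also poison the baseline.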
Equally critical is addressing identity security. Centralizing identity management, enforcing multifactor authentication (MFA), and applying Conditional Access policies can reduce the impact of credential theft from AiTM attacks. It is also advised to adopt passwordless solutions such as passkeys and restrict authentication to trusted devices and locations.
