Russian Espionage Campaign Targets Home Routers
The threat actor targets unprotected routers and manipulates their DNS settings so that traffic to certain domains gets redirected to an adversary-in-the-middle (AitM) site, where credentials and tokens to the actual site can be harvested and exfiltrated, before the traffic gets routed back to the real site.
This is not the first time sophisticated threat actors have focused on routers in their cyber espionage campaigns. Truesec has previously reported how both Russian and Chinese threat actors have targeted routers.
Assessment
This campaign uses a well-known technique to harvest credentials and session tokens via an AitM site. The victim enters their credentials into a fake login page that stores the credentials and then redirects them to the real site, using the same credentials.
The novel part is that instead of using phishing links to lure the victim to the fraudulent site, the attackers manipulate the router's DNS settings so that the victim's own name lookups lead to the AitM site. This type of attack can be especially powerful against people working from home behind a private home router.
The attacks described appear to have primarily been directed against old MikroTik and TP-Link routers, but theoretically any router could be breached this way. Routers normally do not have nearly as much protection as computer clients and servers.
This is a reminder that not just clients, but routers and other OT devices are also increasingly targeted by threat actors.
We recommend that you review your organizational policies and guidelines governing the use and management of these types of devices, including both centrally managed corporate devices and personal devices used in home or remote environments. Assess your current capabilities to update, maintain, and secure these devices in order to reduce exposure and mitigate associated risks.
Wherever feasible, implement strong security measures such as VPN tunnels, multi-factor authentication (MFA), centralized DNS, traffic filtering, or similar controls. However, these measures may not always be practical or technically possible, and some level of risk may need to be accepted.
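The redirection described in the assessment above can be spotted from the client side by cross-checking DNS answers, which also exercises the centralized-DNS recommendation. The following is an added example, not code from Truesec or the linked reports; the hostnames, addresses and the resolver allowlist are constructed, and live answers would in practice be gathered with a resolver library of your choice.

```python
# Added example (not Truesec's code): cross-check DNS answers to spot
# router-level redirection of the kind described above.
# Hostnames, addresses and the resolver allowlist are constructed.

ALLOWED_RESOLVERS = {"10.0.0.53", "9.9.9.9"}  # hypothetical approved resolvers

# Constructed sample: answers a laptop got from its DHCP-assigned resolver
# (normally the home router itself) ...
LOCAL_ANSWERS = {
    "login.example-corp.test": ["203.0.113.10"],        # entirely different address
    "mail.example-corp.test": ["198.51.100.5"],         # identical
    "news.example.test": ["192.0.2.20", "192.0.2.21"],  # partial overlap (CDN rotation)
}
# ... and the same names resolved through a trusted resolver.
TRUSTED_ANSWERS = {
    "login.example-corp.test": ["198.51.100.7"],
    "mail.example-corp.test": ["198.51.100.5"],
    "news.example.test": ["192.0.2.21", "192.0.2.22"],
}


def find_hijacked(local, trusted):
    """Return {domain: local_addresses} for names whose local answer set shares
    no address with the trusted answer set. Overlapping sets are treated as
    benign CDN/geo variation; an empty local answer is not evidence of
    redirection on its own and is skipped."""
    hits = {}
    for domain, good in trusted.items():
        seen = set(local.get(domain, ()))
        if seen and seen.isdisjoint(good):
            hits[domain] = sorted(seen)
    return hits


def audit(configured_resolvers, local, trusted):
    """Combine the resolver allowlist check (centralized DNS) with the answer
    cross-check; returns a list of human-readable findings."""
    findings = []
    for resolver in configured_resolvers:
        if resolver not in ALLOWED_RESOLVERS:
            findings.append(f"resolver {resolver} is not an approved resolver")
    for domain, addrs in find_hijacked(local, trusted).items():
        findings.append(f"{domain} resolves to {', '.join(addrs)} locally; "
                        f"trusted answer is {', '.join(sorted(trusted[domain]))}")
    return findings


if __name__ == "__main__":
    # 192.168.88.1 stands in for the router's LAN address (constructed value).
    for line in audit(["192.168.88.1"], LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print("FINDING:", line)
```

A disjoint answer set is a trigger to investigate (for example by inspecting the TLS certificate served at the unexpected address), not proof of compromise, since legitimate answers can differ by region or resolver.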
For further recommendations and best practices, review the list of mitigations provided by the NCSC. [2]
If you have any further questions, please do not hesitate to reach out to Truesec for support.
References
[1] https://ift.tt/1Kd53ql
[2] https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
The post Russian Espionage Campaign Targets Home Routers appeared first on Truesec.