{"id":60450,"date":"2026-04-07T14:00:00","date_gmt":"2026-04-07T14:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146395"},"modified":"2026-04-07T14:00:00","modified_gmt":"2026-04-07T14:00:00","slug":"soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/","title":{"rendered":"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks"},"content":{"rendered":"<aside class=\"table-of-contents-block accordion wp-block-bloginabox-theme-table-of-contents\" id=\"accordion-ab07d2a3-356f-463d-9624-ae904f01af7f\" data-bi-an=\"table-of-contents\"> <button class=\"btn btn-collapse\" type=\"button\" aria-expanded=\"true\" aria-controls=\"accordion-collapse-ab07d2a3-356f-463d-9624-ae904f01af7f\"> <span class=\"table-of-contents-block__label\">In this article<\/span> <span class=\"table-of-contents-block__current\" aria-hidden=\"true\"><\/span> <svg class=\"table-of-contents-block__arrow\" aria-label=\"Toggle arrow\" width=\"18\" height=\"11\" viewBox=\"0 0 18 11\" fill=\"none\"> <path d=\"M15.7761 11L18 8.82043L9 0L0 8.82043L2.22394 11L9 4.35913L15.7761 11Z\" fill=\"currentColor\" \/> <\/svg> <\/button> <span class=\"table-of-contents-block__progress-bar\"><\/span><br \/>\n<\/aside>\n<p class=\"wp-block-paragraph\"><strong>Executive summary<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor\u2019s malicious infrastructure. The threat actor then hides behind this legitimate but compromised infrastructure to spy on additional targets or conduct follow-on attacks. 
Microsoft Threat Intelligence is sharing information on this campaign to increase awareness of the risks associated with insecure home and small-office internet routing devices and give users and organizations tools to mitigate, detect, and hunt for these threats where they might be impacted.&nbsp;<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-thick\">\n<p class=\"wp-block-paragraph\">Since at least August 2025, the Russian military intelligence actor <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/tag\/forest-blizzard-strontium\/\">Forest Blizzard<\/a>, and its sub-group tracked as Storm-2754, has conducted a large-scale exploitation of vulnerable small office\/home office (SOHO) devices to hijack Domain Name System (DNS) requests and facilitate the collection of network traffic. For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale.<\/p>\n<p class=\"wp-block-paragraph\">By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments. Microsoft Threat Intelligence has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard\u2019s malicious DNS infrastructure; telemetry did not indicate compromise of Microsoft-owned assets or services.<\/p>\n<p class=\"wp-block-paragraph\">Forest Blizzard, which primarily collects intelligence in support of Russian government foreign policy initiatives, has also leveraged its DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains. 
This activity enables the interception of cloud-hosted content, impacting numerous sectors including government, information technology (IT), telecommunications, and energy\u2014all usual targets for this actor.<\/p>\n<p class=\"wp-block-paragraph\">While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor\u2019s broad access could enable larger-scale AiTM attacks, which might include active traffic interception. Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.<\/p>\n<p class=\"wp-block-paragraph\">In this blog, we share our analysis of the TTPs used by Forest Blizzard in this campaign to illustrate how threat actors leverage this attack surface. We\u2019re also outlining mitigation and protection recommendations to reduce exposure from compromised SOHO devices, as well as <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> detection and hunting guidance to help defenders identify and investigate related malicious activity. 
It\u2019s important for organizations to account for unmanaged SOHO devices\u2014particularly those used by remote and hybrid employees\u2014since compromised home and small\u2011office network infrastructure can expose cloud access and sensitive data even when enterprise environments and cloud services themselves remain secure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"dns-hijacking-attack-chain-from-compromised-devices-to-aitm-and-other-follow-on-activity\">DNS hijacking attack chain: From compromised devices to AiTM and other follow-on activity<\/h2>\n<p class=\"wp-block-paragraph\">The following sections provide details on Forest Blizzard\u2019s end-to-end attack chain for this campaign, from initial access on vulnerable SOHO routers to actor-controlled DNS resolution and AiTM activity.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp\" alt class=\"wp-image-146397 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. DNS hijacking through router compromise<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"edge-router-compromise\">Edge router compromise<\/h3>\n<p class=\"wp-block-paragraph\">Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This malicious re-configuration resulted in thousands of devices sending their DNS requests to actor-controlled servers.<\/p>\n<p class=\"wp-block-paragraph\">Typically, endpoint devices obtain network configuration settings from edge devices through Dynamic Host Configuration Protocol (DHCP). 
Exploiting SOHO devices requires minimal investment while providing wide visibility on compromised devices, allowing the actor to collect DNS traffic and passively observe DNS requests, which could facilitate follow-on collection activity as described in the next section.<\/p>\n<h3 class=\"wp-block-heading\" id=\"dns-hijacking\">DNS hijacking<\/h3>\n<p class=\"wp-block-paragraph\">Forest Blizzard is almost certainly using the dnsmasq utility to perform DNS resolution and provide responses while listening on port 53 for DNS queries. The dnsmasq utility is a legitimate tool that provides lightweight network services widely used in home routers or smaller networks. Among its services are DNS forwarding and caching and a DHCP server, which collectively enable upstream DNS query forwarding and IP address assignment on a local network.<\/p>\n<h3 class=\"wp-block-heading\" id=\"adversary-in-the-middle-attacks\">Adversary-in-the-middle attacks<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Threat Intelligence has observed AiTM attacks related to the initial access campaign. Although they target different endpoints, both are Transport Layer Security (TLS) AiTM attacks, allowing the threat actor to collect data being transmitted.<\/p>\n<p class=\"wp-block-paragraph\">In most cases, the DNS requests appear to have been transparently proxied by the actor\u2019s infrastructure, resulting in connections to the legitimate service endpoints without interruption. However, in a limited number of compromises, the threat actor spoofed DNS responses for specifically targeted domains to force impacted endpoints to connect to infrastructure controlled by the threat actor.<\/p>\n<p class=\"wp-block-paragraph\">The actor-controlled malicious infrastructure would then present an invalid TLS certificate to the victim, spoofing the legitimate Microsoft service. 
If the compromised user ignored warnings about the invalid TLS certificate, the threat actor could then actively intercept the underlying plaintext traffic\u2014potentially including emails and other customer content\u2014 within the TLS connection. Since Forest Blizzard does not always conduct AiTM activity after achieving initial access through DNS hijacking, the actor is likely using it selectively against targets of intelligence priority post-compromise:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>AiTM attack against Microsoft 365 domains<\/strong>: Microsoft observed Forest Blizzard conducting follow-on AiTM operations against a subset of domains associated with Microsoft Outlook on the web.<\/li>\n<li class=\"wp-block-list-item\"><strong>AiTM attack against specific government servers<\/strong>: Microsoft identified separate AiTM activity targeting non-Microsoft hosted servers in at least three government organizations in Africa, during which Forest Blizzard intercepted DNS requests and conducted follow-on collection.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"possible-post-compromise-activities\">Possible post-compromise activities<\/h3>\n<p class=\"wp-block-paragraph\">Forest Blizzard\u2019s DNS hijacking and AiTM activity allows the actor to conduct DNS collection on sensitive organizations worldwide and is consistent with the actor\u2019s longstanding remit to collect espionage against priority intelligence targets. 
Although we have only observed Forest Blizzard utilizing its DNS hijacking campaign for information collection, an attacker could use an AiTM position for additional outcomes, such as malware deployment or denial of service.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following mitigation steps to protect against this Forest Blizzard activity:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Protection against DNS hijacking<\/strong><\/p>\n<p class=\"wp-block-paragraph\"><strong>Protection against AiTM and credential theft<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Centralize your organization\u2019s identity management into a single platform. If your organization is a hybrid environment, integrate your on-premises directories with your cloud directories. If your organization is using a third party for identity management, ensure this data is being logged in a SIEM or connected to Microsoft Entra to fully monitor for malicious identity access from a centralized location.\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">The added benefits of centralizing all identity data are that it facilitates implementation of&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/manage-apps\/plan-sso-deployment?ocid=magicti_ta_learndoc\">Single Sign On (SSO)<\/a>, provides users with a more seamless authentication process, and lets Microsoft Entra\u2019s machine learning models operate on all identity data, so they learn the difference between legitimate access and malicious access more quickly and easily.<\/li>\n<li class=\"wp-block-list-item\">It is recommended to&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/connect\/how-to-connect-password-hash-synchronization?ocid=magicti_ta_learndoc\">synchronize all user accounts<\/a>&nbsp;except 
administrative and high privileged ones when doing this to maintain a boundary between the on-premises environment and the cloud environment, in case of a breach.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\">Strictly enforce multifactor authentication (MFA) and apply Conditional Access policies, particularly for privileged and high\u2011risk accounts, to reduce the impact of credential compromise. Use passwordless solutions like passkeys in addition to implementing MFA. <\/li>\n<li class=\"wp-block-list-item\">Implement\u202f<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc\" target=\"_blank\" rel=\"noreferrer noopener\">continuous access evaluation<\/a> and <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/identity-protection\/howto-identity-protection-configure-risk-policies?ocid=magicti_ta_learndoc\">implement a sign-in risk policy<\/a>&nbsp;to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn\u2019t authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates the risk level of a specific user or group. Based on the risk level (high\/medium\/low), a policy can be configured to block access or force multi-factor authentication. 
We recommend requiring multi-factor authentication on Medium or above risky sign-ins.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Follow best practices for <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/12\/21\/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises\/\">recovering from systemic identity compromises<\/a> outlined by Microsoft Incident Response.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-detection-and-hunting-guidance\">Microsoft Defender detection and hunting guidance<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> customers can refer to the following list of applicable detections. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n<p class=\"wp-block-paragraph\">The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 
Microsoft tracks the specific component of Forest Blizzard associated with this activity as Storm-2754.<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Forest Blizzard Actor activity detected<\/li>\n<li class=\"wp-block-list-item\">Storm-2754 activity<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"entra-id-protection\">Entra ID Protection<\/h3>\n<p class=\"wp-block-paragraph\">The following Microsoft Entra ID Protection risk detection informs Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known Forest Blizzard attack patterns identified by Microsoft Threat Intelligence research:&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"hunting\">Hunting<\/h3>\n<p class=\"wp-block-paragraph\">Because initial compromise and DNS modification occur at the router level, the following hunting recommendations focus on detecting post-compromise behavior.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Modifications to DNS settings<\/strong><\/p>\n<p class=\"wp-block-paragraph\">In identified activity, Forest Blizzard\u2019s compromise of an infected SOHO device resulted in the update of the default DNS setting on connected Windows machines.<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Identifying unusual modifications to DNS settings can be an indicator of malicious DNS hijacking activity.<\/li>\n<li class=\"wp-block-list-item\">Resetting the DNS settings and addressing vulnerable SOHO devices can resolve this activity, though these actions will not remediate an attacker who has managed to steal user credentials in follow-on AiTM activity.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\"><strong>Post-compromise activity<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Forest Blizzard\u2019s post-compromise AiTM activity could enable the actor to operate in the environment as a valid user. 
Establishing a baseline of normal user activity is important to be able to identify and investigate potentially anomalous actions. For Entra environments, Microsoft Entra ID Protection provides two important reports for daily activity monitoring:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/SecurityMenuBlade\/~\/RiskySignIns\">Risky sign-in reports<\/a> surface attempted and successful user access activities where the legitimate owner might not have performed the sign-in.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/SecurityMenuBlade\/~\/RiskyUsers\">Risky user reports<\/a> surface user accounts that might have been compromised, such as a leaked credential that was detected or the user signing in from an unexpected location in the absence of planned travel.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Defenders can surface highly suspicious or successful risky sign-ins using the following advanced hunting query in the Microsoft Defender XDR portal:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"13\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nAADSignInEventsBeta\n| where RiskLevelAggregated == 100 \/\/ aggregated risk level High\n| where ErrorCode == 0 or ErrorCode == 50140 \/\/ successful sign-in, or one interrupted only by the \"Keep me signed in\" prompt\n| project Timestamp, Application, LogonType, AccountDisplayName, UserAgent, IPAddress\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\">After stealing credentials, Forest Blizzard could potentially carry out a range of activity against targets as a legitimate user. 
For Microsoft 365 environments, the <em>ActionType<\/em> \u201cSearch\u201d or \u201cMailItemsAccessed\u201d in the <em>CloudAppEvents<\/em> table in the Defender XDR portal can provide some information on user search activities, including the Microsoft Defender for Cloud Apps connector that surfaces activity unusual for that user.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"9\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nCloudAppEvents\n| where AccountObjectId == \" \" \/\/ limit results to specific suspicious user accounts by adding the user here\n| where ActionType has_any (\"Search\", \"MailItemsAccessed\")\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/ai-machine-learning\/microsoft-security-copilot\">Microsoft Security Copilot<\/a> is <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">embedded in Microsoft Defender<\/a> and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.<\/p>\n<p class=\"wp-block-paragraph\">Customers can also <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-agents-defender\">deploy AI agents<\/a>, including the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/agents-overview\">Microsoft Security Copilot agents<\/a>, to perform security tasks efficiently:<\/p>\n<p class=\"wp-block-paragraph\">Security Copilot is also available as a <a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/experiences-security-copilot\">standalone experience<\/a> where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. 
In addition, Security Copilot offers <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/developer\/custom-agent-overview\">developer scenarios<\/a> that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h3>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/07\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executive summary Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor&#8217;s malicious infrastructure.<br \/>\nThe post SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[10758,1418,10855,10755],"class_list":["post-60450","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-adversary-in-the-middle-aitm","tag-cyberespionage","tag-forest-blizzard-strontium","tag-state-sponsored-threat-actor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-07T14:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks\",\"datePublished\":\"2026-04-07T14:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/\"},\"wordCount\":1995,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp\",\"keywords\":[\"Adversary-in-the-middle (AiTM)\",\"cyberespionage\",\"Forest Blizzard (STRONTIUM)\",\"State-sponsored threat actor\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/\",\"name\":\"SOHO router compromise leads to DNS 
hijacking and adversary-in-the-middle attacks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp\",\"datePublished\":\"2026-04-07T14:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-atta
cks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Adversary-in-the-middle (AiTM)\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/adversary-in-the-middle-aitm\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/","og_locale":"en_US","og_type":"article","og_title":"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-07T14:00:00+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks","datePublished":"2026-04-07T14:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/"},"wordCount":1995,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp","keywords":["Adversary-in-the-middle (AiTM)","cyberespionage","Forest Blizzard (STRONTIUM)","State-sponsored threat actor"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/","url":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/","name":"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp","datePublished":"2026-04-07T14:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Forest-Blizzard-DNS-hijcaking-attack-chain.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Adversary-in-the-middle 
(AiTM)","item":"https:\/\/www.threatshub.org\/blog\/tag\/adversary-in-the-middle-aitm\/"},{"@type":"ListItem","position":3,"name":"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60450"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60450\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}