May 01, 2026 · 9 min read
Russia's GRU Stopped Using Malware—It Just Changed the DNS on 18,000 Home Routers to Steal Outlook Email
Lumen tracked GRU Unit 26165 compromising 18,000 SOHO routers across 120 countries to mount adversary in the middle attacks against Microsoft 365 logins—targeting foreign ministries, law enforcement, and a national identity platform. The campaign ran for 8 months without a single piece of malware on a target's network.
FrostArmada in Three Lines
A US led international operation announced on April 7, 2026 disrupted what Lumen's Black Lotus Labs called FrostArmada—a router compromise campaign run by Russia's GRU Unit 26165, the same group tracked variously as Forest Blizzard, APT28, Fancy Bear, STRONTIUM, and Sofacy.
The shape of the attack, per Krebs on Security's reporting:
- Compromise small office/home office (SOHO) routers through known, unpatched vulnerabilities, mostly older MikroTik and TP-Link models marketed to home and small business users.
- Quietly change the DNS settings on those routers so every device behind them resolved certain authentication domains through attacker controlled servers.
- Run an adversary in the middle proxy at the redirected addresses. When a victim opened Outlook on the web, the proxy intercepted the OAuth handshake and walked away with a valid Microsoft 365 token.
There was no malware on the victim's laptop. There was no malware on the company's mail server. There was a home router, or one in a small consulting partner's office, that the GRU had quietly repointed at a resolver of its own, and nobody behind it noticed that the DNS server was not the one they thought they were using.
Why the GRU Stopped Using Malware
For years, Forest Blizzard's tradecraft depended on malware. Implants on the routers it took over gave Moscow persistent control of the devices and a pool of geographically diverse residential IP space to stage operations from, and endpoint malware did the actual token theft. Both left forensic artifacts that defenders could attribute and signature.
On August 5, 2025, the UK's National Cyber Security Centre published its analysis of Authentic Antics, the Outlook-targeting credential and token stealer the group had been using. Lumen's report describes what happened next: "Lumen saw widespread router exploitation and DNS redirection beginning the next day." The GRU read the advisory, dropped the implant approach, and pivoted to something simpler.
The new tradecraft was administrative rather than implant driven. Exploitation, where it was needed at all, was only the way in: the attackers logged into the router's web interface with known default credentials or an unpatched authentication bypass, opened the DNS settings page, and changed the upstream DNS server to a virtual private server under their control. Nothing was installed. As one researcher quoted by Krebs put it: "These guys didn't use malware. They did this in an old school, graybeard way that isn't really sexy but it gets the job done."
The DNS Redirect Works Because the User Overrides the Browser
Once a router's DNS resolver belongs to the attacker, every device on the home network—laptop, phone, tablet, smart TV—asks the attacker's server for IP addresses. The attacker's resolver is selective: most domain lookups get the right answer, returned at normal speed, indistinguishable from a legitimate ISP resolver. A tiny number of domains—the authentication endpoints for Microsoft 365 and a few specific email providers—get pointed to a different IP, owned by the attacker, running an adversary in the middle proxy.
When a victim navigates to outlook.com, the browser opens a TLS connection to whatever IP the resolver handed back. The attacker's proxy cannot obtain a publicly trusted certificate for a name it does not control, so it presents one that does not match, and the browser shows a certificate warning. The user clicks through. They click through because they have clicked through dozens of certificate warnings before: on hotel WiFi, on captive portals, on enterprise networks with self-signed inspection certificates. In their experience the warning is the kind of false positive that gets cleared with "advanced" and "proceed anyway". (For hostnames the browser holds an HSTS policy for, it offers no bypass at all; the click-through only works on endpoints without that protection.)
From there, the proxy is a transparent Evilginx-style relay. It forwards the credentials and the OAuth challenge to the real Microsoft endpoint, which, satisfied, issues a real session cookie and a real OAuth token. The proxy keeps copies and forwards the response to the victim, so the login "works". The token in the GRU's database is valid and replayable from any IP and any user agent until it expires, unless a Conditional Access policy (a compliant-device requirement, or token protection that binds the session to the device it was issued to) rejects the replay.
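The replay in the last sentence leaves a trace on the identity provider's side, which is the vantage point Microsoft brought to the takedown. The following is an added example for this article, not Microsoft's or Lumen's detection logic: it walks a handful of constructed sign-in records (field names modelled on what an Entra ID sign-in log carries, values invented) and flags any session whose token shows up from a second network location or user agent within a short window. The hosting range is likewise a constructed stand-in for real ASN data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (field names modelled on Entra ID sign-in logs; values invented).
# s-1a2b: a browser login from a residential IP, then the same session from a VPS with a scripted UA.
# s-9f9f: the same session from two nearby residential IPs hours apart, ordinary re-addressing.
SAMPLE_SIGNINS = [
    {"time": "2025-12-03T08:02:11Z", "user": "a.diplomat@example.gov", "session": "s-1a2b",
     "ip": "198.51.100.24", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/133.0"},
    {"time": "2025-12-03T08:02:15Z", "user": "a.diplomat@example.gov", "session": "s-1a2b",
     "ip": "198.51.100.24", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/133.0"},
    {"time": "2025-12-03T08:09:40Z", "user": "a.diplomat@example.gov", "session": "s-1a2b",
     "ip": "203.0.113.77", "ua": "python-requests/2.32.3"},
    {"time": "2025-12-03T09:15:00Z", "user": "b.clerk@example.gov", "session": "s-9f9f",
     "ip": "198.51.100.30", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15"},
    {"time": "2025-12-03T11:40:00Z", "user": "b.clerk@example.gov", "session": "s-9f9f",
     "ip": "198.51.100.31", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15"},
]

# Constructed stand-in for hosting/VPS address space; in production feed ASN or hosting-provider data.
HOSTING_RANGES = [ip_network("203.0.113.0/24")]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_hosting(ip: str) -> bool:
    return any(ip_address(ip) in net for net in HOSTING_RANGES)


def find_replayed_sessions(records: list[dict], window: timedelta = timedelta(hours=1)) -> dict[str, dict]:
    """Flag each session seen from a second (ip, user agent) within `window` of its first sighting.

    Severity is 'high' when the user agent changed (a browser-issued token now driven by a
    script) or the second source is hosting space; 'medium' for an IP-only change, which
    mobile carrier re-addressing also produces.
    """
    by_session: dict[str, list[dict]] = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    findings: dict[str, dict] = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        first = recs[0]
        for rec in recs[1:]:
            if parse_time(rec["time"]) - parse_time(first["time"]) > window:
                break  # sorted, so everything after this is outside the window too
            if rec["ip"] == first["ip"] and rec["ua"] == first["ua"]:
                continue
            reasons = []
            if rec["ua"] != first["ua"]:
                reasons.append("user_agent_changed")
            if rec["ip"] != first["ip"]:
                reasons.append("ip_changed")
            if is_hosting(rec["ip"]):
                reasons.append("hosting_ip")
            severe = "user_agent_changed" in reasons or "hosting_ip" in reasons
            findings[sid] = {"user": rec["user"], "first_ip": first["ip"], "first_seen": first["time"],
                             "replay_ip": rec["ip"], "replay_seen": rec["time"],
                             "severity": "high" if severe else "medium", "reasons": reasons}
            break  # one finding per session is enough to open a ticket
    return findings


if __name__ == "__main__":
    for sid, f in find_replayed_sessions(SAMPLE_SIGNINS).items():
        print(f"{f['severity'].upper():6} session {sid} for {f['user']}: {f['first_ip']} at "
              f"{f['first_seen']} then {f['replay_ip']} at {f['replay_seen']} ({', '.join(f['reasons'])})")
```

The medium/high split is what keeps this from paging on every phone that moves between WiFi and a carrier address: that changes the IP but not the user agent, while a browser token replayed by tooling changes the user agent, or appears from hosting space, or both. Widening the window turns the second sample session into a medium finding, which is the right place to tune for your own population.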
18,000 IPs, 120 Countries, the Targets That Mattered
At its December 2025 peak, Lumen tracked more than 18,000 unique IP addresses in at least 120 countries communicating with Forest Blizzard's infrastructure. The blast radius was global, but the operation was selective. Lumen attributed actual victim status to roughly 200 organizations and 5,000 consumer devices—the others were collateral exposure that the campaign apparently did not act on.
The targets, per Lumen, were the ones a Russian intelligence service would prioritize:
- Ministries of foreign affairs in North African, Central American, and Southeast Asian countries
- National law enforcement agencies in those same regions
- A European national identity platform
- Third party IT and hosting providers in Europe—the kind of vendor that operates email infrastructure for multiple government clients
The geographic scatter is a feature. By compromising a router in a foreign ministry employee's home, the GRU obtained Outlook tokens from a residential IP that looked nothing like known threat-actor infrastructure, and nothing like the ministry's own offices either. We have covered state actors targeting government and journalist email through other mechanisms; FrostArmada is the home-network half of the same playbook. Iran's MuddyWater group works the other direction toward the same goal of mis-triage, wrapping an espionage operation in fake ransomware so it is handled as commodity crime.
The Routers in Question Were All End of Life
The compromised devices were not the routers consumers buy this year. They were the routers consumers bought five to eight years ago, never updated, and forgot about. Lumen's recommended remediation list begins with: "Remove all end of life equipment from both personal and corporate networks."
The exact CVEs were not published in the Lumen blog, but the company noted that the actor "exploited CVEs associated with vulnerabilities in the web interface on TP-Link and MikroTik routers" and referenced older Fortinet enterprise firewalls as a parallel target class. The common factor across all three is a web administration interface reachable from the public internet on a device whose firmware has not received an update in years.
The math the GRU did was straightforward: there are millions of these devices online globally, a meaningful fraction belong to people whose email is worth reading, and bulk vulnerability scanning costs almost nothing. Once the attacker had administrative access, the change was a single DNS field. There were no second stage payloads to maintain, no command and control infrastructure to harden against takedown, no malware signatures to evade. The router itself was the implant.
How the Operation Got Disrupted
The takedown, announced April 7, 2026, was a multi-party effort: Lumen Technologies (which contributed network telemetry from its global backbone), Microsoft (which sees the OAuth side of the problem and had been watching Outlook on the web request anomalies), the FBI, the Department of Justice, and international partners. BleepingComputer's coverage describes the operation as taking the malicious DNS resolver infrastructure offline. Because the routers themselves were untouched and still pointed at the attacker's resolver addresses, that meant taking those addresses out of the attacker's hands, by seizing them or otherwise cutting them off, rather than fixing anything on the victim side.
The takedown breaks the campaign's current operational tempo. It does not replace the firmware on 18,000 routers, fix the underlying CVEs, or stop the next operator who buys the same playbook. The infrastructure can be rebuilt on different VPS providers within a week. The home routers will still be compromised the next morning unless their owners reset them and apply firmware updates that, in many cases, the manufacturer has stopped publishing.
What Anyone With a Home Router Should Do This Week
FrostArmada's targeting was governmental, but the technique is portable. The same tradecraft works against any home or small office user whose router model is in a similar end of life state. The defensive moves are concrete and universal:
- Check your router's firmware date. Log into the admin interface (the IP is usually on a sticker on the device). If the firmware build is more than two years old or the manufacturer has stopped publishing updates for your model, replace the router.
- Change the admin password to something unique. Default combinations such as admin/admin or admin/password were one of the two ways in; the other was unpatched web-interface CVEs, which a password change does not fix, so do this alongside the firmware check rather than instead of it.
- Verify your DNS settings. Check both the WAN (upstream) DNS entries and the DNS server the router's DHCP hands to clients, since the latter is what your devices actually use. They should be your ISP's resolver, 1.1.1.1 (Cloudflare), 8.8.8.8 (Google), or 9.9.9.9 (Quad9). If the entries are anything else, an unfamiliar address you did not set, treat the router as compromised: factory reset, reflash with the newest available firmware, set the DNS yourself, and re-check a day later.
- Disable remote administration. If you don't need to manage the router from the public internet, the WAN side admin interface should be off.
- Use phishing-resistant MFA on Microsoft 365 and Google Workspace. Hardware security keys and passkeys bind the credential to the origin the browser believes it is talking to, so the proxy can relay TOTP codes and push approvals but cannot complete a FIDO handshake for a different origin. One caveat: that origin check is only as good as the browser's knowledge of the origin, and that knowledge comes from TLS. A DNS hijack puts the real domain in the address bar, so a user who has already clicked past the certificate warning has weakened the guarantee the passkey relies on. Pair this item with the next one, and with a compliant-device Conditional Access policy where you can.
- Take TLS warnings seriously. A certificate warning on a major email provider's login domain means the connection is not reaching that provider, whatever the cause. Close the tab, try from a different network, and tell IT. Do not click "proceed anyway".
The Inbox Is the Asset
The FrostArmada campaign reframes a question that often gets asked the wrong way around. The question is not "what's the security posture of my Microsoft 365 tenant." The question is "what's the security posture of every network my Microsoft 365 token has been seen on this year." A foreign ministry's email infrastructure can be hardened to the limits of the budget. The home router belonging to one of its diplomats, on a residential ISP in a third country, was the soft target the GRU spent eight months exploiting.
The same logic applies to journalists, activists, and anyone whose email is worth reading to a state. The inbox is the asset. The path to the inbox runs through the user's network—and on most user networks, the weakest device in the chain is a router that hasn't been updated since the operating system on the laptop next to it was on a previous major version.
The takedown bought a window. It did not change the structural fact that millions of vulnerable devices remain online, and that the next operator to weaponize them will not need a malware family that the NCSC can publish a report about.