Attackers quietly compromise old routers and reroute DNS traffic to a shadow network, steering users toward malicious destinations.
Infoblox Threat Intel has uncovered a global campaign where attackers silently break into outdated routers and take control of one of the internet’s most fundamental trust mechanisms: DNS. Once inside, the actor reroutes DNS queries to a hidden, attacker‑controlled infrastructure, turning home and office networks into unknowingly compromised environments.
The effect is similar to hijacking a digital map. You enter the correct destination, but someone else decides where you actually go. Most of the time, it appears normal; occasionally, it diverts you somewhere profitable for the attacker. Crucially, every device on the Wi‑Fi (laptops, phones, smart home gear) gets caught in the same manipulation.
How the Attack Works
Infoblox’s research shows the threat actor is infiltrating older routers worldwide and altering just one setting: DNS resolution. Instead of sending DNS queries to the user’s Internet Service Provider (ISP), compromised routers forward them to resolvers hosted by Aeza International, a “bulletproof” hosting provider sanctioned by the U.S. government in July 2025.
These shadow DNS resolvers behave normally for major domains like Google, but for many others they unpredictably redirect users to an attacker‑run Traffic Distribution System (TDS).
Once traffic enters the TDS, the attackers fingerprint each user to confirm the request came from a compromised router. If validated, victims are quietly funneled through affiliate schemes and often on to malicious content: a hidden monetization pipeline that exploits everyday browsing.
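The selective behaviour described above (honest answers for major domains, rewritten answers for others, and only some of the time) is what makes the hijack hard to notice from a single lookup. A defender can surface it by querying the same names through the resolver the router hands out and through a resolver they trust, repeating the queries, and listing names whose answers diverge. The script below is an added example written for this article, not Infoblox's tooling; the trusted answers, the placeholder IP addresses and the "intermittent hijack" resolver are all constructed so it runs offline, and in practice the two resolver functions would wrap real DNS queries.

```python
"""Differential DNS resolution check (added example, not Infoblox's tooling).

Compare answers from the router-configured resolver against answers from a
resolver you trust (your ISP's or a corporate one) for a fixed list of names.
A hijacked resolver that behaves normally for big brands but rewrites other
names shows up as a short list of divergent names. Both resolvers here are
constructed lookup tables so the script runs offline.
"""
from collections import defaultdict
from typing import Callable, Dict, FrozenSet, Iterable

Resolver = Callable[[str], FrozenSet[str]]

# Constructed trusted answers (placeholder addresses, not real records).
TRUSTED_ANSWERS: Dict[str, FrozenSet[str]] = {
    "search.example": frozenset({"203.0.113.10"}),
    "shop.example": frozenset({"203.0.113.20"}),
    "news.example": frozenset({"203.0.113.30"}),
}


def trusted_resolver(name: str) -> FrozenSet[str]:
    """Stand-in for a query to a resolver you trust."""
    return TRUSTED_ANSWERS.get(name, frozenset())


class IntermittentHijackResolver:
    """Constructed stand-in for a router-configured resolver that answers
    honestly for most names and only rewrites selected names every Nth query,
    mirroring the 'normal for major domains, unpredictable for others' pattern."""

    def __init__(self, rewritten: Dict[str, str], every_nth: int = 2):
        self.rewritten = rewritten
        self.every_nth = every_nth
        self.calls = defaultdict(int)

    def __call__(self, name: str) -> FrozenSet[str]:
        self.calls[name] += 1
        if name in self.rewritten and self.calls[name] % self.every_nth == 0:
            return frozenset({self.rewritten[name]})
        return trusted_resolver(name)


def find_divergent(names: Iterable[str], trusted: Resolver, suspect: Resolver,
                   attempts: int = 4) -> Dict[str, FrozenSet[str]]:
    """Return {name: unexpected_ips} for every name where the suspect resolver
    returned at least one address the trusted resolver never did.
    Each name is queried `attempts` times because the rewrite is intermittent;
    a single query can easily miss it."""
    divergent: Dict[str, FrozenSet[str]] = {}
    for name in names:
        expected = trusted(name)
        seen = set()
        for _ in range(attempts):
            seen |= set(suspect(name))
        unexpected = frozenset(seen - expected)
        if unexpected:
            divergent[name] = unexpected
    return divergent


def run_demo() -> Dict[str, FrozenSet[str]]:
    """Constructed scenario: only shop.example is rewritten, every 2nd query."""
    suspect = IntermittentHijackResolver({"shop.example": "198.51.100.77"})
    return find_divergent(TRUSTED_ANSWERS, trusted_resolver, suspect)


if __name__ == "__main__":
    for name, ips in run_demo().items():
        print(f"{name}: unexpected answers {sorted(ips)}")
```

Running the demo reports only `shop.example`, with the placeholder address `198.51.100.77` as the unexpected answer; with `attempts=1` the same resolver passes clean, which is exactly why repeated queries matter for this pattern.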
What Researchers Found
- Global footprint: Router compromises have been observed across more than three dozen countries, indicating a highly distributed and ongoing campaign.
- Silent DNS takeover: Attackers remotely modify router DNS settings, redirecting all connected devices (phones, laptops, IoT gadgets) to Aeza‑hosted “shadow” resolvers.
- Malicious routing via TDS: After fingerprinting, victims are pushed through adtech platforms that frequently culminate in harmful sites.
The Core Risk: Trust in DNS
“Most people never think about who their router asks for directions on the internet; they just trust that the answer is right,” said Renée Burton, Vice President of Infoblox Threat Intel. “This campaign shows how dangerous it is when that trust is quietly hijacked: once attackers control DNS on the router, they gain a silent steering wheel for every internet connection behind it and can turn ordinary browsing into a profitable detour.”
How Users and Organisations Can Protect Themselves
For individuals, the most practical fix is straightforward: upgrade to a modern router, as older devices are disproportionately vulnerable.
For organisations, Infoblox advises treating DNS as mission‑critical security infrastructure. That means implementing controls capable of detecting and blocking traffic heading toward known malicious or shadow resolver networks before users are silently redirected.
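One concrete form of the control recommended above is to audit outbound DNS traffic at the network edge and alert on any resolver destination that is not on the approved list, with a separate verdict for destinations that match a threat-intel block list. The script below is an added example, not Infoblox's product or anything from the research; the flow-log format, the approved resolver addresses and the "known shadow resolver" range are all constructed placeholders, not addresses from the article.

```python
"""Outbound DNS destination audit (added example, not Infoblox's product).

Treats DNS as security infrastructure: any DNS or DNS-over-TLS flow leaving
the network for a server that is not an approved resolver is a finding.
Log lines are constructed in a simple flow format
(timestamp src_ip dst_ip proto dst_port); all addresses are placeholders.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Set

# Resolvers this network is allowed to use (placeholder: one corporate
# resolver plus a small ISP resolver range).
APPROVED_RESOLVERS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.53/32", "203.0.113.0/30")]
# Block list that would be fed from threat intel; placeholder range only.
KNOWN_SHADOW_RESOLVERS = [ipaddress.ip_network("198.51.100.0/24")]
# Plain DNS over UDP/TCP and DNS-over-TLS.
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}

# Constructed sample flows: two hosts talk to the ISP resolvers, two hosts
# have been steered to the block-listed range, one host uses an unknown
# resolver, and one line is ordinary HTTPS that must be ignored.
SAMPLE_FLOWS = """\
2025-09-01T08:00:01 192.168.1.20 203.0.113.1 udp 53
2025-09-01T08:00:02 192.168.1.21 203.0.113.2 udp 53
2025-09-01T08:00:05 192.168.1.20 198.51.100.9 udp 53
2025-09-01T08:00:06 192.168.1.22 198.51.100.9 tcp 853
2025-09-01T08:00:07 192.168.1.23 93.184.216.34 tcp 443
2025-09-01T08:00:08 192.168.1.21 192.0.2.53 udp 53
2025-09-01T08:00:09 192.168.1.22 10.0.0.53 udp 53
"""


def classify_destination(dst: str) -> str:
    """Verdict for a DNS destination: approved, known_shadow or unapproved."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in APPROVED_RESOLVERS):
        return "approved"
    if any(addr in net for net in KNOWN_SHADOW_RESOLVERS):
        return "known_shadow"
    return "unapproved"


def audit_dns_flows(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {verdict: {dst_ip: {src_ips}}} for DNS-looking flows whose
    destination is not an approved resolver. Many distinct sources talking to
    the same unapproved resolver is the signature of a router-level rewrite
    rather than a single misconfigured host."""
    findings: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the audit
        _, src, dst, proto, port = parts
        if (proto.lower(), int(port)) not in DNS_PORTS:
            continue
        verdict = classify_destination(dst)
        if verdict != "approved":
            findings[verdict][dst].add(src)
    return {verdict: dict(by_dst) for verdict, by_dst in findings.items()}


def affected_sources(log_text: str) -> int:
    """Count distinct internal hosts seen sending DNS to non-approved resolvers."""
    hosts: Set[str] = set()
    for by_dst in audit_dns_flows(log_text).values():
        for srcs in by_dst.values():
            hosts |= srcs
    return len(hosts)


if __name__ == "__main__":
    for verdict, by_dst in audit_dns_flows(SAMPLE_FLOWS).items():
        for dst, srcs in by_dst.items():
            print(f"[{verdict}] {dst} <- {sorted(srcs)}")
    print(f"{affected_sources(SAMPLE_FLOWS)} hosts using non-approved resolvers")
```

On the constructed sample the audit reports the block-listed resolver `198.51.100.9` with two internal sources and the unknown resolver `192.0.2.53` with one; the HTTPS flow is ignored because only DNS ports are considered. In a real deployment the same logic would read exported flow records or firewall logs, and the block-listed range would be populated from a threat-intel feed rather than hard-coded.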
