Signal
Russian military hackers exploit SOHO routers to steal Microsoft Office tokens and conduct espionage
Published 2026-04-07 14:00 UTC. Updated 2026-04-07 19:48 UTC.
Tags: cve, exploits, breaches, malware, threat_actors, advisories
Overview
Since at least August 2025, Forest Blizzard (also tracked as APT28 and Fancy Bear), a threat actor linked to Russian military intelligence, has been compromising vulnerable small office/home office (SOHO) routers worldwide, hijacking their DNS settings to run adversary-in-the-middle attacks that steal Microsoft Office authentication tokens.
Entities
Microsoft, Black Lotus Labs, Lumen, Forest Blizzard, APT28, Fancy Bear, Storm-2754
Score total: 1.49. Momentum 24h: 5. Posts: 5. Origins: 5. Source types: 1. Duplicate ratio: 0%.
Why now
- The campaign has been active since at least August 2025 and continues to affect thousands of networks.
- Recent disclosures by Microsoft, UK NCSC, and security researchers highlight ongoing risks.
- Operators of affected SOHO routers should verify the devices' DNS settings and remediate compromised units to stop further espionage and data theft.
Why it matters
- Compromised SOHO routers enable stealthy espionage and credential theft without deploying malware: changing the router's DNS settings is enough to redirect victims' traffic.
- Hijacked DNS settings facilitate adversary-in-the-middle attacks on critical sectors including government and energy.
- Awareness and mitigation are crucial to protect vulnerable consumer and small office network devices.
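The two indicators above (router DNS settings changed, sign-in traffic redirected to attacker infrastructure) can be checked from inside an affected LAN. The script below is an added example written for this brief, not code from Microsoft's report or any of the sources listed here. It assumes the inputs are collected out of band: the upstream resolvers from the router's admin page, and `dig +short <host> @<router-ip>` captures taken once through the router and once through a trusted path such as DNS over HTTPS to a known resolver. The allowlist, the hostname list, the sample captures and every address in them (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for attacker and genuine Microsoft infrastructure) are constructed.

```python
"""Added example (not from Microsoft's report or the sources above): two offline
checks for the router DNS hijacking this campaign relies on. All inputs below are
constructed sample data; real inputs come from the router admin page and from
`dig +short <host> @<resolver>` captures."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: the upstream resolvers this office expects its router to use.
TRUSTED_FORWARDERS = {"9.9.9.9", "149.112.112.112"}

# Sign-in hostnames an adversary-in-the-middle must intercept to capture tokens (assumed list).
SENSITIVE_HOSTS = ("login.microsoftonline.com", "login.live.com", "outlook.office365.com")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": strong hijack signal; "medium": needs confirmation
    host: str      # affected hostname, or "-" for router-level findings
    detail: str


def parse_dig_short(output: str) -> set[str]:
    """Extract IPv4 answers from `dig +short` output; CNAME lines are skipped."""
    addrs = set()
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.IPv4Address(line)
        except ValueError:
            continue  # CNAME target, blank line or other non-address text
        addrs.add(line)
    return addrs


def check_forwarders(router_forwarders, trusted=TRUSTED_FORWARDERS) -> list[Finding]:
    """Any upstream resolver outside the allowlist is the primary hijack indicator."""
    return [Finding("high", "-", f"router forwards DNS to unexpected resolver {fw}")
            for fw in router_forwarders if fw not in trusted]


def check_answers(via_router, via_trusted, router_forwarders) -> list[Finding]:
    """Compare A records for sign-in hosts as seen through the router and through a
    trusted path. CDNs legitimately answer differently per resolver, so disjoint
    answers alone are only "medium"; an answer that is the rogue resolver itself
    or an RFC 1918 address is "high"."""
    findings = []
    for host in SENSITIVE_HOSTS:
        r, t = via_router.get(host, set()), via_trusted.get(host, set())
        if not r:
            findings.append(Finding("medium", host, "no A record via router resolver"))
            continue
        if r & t:
            continue  # at least one shared address: consistent with the trusted view
        rogue = {a for a in r
                 if a in router_forwarders
                 or any(ipaddress.ip_address(a) in net for net in RFC1918)}
        findings.append(Finding("high" if rogue else "medium", host,
                                f"router answers {sorted(r)} share nothing with trusted {sorted(t)}"))
    return findings


def run_checks(router_forwarders, via_router_raw, via_trusted_raw) -> list[Finding]:
    """Parse raw dig captures for both paths and run both checks."""
    via_router = {h: parse_dig_short(o) for h, o in via_router_raw.items()}
    via_trusted = {h: parse_dig_short(o) for h, o in via_trusted_raw.items()}
    return check_forwarders(router_forwarders) + check_answers(via_router, via_trusted, router_forwarders)


# Constructed sample: 203.0.113.0/24 stands in for attacker infrastructure,
# 198.51.100.0/24 for genuine Microsoft addresses. Neither is real data.
SAMPLE_ROUTER_FORWARDERS = ["9.9.9.9", "203.0.113.53"]  # second entry: rogue resolver
SAMPLE_VIA_ROUTER = {
    "login.microsoftonline.com": "login.mso.example.\n203.0.113.53\n",  # resolves to the rogue resolver
    "login.live.com": "203.0.113.77\n",
    "outlook.office365.com": "outlook.ms-acdc.example.\n198.51.100.10\n",
}
SAMPLE_VIA_TRUSTED = {
    "login.microsoftonline.com": "login.mso.example.\n198.51.100.20\n198.51.100.21\n",
    "login.live.com": "198.51.100.30\n",
    "outlook.office365.com": "outlook.ms-acdc.example.\n198.51.100.10\n",
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_ROUTER_FORWARDERS, SAMPLE_VIA_ROUTER, SAMPLE_VIA_TRUSTED):
        print(f"[{f.severity}] {f.host}: {f.detail}")
```

Run as a script, the sample data produces one high finding for the unexpected forwarder, one high finding for login.microsoftonline.com (its answer is the rogue resolver itself) and one medium finding for login.live.com. Medium findings should be confirmed before action, for example by inspecting the TLS certificate served at the router-returned address or by comparing it with Microsoft's published endpoint ranges, since anycast and CDN steering can produce different legitimate answers per resolver.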
LLM analysis
Topic mix: low. Promo risk: low. Source quality: high.
Recurring claims
- Russian military intelligence-linked hackers have compromised over 18,000 networks and 5,000 consumer devices by exploiting SOHO router vulnerabilities to hijack DNS settings and steal Microsoft Office authentication...
How sources frame it
- Microsoft Threat Intelligence: neutral
This campaign underscores the critical need for securing consumer and small office routers to prevent state-sponsored espionage.
All evidence
Russian Hackers Hit SOHO Routers in Cyberespionage Campaign
BankInfoSecurity · bankinfosecurity.com · 2026-04-07 19:48 UTC
Russia Hacked Routers to Steal Microsoft Office Tokens
krebsonsecurity · krebsonsecurity.com · 2026-04-07 17:02 UTC
Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns
The Register Security · go.theregister.com · 2026-04-07 17:02 UTC
Russian cyber spies targeting consumer, Soho routers
ComputerWeekly IT Security · computerweekly.com · 2026-04-07 14:55 UTC
SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
Microsoft Security Blog · microsoft.com · 2026-04-07 14:00 UTC
Top publishers (this list)
- BankInfoSecurity (1)
- krebsonsecurity (1)
- The Register Security (1)
- ComputerWeekly IT Security (1)
- Microsoft Security Blog (1)
Top origin domains (this list)
- bankinfosecurity.com (1)
- krebsonsecurity.com (1)
- go.theregister.com (1)
- computerweekly.com (1)
- microsoft.com (1)