Russian APT28 exploits home routers for espionage and AiTM attacks
Published 2026-04-08 10:50 UTC. Updated 2026-04-08 13:50 UTC.
Tags: cve, exploits, breaches, malware, threat_actors, advisories
Evidence trail: 4 top source domains shown (domains are deduped; counts indicate coverage, not truth).
Overview
The Russian threat group APT28, also known as Forest Blizzard, has been conducting a widespread cyber espionage campaign by compromising home and small office routers.
Entities: Microsoft, TP-Link, MikroTik, PRISMEX
Metrics
- Score total: 1.4
- Momentum 24h: 4
- Posts: 4
- Origins: 4
- Source types: 1
- Duplicate ratio: 0%
Why now
- Recent US actions have disrupted part of the operation, signaling active countermeasures.
- New malware PRISMEX deployment shows evolving tactics by APT28 against Ukraine and NATO allies.
- Thousands of devices and hundreds of organizations remain vulnerable to these ongoing attacks.
Why it matters
- APT28’s router hijacking enables stealthy interception of sensitive cloud and email traffic.
- The campaign targets critical sectors, posing risks to government and infrastructure security.
- US disruption efforts highlight the ongoing geopolitical cyber conflict involving state-sponsored espionage.
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: high
Recurring claims
- APT28 compromises home and small office routers to hijack DNS and spy on users
- APT28 uses router compromises to launch adversary-in-the-middle attacks targeting Microsoft Outlook and cloud services
- APT28 deployed PRISMEX malware in spear-phishing campaigns against Ukraine and NATO allies
How sources frame it
- Malwarebytes Threat Analysis: neutral
- CSO Online: neutral
- SecurityWeek: neutral
- The Hacker News: neutral
All evidence
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
The Hacker News · thehackernews.com · 2026-04-08 13:50 UTC
Russian hacking group targets home and small office routers to spy on users
Malwarebytes Threat Analysis · malwarebytes.com · 2026-04-08 13:31 UTC
US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
SecurityWeek · securityweek.com · 2026-04-08 10:54 UTC
Forest Blizzard leverages router compromises to launch AiTM attacks, target Outlook sessions
CSO Online · csoonline.com · 2026-04-08 10:50 UTC
Top publishers (this list)
- The Hacker News (1)
- Malwarebytes Threat Analysis (1)
- SecurityWeek (1)
- CSO Online (1)
Top origin domains (this list)
- thehackernews.com (1)
- malwarebytes.com (1)
- securityweek.com (1)
- csoonline.com (1)