Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
ID: 55554c3f-e6e9-53d8-a5c3-7df152d96165
STIX ID: report--55554c3f-e6e9-53d8-a5c3-7df152d96165
Feed Name: Infoblox Blog
This report details a persistent campaign in which attackers compromise routers and configure them to use shadow DNS resolvers operated from Aeza International (AS210644). The operators use an EDNS0-avoidance trick and an HTTP-based TDS to fingerprint users and funnel their traffic to affiliate/adtech links or malicious content. The infrastructure has been active for years, includes dozens of recursive resolvers (examples are listed in the report), and enables potential adversary-in-the-middle actions beyond advertising.