SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
ID: 9e98725f-9f3a-5187-bdaf-f080c67f6aa4
STIX ID: report--9e98725f-9f3a-5187-bdaf-f080c67f6aa4
Feed Name: Microsoft Security
Forest Blizzard (Storm-2754), a Russian military-linked threat actor, has been exploiting insecure small-office/home-office routers since at least August 2025 to change DNS settings and funnel DNS traffic to actor-controlled resolvers. This access has enabled large-scale DNS collection and selective TLS adversary-in-the-middle (AiTM) attacks, including interceptions against Microsoft Outlook on the web and targeted government servers. Microsoft has observed impacts to over 200 organizations and about 5,000 consumer devices and provides mitigation and hunting guidance.
