Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
ID: 4269a34c-e503-532c-a98d-f8f01cb9ec4b
STIX ID: report--4269a34c-e503-532c-a98d-f8f01cb9ec4b
Feed Name: Infoblox Threat Intel Blog
This report describes a long-running campaign in which routers were compromised and their DNS settings changed to point at shadow resolvers hosted by a bulletproof hosting provider (Aeza International). The rogue resolvers feed a combined DNS and HTTP traffic distribution system (TDS) that fingerprints devices and redirects users to affiliate/adtech links or malicious content. The actor uses an EDNS0-based probing restriction and short TTLs to evade detection and maintain control of the infrastructure, which has been observed actively redirecting traffic and, in some cases, delivering cryptominers and locking admin access.
