DOJ quietly removed Russian malware from routers in US homes and businesses
ID: ec8690e5-7f8a-50c7-972a-1beba1e30b3b
STIX ID: report--ec8690e5-7f8a-50c7-972a-1beba1e30b3b
Feed Name: Ars Technica Security
More than 1,000 Ubiquiti EdgeOS routers still using their default administrative passwords were infected with the Moobot malware and repurposed by Russian GRU-linked actors (Fancy Bear/APT28) into a botnet used for spearphishing and credential harvesting. In January 2024, the DOJ and FBI executed a court-authorized disruption (Operation Dying Ember) that removed the malware, copied and deleted botnet files, changed firewall rules to block remote management, and temporarily collected non-content routing information to expose GRU attempts to interfere.
