A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique to feed targeted logins into Attacker-in-the-Middle (AitM) infrastructure, scaling from limited activity to thousands of victims worldwide. Learn how we tracked it, how it impacted target organizations and what you can do to defend your organization against it.

Details at a glance

• Black Lotus Labs is tracking FrostArmada, a campaign we associate with the Forest Blizzard threat actor.
• We found that Forest Blizzard created and exclusively operationalized the supporting network to pursue targets aligned with its strategic interests.
• The actor compromised edge devices (notably MikroTik and TP-Link routers) and modified DNS settings to redirect select authentication-related traffic.
• Redirection funneled victims to AitM infrastructure, enabling credential and token collection with minimal end-user interaction.
• After the U.K. National Cyber Security Centre (NCSC) published the report Authentic Antics on August 5, 2025, Lumen saw widespread router exploitation and DNS redirection beginning the next day, suggesting rapid tradecraft adaptation.
• Lumen Technologies, in collaboration with Microsoft, the FBI, the DOJ and international partners, disrupted the infrastructure and took it offline.

What we observed

Black Lotus Labs, the threat research team at Lumen Technologies, has been tracking a campaign named “FrostArmada” associated with the threat actor group “Forest Blizzard” and its affiliated monikers. We assessed that this network was created and exclusively operationalized by the Forest Blizzard threat actor and is used to conduct operations against targeted organizations aligned with that actor’s strategic interests.

This campaign was notable as it demonstrated a new tactic for Forest Blizzard. Their technique modified DNS settings on compromised routers to hijack local network traffic to capture and exfiltrate authentication credentials. When targeted domains were requested by a user, the actor redirected traffic to an Attacker-in-the-Middle (AitM)node, where those credentials were harvested and exfiltrated. This approach enabled a nearly invisible attack that required no interaction from the end user.

The earliest activity began in May 2025, with limited targeting. However, after the NCSC released its report, Authentic Antics, on August 5, 2025 describing a tool for stealing Microsoft Office credentials, Lumen detected widespread router exploitation and DNS redirection starting August 6, 2025. This timing indicates that the threat actor quickly adapted their methods.

At the peak of activity in December 2025, Lumen detected over 18,000 unique IPs from at least 120 countries communicating with Forest Blizzard’s infrastructure. These operations primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers.

To address this threat, we shared threat intelligence with relevant public and private organizations. Lumen would like to thank the Microsoft Threat Intelligence Team (MSTIC), FBI, and U.S. Department of Justice (DOJ) for their support. At the time of publication, Lumen blocked traffic to the affected infrastructure and added Indicators of Compromise (IOC) into Lumen Defender^SM to protect our customers our customers. For additional information on this campaign, please see MSTIC's report here.

Background and context

The Lumen team is actively tracking Forest Blizzard, a highly adaptive and persistent threat actor linked to Russia’s GRU Unit 26165. Known for blending cutting-edge tools such as the large language model (LLM) “LAMEHUG” with proven, longstanding techniques, Forest Blizzard consistently evolves its tactics to stay ahead of defenders. Their previous and current campaigns highlight both their technological sophistication and their willingness to revisit classic attack methods even after public exposure, underscoring the ongoing risk posed by this actor to organizations worldwide.

One of Forest Blizzard’s primary activities is email collection, particularly targeting organizations in the logistics, defense and government sectors. For instance, in 2021, this actor was observed conducting systemic brute-force password sprayingagainst Microsoft services to gain unauthorized access to email accounts. In 2023, as multi-factor authentication became more widely adopted, Forest Blizzard shifted to Spear phishing attacks that redirected victims to compromised routers to harvest NTLM hashes. While this approach likely yielded better results, it required significantly more resources than password spraying. In other cases, they directly targeted the email server itself to deploy tools such as “NotDoor,” which deepen their access into the systems.

To achieve their goals, Forest Blizzard reverted to an established technique that exploits a fundamental internet technology: DNS. Instead of pursuing new zero-day vulnerabilities, they leveraged weaknesses in the DNS ecosystem which, despite being well documented, remain challenging to address on a global scale. By implementing DNS hijacking at a highly localized level, they managed to avoid detection—unlike a previous actor—while still fulfilling their objectives.

In this post, we cover:

• How the botnet expanded via exposed router/firewall interfaces
• How DNS hijacking enabled AitM and OAuth token collection
• What defenders should monitor and mitigation steps to take

Exploitation and expansion of the botnet

During our investigation, we discovered two distinct activity clusters associated with the campaign. The first cluster we refer to as the “expansion team.” We assessed that this was a distinct cluster of activity focused on exploiting new devices and bringing them under the control of the threat actor by targeting a large pool of networking equipment via common web interface ports. We suspect the actor attempted to exploit CVEs associated with vulnerabilities in the web-interface on TP-Link and MikroTik routers. After targeted devices made initial communication with Forest Blizzard infrastructure, we subsequently observed a volume of data transfer, which denotes the changes made by the actor.

We observed a similar pattern of activity stemming from the same cluster to networking equipment that was exposed to the internet, such as enterprise-grade firewalls like Fortinet. Analysis revealed these to be older models and thus we suspect that they were vulnerable to known CVEs. We also observed connections to smaller-brand firewall products such as Nethesis. We suspect that these devices were targeted opportunistically because they are not connected to any of the sectors listed in the Joint Cybersecurity Advisory on GRU cyber campaigns—including government, defense contractors, IT providers, political organizations, energy and logistics.

As the targeted routers in the image above were infected by the expansion team, their DNS settings were modified to communicate with actor-controlled VPS nodes acting as DNS resolvers.

How DNS hijacking enabled Attacker-in-the-Middle token theft

One of the most concerning techniques associated with this campaign was the harvesting of OAuth tokens from workstations on the adjacent LAN of a compromised router. We assess that the actors did not find any vulnerabilities in the underlying authentication protocol. Instead, these authentication tokens were obtained through DNS hijacking coupled with an Attacker-in-the-Middle capability. We assess that the actors employed the following methodology:

1. The threat actors exploited the router to gain remote administrative access. Once access was obtained, the actor modified the default DNS settings on the router to point towards an actor-controlled Virtual Private Server (VPS).
2. DNS changes were then propagated to the workstations on the adjacent LAN via Dynamic Host Configuration Protocol (DHCP).
3. The actor operated a DNS server to behave like a typical recursive resolver, but when a targeted Fully Qualified Domain Name (FQDN) was queried, it was configured to provide a record back containing its own IP address instead of the correct address. The only interventions were triggered by domains associated with authentication-related services. If any other domain was requested, traffic passed directly through.
4. The actor ran a proxy service as the AitM that the end user was directed to via DNS. The only sign of this attack would be a pop-up warning about connecting to an untrusted source because of the “break and inspect".
5. If warnings were present and ignored or clicked through, the actor proxied requests to the legitimate services, collecting the data at the midpoint and collecting data associated with the targeted account by passing the valid OAuth token. This allowed the actor to break and inspect traffic and access authentication material such as Oauth tokens after completing the multifactor challenge.

Lumen identified the first AitM node at the IP address 64.120.31[.]96 in May 2025. Further analysis showed it began receiving inbound DNS requests on May 19, 2025, from a MikroTik router associated with the government of Afghanistan. This node continued receiving DNS requests from a second Afghan government entity, as well as a few Nethesis firewalls based in Italy, throughout November 2025.

Lumen then observed a second AitM node at the IP address 79.141.160[.]78, which became significantly more active on August 6, 2025. Interestingly, this was the day after the UK NCSC released its report documenting a new malware family dubbed Authentic Antics, which describes a Forest Blizzard-associated malware tool designed to “intercept and exfiltrate Microsoft Office account credentials and tokens.” This suggested that as one capability was disclosed, the actor immediately shifted to another to continue acquiring authentication material.

This second AitM node processed both standard DNS and DNS over TLS (DoT) requests as it functioned as a recursive resolver. This IP address, 79.141.160[.]78, was notable because at the time it was the only node in our telemetry with observed DoT activity. While the first AitM was regionalized in focus, the second node interacted with entities worldwide. We noted that most of the impacted routers appeared to be either MikroTik or TP-Link.

While this technique initially began as a targeted, bespoke capability, it proliferated in the second half of 2025 and the start of 2026. In a one-month snapshot from December 12, 2025, to January 13, 2026, we observed that over 290,000 distinct IP addresses sent at least one DNS request to the actor-managed DNS servers. However, when we filtered the list to IP addresses that had at least five interactions with the DNS server over a month, the list dropped to approximately 40,000. We would categorize these as low-confidence victims. Tightening the parameters to include only IP addresses with 10 observed interactions in a 30-day period, the number of moderate-confidence victims dropped to 18,000.

Victimology based upon global telemetry

Once Lumen identified the malicious AitM server, we used our global telemetry to look for outbound connections from AitM nodes to email services. We suspect that a connection to any of these services indicated a successful hijack of at least one account.

The initial analysis indicated that the victims included organizations operating their own email servers, as well as certain government agencies. These entities correlated to the ministries of foreign affairs and national law enforcement in certain North African, Central American and Southeast Asian countries. There was also a connection to a national identity platform in one European country.

Most victims were associated with third-party IT, hosting and smaller cloud service providers in Europe. However, it is difficult to know where the end user of these services resides. We also identified connections to various email services providers, both in the U.S. and across Europe. These connections indicate that individual accounts were compromised rather than any systemic compromise of the backend systems.

How enterprises can protect themselves

Forest Blizzard has updated its methods over the years, but its campaign principles and intelligence objectives remain constant, despite changes in email attack techniques. This threat actor has and almost certainly will continue to pursue this information in the future. Given their habit of adapting and continuing operations even after public exposure of their methods, we expect them to resume their activities by other means and will continue to track and observe them.

As our investigation progressed, we added IOCs to Lumen Defender^SM to protect our customers. We recommend that organizations in the verticals named in the Joint Cybersecurity Advisory implement hardening procedures, set up alerting and review incident response plans. We have not found any new exploits in this campaign. However, to protect your corporate resources and prevent your equipment from being compromised, we recommend that you:

• Implement certificate pinning where applicable for corporate managed devices, such as laptops and cell phones controlled via MDMs. This will generate an error when the actors attempt to perform “break and inspect” on the actor-procured VPSs.
• Create corporate policies to prevent successful attempts at password spraying. Microsoft provides guidance on this topic documented from a previous campaign.
• Set up and review successful account activity associated with VPS blocks.
• Patch all corporate systems to ensure they are protected from known CVEs, minimizing attack surfaces by limiting publicly exposed remote administration interfaces, as well as keeping routers and edge devices up to date.
• Remove all end-of-life equipment from both personal and corporate networks.

Analysis of the FrostArmada network was performed by Danny Adamitis with technical editing by Ryan English.

What to do next

• View current IOCs, which are continuously updated on our GitHub pageand continuously updated there.

We encourage the community to monitor and alert on these and any similar IoCs.

• Learn how we protect our customers with Lumen Defender^SM
• Understand modern cyberthreats and what their trajectories signal for the future in our first annual Lumen Defender Threatscape Report

If you would like to collaborate on similar research, please contact us on LinkedIn or X @BlackLotusLabs.

_{This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available everywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2026 Lumen Technologies. All Rights Reserved.}

Related resources