Black Lotus Labs researchers stated the group exploited known vulnerabilities in unpatched older router models before changing DNS settings on the devices (https://arstechnica.com/security/2026/04/russias-military-hacks-thousands-of-consumer-routers-to-steal-credentials/). Compromised routers were integrated into APT28 infrastructure; a subset functioned as proxies to reach government, foreign ministry, and law enforcement targets. The same actor is tracked as Pawn Storm, Sofacy Group, Sednit, Tsar Team, Forest Blizzard, and STRONTIUM and has conducted operations for at least two decades.

DNS lookups for selected domains, including Microsoft 365 services, were redirected so traffic passed through malicious servers controlled by the threat group before reaching legitimate destinations (Microsoft, cited by Black Lotus Labs). DHCP was used to propagate the altered DNS configurations to workstations connected to the affected routers. Black Lotus Labs noted APT28 combined newer tooling such as the LLM ‘LAMEHUG’ with previously exposed classic techniques.

The campaign matches documented APT28 tradecraft of router compromise for credential access and lateral movement, according to the primary Black Lotus Labs assessment published via Ars Technica. No additional sources were required to confirm the router count, affected vendors, or GRU linkage stated in the technical report.