Fancy Bear Hijacks Home Routers and Cloud APIs to Build Invisible Attack Network
Russia's APT28 has shifted to hijacking consumer routers and abusing cloud storage APIs to create a stealthy, disposable attack infrastructure that blends into normal internet traffic.

One of the most persistent hacking groups in the world has found a new way to stay hidden. The threat actor known as Fancy Bear, formally tracked as APT28 and attributed to Russia's military intelligence unit GRU Unit 26165, has been quietly shifting how it runs cyberattack operations. Instead of relying on traditional infrastructure, the group now hijacks home routers and consumer devices to build a shadow network nearly impossible to trace.
For over two decades, APT28 has targeted government bodies, defense organizations, diplomatic missions, and critical infrastructure, focusing heavily on NATO member states and Ukraine. The group operates under more than 30 known aliases, including Forest Blizzard, Sofacy, Pawn Storm, and Sednit. What makes its latest campaign especially alarming is how invisible it has become, with attack traffic blending into normal internet activity.
Analysts from Sekoia, who have been tracking APT28 for several years, identified a significant structural shift in how the group manages its attack infrastructure. Sekoia said in a report shared with Cyber Security News that APT28 moved large portions of its operations onto compromised SOHO routers and edge devices, replacing rented virtual private servers it previously used as command centers. The scale of this infrastructure is striking. At its peak in December 2025, researchers observed more than 18,000 unique IP addresses across 120 countries communicating with APT28-controlled servers. Around 200 organizations and 5,000 consumer devices were affected, with victims coming primarily from foreign ministries, law enforcement agencies, and IT hosting providers.
APT28's tradecraft has also evolved sharply. The group shifted from a stable malware framework to deploying short-lived, single-purpose tools discarded the moment they are exposed. It also experimented with an AI-driven infostealer called LameHug, which queries a live AI model to generate attack commands on the fly. This blend of disposable tools, cloud abuse, and router hijacking makes APT28 one of the most capable threat actors active today.
The most significant tactical shift is APT28's takeover of consumer-grade routers. The group repurposed a criminal botnet built with the MooBot malware, seizing control of hundreds of Ubiquiti EdgeRouters in April 2022. The botnet served three purposes: relaying stolen authentication hashes toward Microsoft Exchange, hosting phishing pages on residential IP addresses, and running custom Python scripts on the hijacked routers. The FBI's Operation Dying Ember dismantled this network in 2024. Even after the takedown, more than 350 datacenter servers were still calling back to attacker infrastructure, showing just how hard this kind of botnet is to fully uproot.
In 2026, APT28 broadened the same approach with a campaign called FrostArmada, this time targeting MikroTik and TP-Link routers. The attackers rewrote DNS settings to redirect traffic through their own controlled servers. Every device on affected networks would unknowingly funnel its login requests through APT28 nodes, enabling silent theft of credentials and OAuth tokens for services like Microsoft 365.
Beyond router hijacking, APT28 routes malware communications through legitimate cloud platforms to avoid detection. In Operation Phantom Net Voxel, the group deployed a custom C++ backdoor called BeardShell, which uses a cloud storage API as its command channel. To anyone monitoring the traffic, it looks like a connection to a trusted cloud service. The group can swap cloud providers easily. Researchers observed the same attack chain reused with a different file-hosting platform months later, confirming that rotating the cloud backend is now routine. A keylogger called Slimagent, found on the same operator infrastructure, was linked to direct code lineage from X-Agent, APT28's signature implant used over a decade ago.
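When a backdoor uses a trusted cloud storage API as its command channel, the destination gives nothing away; what a defender can still look for is the rhythm of the connections. The script below is an added example written for this article, not code from Sekoia, the article's authors, or any implant. It parses a constructed proxy log (the timestamp/source/destination layout, the placeholder domain and the roughly ten-minute polling interval are all assumptions) and flags client/destination pairs whose inter-connection gaps are nearly constant, which is the signature of an automated poller rather than a user or a normal sync client.

```python
"""Flag beacon-like periodic connections to a cloud storage API.

Added example for this article, not the article's or Sekoia's code.
Indicator is not the destination (a trusted cloud domain) but the timing:
one client polling the same endpoint at near-constant intervals.
All log lines below are constructed; the layout and interval are assumptions.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host>".
# 10.1.1.20 polls every ~600 s; 10.1.1.31 shows irregular, human-like access.
SAMPLE_PROXY_LOG = """\
2025-12-01T09:00:00 10.1.1.20 api.example-cloudstorage.test
2025-12-01T09:10:01 10.1.1.20 api.example-cloudstorage.test
2025-12-01T09:19:59 10.1.1.20 api.example-cloudstorage.test
2025-12-01T09:30:00 10.1.1.20 api.example-cloudstorage.test
2025-12-01T09:40:02 10.1.1.20 api.example-cloudstorage.test
2025-12-01T09:49:58 10.1.1.20 api.example-cloudstorage.test
2025-12-01T09:03:12 10.1.1.31 api.example-cloudstorage.test
2025-12-01T09:04:40 10.1.1.31 api.example-cloudstorage.test
2025-12-01T09:31:05 10.1.1.31 api.example-cloudstorage.test
2025-12-01T11:12:50 10.1.1.31 api.example-cloudstorage.test
2025-12-01T11:13:02 10.1.1.31 api.example-cloudstorage.test
2025-12-01T14:47:19 10.1.1.31 api.example-cloudstorage.test
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def interval_stats(text: str) -> dict:
    """Per (src, dst) pair: mean gap in seconds, coefficient of variation, count."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 3:
            continue  # too few connections to judge any rhythm
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        stats[pair] = {"mean_gap_s": mean, "cv": cv, "n": len(times)}
    return stats


def beacon_candidates(text: str, max_cv: float = 0.1, min_connections: int = 5):
    """Return (src, dst) pairs whose gaps between connections are nearly constant.

    A low coefficient of variation means metronomic polling. Raise max_cv if
    the implant is expected to add jitter; raise min_connections to cut noise.
    """
    return [
        pair
        for pair, s in interval_stats(text).items()
        if s["cv"] <= max_cv and s["n"] >= min_connections
    ]


if __name__ == "__main__":
    for pair, s in interval_stats(SAMPLE_PROXY_LOG).items():
        print(pair, f"mean={s['mean_gap_s']:.1f}s cv={s['cv']:.3f} n={s['n']}")
    print("beacon candidates:", beacon_candidates(SAMPLE_PROXY_LOG))
```

On real proxy data the same grouping is done per client and per API endpoint rather than per hostname, and the threshold is tuned against a baseline of known sync clients, which poll but usually with visible jitter or on change events.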
To reduce exposure, organizations should keep router firmware updated, change default credentials, and disable unused remote management features. Enterprises using cloud services should enforce phishing-resistant multi-factor authentication and regularly audit OAuth token permissions. The FBI's Internet Crime Complaint Center published a public alert urging home users and small businesses to review router settings after FrostArmada was disclosed.
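The DNS rewrite described for FrostArmada and the advice to review router settings both come down to one question a defender can answer mechanically: are the hosts on the network resolving through the resolvers they are supposed to use? The script below is an added example written for this article, not code from Sekoia, the FBI alert or the article's authors. It takes a constructed list of (host, resolver) observations, such as one would collect from per-host resolver settings or a DNS query log, compares each against an assumed allowlist, and counts how many hosts share each unexpected resolver, since a rogue resolver shared by many hosts points at the router's DHCP/DNS configuration rather than at a single misconfigured machine. The allowlist, host names and the RFC 5737 test address are all constructed.

```python
"""Audit which DNS resolvers LAN hosts are actually using.

Added example for this article, not the article's, Sekoia's or the FBI's
code. A router whose DNS settings have been rewritten hands every DHCP
client an attacker-chosen resolver; comparing observed resolvers against
an allowlist surfaces that drift. All data below is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: the resolvers this network's router is supposed to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Constructed observations: (host, resolver the host is sending queries to).
# 203.0.113.77 is an RFC 5737 documentation address standing in for a rogue resolver.
SAMPLE_OBSERVATIONS = [
    ("laptop-01", "192.168.1.1"),
    ("laptop-02", "9.9.9.9"),
    ("printer-03", "203.0.113.77"),
    ("phone-04", "203.0.113.77"),
    ("nas-05", "192.168.1.1"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    resolver: str
    reason: str


def classify_resolver(resolver: str, expected: set[str]) -> str | None:
    """Return a reason string if the resolver is not one we expect, else None."""
    if resolver in expected:
        return None
    try:
        addr = ipaddress.ip_address(resolver)
    except ValueError:
        return "unparseable resolver address"
    if addr.is_private:
        return "unexpected private resolver (possible rogue device on LAN)"
    return "unexpected public resolver (possible DNS hijack at the router)"


def audit(observations, expected=EXPECTED_RESOLVERS) -> list[Finding]:
    """Return one Finding per host whose resolver is outside the allowlist."""
    findings = []
    for host, resolver in observations:
        reason = classify_resolver(resolver, expected)
        if reason:
            findings.append(Finding(host, resolver, reason))
    return findings


def rogue_resolvers(findings) -> dict[str, int]:
    """Count affected hosts per unexpected resolver.

    Many hosts on the same unexpected resolver implicates the router's
    DHCP/DNS settings; a single host implicates that host alone.
    """
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.resolver] = counts.get(f.resolver, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(SAMPLE_OBSERVATIONS)
    for f in found:
        print(f"{f.host:12} -> {f.resolver:16} {f.reason}")
    print("hosts per rogue resolver:", rogue_resolvers(found))
```

In practice the observation list is fed from whatever the environment already collects: per-host resolver configuration from an endpoint agent, or the destination of outbound port 53 and DoH traffic at the perimeter; the check itself is the same.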