SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Global router hijack uses rogue DNS to monetise web

Wed, 4th Feb 2026

Infoblox has identified a campaign that compromises home and small office routers and alters their DNS settings, which changes how devices reach websites and can route users through malicious infrastructure.

The company said the activity targets older router models and affects every device connected behind a compromised router, including phones, laptops, smart home products and other internet-connected devices. Infoblox described the operation as global, with evidence of activity in more than three dozen countries.

Router compromise

Infoblox said the actor remotely breaks into routers and changes DNS settings. DNS translates human-readable domain names into network addresses. Most users rely on DNS resolvers provided by their internet service provider, or by a public DNS service.

In this campaign, Infoblox said compromised routers send DNS queries to attacker-controlled resolvers instead of the ISP's resolvers. The company described these as "shadow" resolvers.

Infoblox said the DNS infrastructure used in the campaign sits on resolvers hosted at Aeza International. It referred to Aeza International as a "bulletproof" hosting company that the US Government sanctioned in July 2025.

According to Infoblox, the shadow resolvers often return correct results for major sites such as Google, but behave unpredictably for other domains. Infoblox said the resolvers redirect selected users towards a malicious traffic distribution system operated by the attackers.
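The selective behaviour described above leaves a fingerprint a defender can test for: a resolver that answers correctly for well-known domains but sends many unrelated, lesser-known domains to the same few addresses. The following is an added example (not Infoblox code and not from its report) of that comparison. It uses constructed answer tables in place of live resolvers, with documentation-range IPs; the `TDS_IP` value and the domain names are assumptions, and in practice the `Resolver` callables would wrap a real query function (for instance one built on dnspython) pointed at the router's configured resolver and at a trusted reference resolver.

```python
"""Compare a configured resolver against a trusted reference resolver and
report domains whose answers are being steered elsewhere.

Added example for illustration; the answer tables below are constructed.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]

# Constructed answers from a trusted reference resolver (documentation-range IPs).
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "google.com":   {"192.0.2.10"},
    "example.com":  {"192.0.2.20"},
    "shop.example": {"198.51.100.30"},
    "news.example": {"198.51.100.40"},
    "bank.example": {"198.51.100.50"},
}

# Constructed answers from a hypothetical shadow resolver: popular domains
# resolve truthfully, everything else collapses onto one front-end address.
TDS_IP = "203.0.113.99"  # assumed value, not an indicator from the report
SHADOW_ANSWERS: Dict[str, Set[str]] = {
    "google.com":   {"192.0.2.10"},
    "example.com":  {"192.0.2.20"},
    "shop.example": {TDS_IP},
    "news.example": {TDS_IP},
    "bank.example": {TDS_IP},
}


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Wrap a static answer table as a resolver callable. This is the
    offline stand-in for a function that issues real DNS queries."""
    return lambda name: set(table.get(name, set()))


def divergent_domains(domains: Iterable[str], configured: Resolver,
                      reference: Resolver) -> List[str]:
    """Domains where the configured resolver's answers share no address
    with the reference resolver's answers. Domains that either side fails
    to resolve are skipped rather than counted as divergence."""
    out = []
    for name in domains:
        got, expected = configured(name), reference(name)
        if got and expected and got.isdisjoint(expected):
            out.append(name)
    return out


def sinkhole_candidates(domains: Iterable[str], configured: Resolver,
                        reference: Resolver, min_domains: int = 3) -> Dict[str, List[str]]:
    """Group divergent domains by the address the configured resolver hands
    out. An address serving at least `min_domains` unrelated domains that
    the reference resolver maps elsewhere is the pattern worth escalating;
    a single divergent domain is often just CDN geography."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for name in divergent_domains(domains, configured, reference):
        for ip in configured(name):
            by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_domains}


def demo() -> Dict[str, List[str]]:
    """Run the check over the constructed tables and return the candidates."""
    configured = table_resolver(SHADOW_ANSWERS)
    reference = table_resolver(REFERENCE_ANSWERS)
    return sinkhole_candidates(REFERENCE_ANSWERS.keys(), configured, reference)


if __name__ == "__main__":
    for ip, names in demo().items():
        print(f"{ip} answers for {len(names)} unrelated domains: {', '.join(names)}")
```

The grouping step matters more than the raw divergence list: two honest resolvers routinely return different addresses for the same CDN-hosted domain, so a single mismatch proves little, whereas several unrelated domains all landing on one address that the reference resolver never returns is hard to explain innocently. When pointing this at a live router, the domain list should mix a few major sites with a larger set of ordinary ones, since the report notes the major sites are exactly the ones that still resolve correctly.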

Traffic routing

Infoblox said the attackers use an HTTP-based traffic distribution system, or TDS. The company said the system fingerprints users and checks whether their traffic came from a compromised router.

Infoblox said that once users pass these checks, the system redirects them through affiliate marketing platforms. It said this redirection often leads to malicious content and subsequent victimisation.

Infoblox framed the campaign as a way to monetise ordinary web browsing by inserting additional routing steps and selective redirection. It said the routing affects all users on the same Wi-Fi network because the attacker changes settings at the router level.

Security implications

DNS manipulation remains a recurring feature of cybercrime because it changes where users land even when they type the correct web address. A compromised resolver can also steer security tools and users away from legitimate destinations and towards lookalike sites or malicious downloads.

Infoblox said the actor's approach reduces the chance of immediate detection because many popular domains continue to resolve as expected. It said the campaign only diverts some traffic and only for certain domains or users.

"Most people never think about who their router asks for directions on the internet; they just trust that the answer is right," said Renée Burton, Vice President of Infoblox Threat Intel. "This campaign shows how dangerous it is when that trust is quietly hijacked: once attackers control DNS on the router, they gain a silent steering wheel for every internet connection for devices behind it and can turn ordinary browsing into a profitable detour."

Recommended actions

Infoblox said users should upgrade older routers to modern devices. It linked the campaign to the targeting of older models, which often lack current security controls and may no longer receive vendor updates.

For organisations, Infoblox said IT teams should treat DNS as critical security infrastructure and put controls in place that detect and block traffic to known malicious resolvers and shadow networks.
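One concrete form of the control described above is to treat every DNS flow that leaves the network for a resolver other than the sanctioned ones as an alert. The following is an added example (not Infoblox tooling) of that detection run over a handful of constructed flow records in a simple key=value format; the approved resolver addresses, local network ranges and log lines are all assumptions, and the parser would need to be adapted to whatever the site's firewall or flow collector actually exports.

```python
"""Flag outbound DNS to resolvers that are not on the approved list.

Added example for illustration. The flow log below is constructed; the
approved resolvers and local ranges are assumed values.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Resolvers the organisation sanctions (assumed, documentation-range IPs).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS; DoH over 443 needs other signals
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records in a generic key=value format, including one
# malformed line to show the parser skipping it.
FLOW_LOG = """\
ts=2026-02-04T09:00:01Z src=10.1.20.15 dst=192.0.2.53 proto=udp dport=53 bytes=72
ts=2026-02-04T09:00:02Z src=10.1.20.15 dst=203.0.113.7 dport=53 proto=udp bytes=64
ts=2026-02-04T09:00:03Z src=10.1.20.15 dst=203.0.113.7 proto=udp dport=53 bytes=66
ts=2026-02-04T09:00:04Z src=10.1.20.18 dst=192.0.2.54 proto=udp dport=53 bytes=70
ts=2026-02-04T09:00:05Z src=10.1.20.22 dst=198.51.100.9 proto=tcp dport=443 bytes=1500
ts=2026-02-04T09:00:06Z src=10.1.20.22 dst=203.0.113.7 proto=tcp dport=853 bytes=900
this line is not a flow record
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Optional[dict]:
    """Parse one key=value record; return None for lines missing required fields."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            "ts": fields["ts"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields.get("proto", "?"),
        }
    except (KeyError, ValueError):
        return None


def is_local(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in LOCAL_NETS)


def rogue_dns_flows(log_text: str) -> List[dict]:
    """Flows from local hosts to a DNS port whose destination is not an
    approved resolver. Non-DNS ports and unparseable lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in DNS_PORTS:
            continue
        if not is_local(flow["src"]) or str(flow["dst"]) in APPROVED_RESOLVERS:
            continue
        hits.append(flow)
    return hits


def summarise(flows: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per unapproved resolver: how many distinct clients and flows reached it.
    Several clients converging on one unknown resolver is the router-level
    pattern the report describes, as opposed to one host's odd configuration."""
    clients = defaultdict(set)
    counts = defaultdict(int)
    for flow in flows:
        dst = str(flow["dst"])
        clients[dst].add(str(flow["src"]))
        counts[dst] += 1
    return {dst: {"clients": len(clients[dst]), "flows": counts[dst]} for dst in counts}


if __name__ == "__main__":
    for resolver, stats in summarise(rogue_dns_flows(FLOW_LOG)).items():
        print(f"unapproved resolver {resolver}: {stats['clients']} clients, {stats['flows']} flows")
```

On a home or small office network there is usually no flow log to run this over; the equivalent check is to read the DNS server addresses in the router's WAN settings and confirm they are the ISP's or a deliberately chosen public resolver. In either setting, blocking the unapproved destinations at the egress firewall after reviewing the alerts is the mitigation step the report recommends.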

The campaign adds to a wider set of risks connected to consumer-grade networking equipment. Routers often sit at the edge of home and small business networks, and they route all local devices through a single point of control. Attackers who gain access can influence both destination selection and security visibility at scale across every connected endpoint.

Infoblox did not name the actor behind the campaign in its disclosure and did not quantify the number of devices affected. It said researchers observed evidence of activity in more than three dozen countries and described the operation as ongoing.