Infoblox Threat Intel uncovers a sophisticated campaign compromising home and office routers to redirect users through malicious hosting environments.
Cybersecurity researchers at Infoblox Threat Intel have exposed a quiet but massive campaign targeting the silent steering wheel of the internet: DNS settings. By compromising older router models across more than three dozen countries, attackers are rerouting entire networks of devices through a hidden infrastructure designed to profit from malicious detours.
The attack is deceptive because, to the user, the internet appears to be working normally until it doesn’t.
The attack lifecycle follows a precise, three-stage process that turns a standard home or office Wi-Fi connection into a tool for cybercriminals.
1. Router Compromise
Attackers target vulnerabilities in older router models to gain administrative access. Once inside, they change the router’s DNS settings. Instead of using the trusted resolvers provided by an Internet Service Provider (ISP), every device on that Wi-Fi, from smartphones to IoT sensors, is forced to use attacker-controlled resolvers.
2. Redirection via Aeza International
The hijacked DNS queries are sent to shadow resolvers hosted by Aeza International. This bulletproof hosting provider was sanctioned by the U.S. Government in July 2025 for facilitating cybercrime. These resolvers act selectively: they provide “honest” answers for major sites like Google to avoid suspicion, but lie about other domains to steer traffic toward the attackers’ infrastructure.
3. The TDS Filter
Traffic eventually hits an HTTP-based Traffic Distribution System (TDS). The TDS fingerprints the user’s device to confirm they are coming from a compromised router. If the victim passes the check, they are funneled through adtech platforms, affiliate marketing schemes, or directly into malicious sites designed for credential theft and malware delivery.
The scale of this campaign is significant, with evidence of activity observed in over 36 countries. Because the compromise happens at the router level, traditional endpoint security on a phone or laptop may not immediately detect that the underlying map of the internet has been swapped.
“Most people never think about who their router asks for directions on the internet; they just trust that the answer is right. Once attackers control DNS on the router, they gain a silent steering wheel for every internet connection for devices behind it.” — Renée Burton, VP of Infoblox Threat Intel
Infoblox researchers emphasize that the most effective defense is a combination of hardware hygiene and infrastructure monitoring.
- The most practical fix is to upgrade to a modern router. Older models often lack the security patches necessary to block the initial compromise.
- IT teams must treat DNS as critical security infrastructure. Relying on default settings is no longer sufficient; teams should implement DNS security controls that can identify and block traffic heading toward known bad resolvers and shadow networks.
- Security stacks should be configured to detect unauthorized changes in DNS behavior across the enterprise perimeter.
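The selective-lying behaviour described in stage 2, and the detection controls recommended above, can be checked with a small audit routine. The following is an added example, not Infoblox code: it compares the answers of the router-supplied resolver against a trusted reference resolver, flags resolvers outside an expected allow-list, and spots the tell-tale pattern where several unrelated domains are steered to one address. All resolver IPs, domains and answer sets are constructed assumptions.

```python
from collections import Counter

# Hypothetical allow-list of resolvers the network should be using
# (TEST-NET-1 documentation addresses, constructed for this example).
EXPECTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})
# Canary domains: high-profile sites a selective resolver answers honestly.
CANARY = frozenset({"google.com", "microsoft.com"})

def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Resolver IPs handed out by the router that are not on the expected list."""
    return sorted(set(configured) - expected)

def divergent_domains(suspect, reference):
    """Domains where the suspect resolver's answer differs from the reference.
    Answers are dicts: domain -> frozenset of A-record IPs."""
    return sorted(d for d, ips in reference.items() if suspect.get(d) != ips)

def shared_sink_addresses(suspect, divergent, min_domains=2):
    """IPs that several unrelated divergent domains resolve to: the signature
    of traffic being funneled toward one redirection front end."""
    hits = Counter(ip for d in divergent for ip in suspect.get(d, ()))
    return sorted(ip for ip, n in hits.items() if n >= min_domains)

def classify(suspect, reference, canary=CANARY):
    """'clean': all answers match; 'broad': canary domains lied about too;
    'selective': canary honest but other domains diverge (the pattern here)."""
    diverged = set(divergent_domains(suspect, reference))
    if not diverged:
        return "clean"
    return "broad" if diverged & canary else "selective"

# Constructed sample: reference answers versus a resolver that lies selectively
# and steers two unrelated domains to the same address.
REFERENCE = {
    "google.com": frozenset({"198.51.100.10"}),
    "microsoft.com": frozenset({"198.51.100.20"}),
    "bank.example": frozenset({"198.51.100.30"}),
    "shop.example": frozenset({"198.51.100.40"}),
}
SUSPECT = {**REFERENCE,
           "bank.example": frozenset({"203.0.113.7"}),
           "shop.example": frozenset({"203.0.113.7"})}

if __name__ == "__main__":
    print(unexpected_resolvers(["203.0.113.53"]))          # ['203.0.113.53']
    print(classify(SUSPECT, REFERENCE))                    # selective
    print(shared_sink_addresses(SUSPECT, divergent_domains(SUSPECT, REFERENCE)))
```

CDN-fronted domains legitimately return different addresses to different resolvers, so a single divergence is noise; the stronger signals are domains with stable records diverging and many unrelated names collapsing onto the same address.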