Global router hijack campaign silently reroutes DNS
Infoblox Threat Intel has identified a campaign that compromises Wi‑Fi routers and changes their DNS settings, routing users' internet lookups through attacker-controlled infrastructure and on to a traffic distribution system that can direct victims towards scams and other malicious content.
The research describes attackers gaining remote access to routers, with a focus on older models, and then modifying the configuration that determines which DNS resolvers the device uses. DNS, or the Domain Name System, translates website names into the numerical addresses needed to connect online. Once altered at the router level, the setting applies to every device connected to that network.
Router compromise
Infoblox said the actor "quietly" breaks into routers and makes a single change with wide impact. Phones, laptops, smart TVs and other connected devices then send DNS queries to infrastructure controlled by the attacker rather than to resolvers provided by an internet service provider.
The activity appears international in scope. Researchers said they have seen evidence across more than three dozen countries, suggesting the campaign relies on broad scanning and opportunistic compromise rather than a narrow set of targets.
The modified routers send DNS queries to resolvers hosted at Aeza International. Infoblox described Aeza as a "bulletproof" hosting company. According to the research, Aeza has been sanctioned by the Australian, UK and US governments.
Shadow resolvers
The campaign uses what Infoblox referred to as "shadow" DNS resolvers. These systems often respond correctly for widely used services, which can reduce the chance of the change being noticed by a victim. For other domains, responses can vary and may direct users to attacker infrastructure.
Infoblox said the actor's approach centres on redirecting selected users into an HTTP-based Traffic Distribution System. A TDS is commonly used to route web traffic based on a set of rules. In criminal operations, it can act as a gatekeeper that decides which users see benign content and which are sent elsewhere.
After a user's traffic reaches the TDS, the system fingerprints the device and checks whether the request originated from a compromised router, the company said. If the checks pass, the victim is redirected through affiliate marketing platforms and "often" on to malicious content, according to the research.
The technique is designed to keep the initial compromise out of sight. A router owner may continue to reach popular websites without interruption. The redirection can also be selective, which can complicate efforts by defenders to reproduce behaviour and confirm an incident.
"Most people never think about who their router asks for directions on the internet; they just trust that the answer is right," said Renée Burton, Vice President of Infoblox Threat Intel, Infoblox. "This campaign shows how dangerous it is when that trust is quietly hijacked: once attackers control DNS on the router, they gain a silent steering wheel for every internet connection for devices behind it and can turn ordinary browsing into a profitable detour."
Mitigation steps
Infoblox recommended upgrading older routers as a practical fix. Ageing consumer devices can carry unpatched vulnerabilities and may also run with default credentials or outdated remote management settings that increase exposure to compromise.
For organisations, the company said IT teams should treat DNS as critical security infrastructure. That includes putting controls in place that can identify and block traffic heading to "known bad resolvers and shadow networks".
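One way an IT team can act on that recommendation is to check network flow logs for DNS traffic leaving internal hosts towards resolvers that are not on an approved list. The script below is an added example and is not code from Infoblox or the research; the approved resolver prefixes, the flow-log format and the log lines themselves are constructed placeholders. Because a router-level change affects every device behind it, several internal hosts sharing the same unexpected resolver is the pattern worth escalating.

```python
# Added example: flag DNS traffic sent to resolvers outside an allowlist.
# All addresses below are placeholders (RFC 5737 documentation ranges).
import ipaddress
from collections import Counter, defaultdict

# Assumed allowlist: the ISP-assigned resolver range and an internal resolver.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/24"),  # placeholder: ISP resolver range
    ipaddress.ip_network("10.0.0.53/32"),  # placeholder: internal resolver
]

# Constructed flow-log lines: timestamp, source IP, destination IP, dest port, protocol.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z 10.0.1.20 192.0.2.10 53 udp
2024-01-01T10:00:02Z 10.0.1.21 10.0.0.53 53 udp
2024-01-01T10:00:03Z 10.0.1.20 198.51.100.7 53 udp
2024-01-01T10:00:04Z 10.0.1.22 198.51.100.7 53 udp
2024-01-01T10:00:05Z 10.0.1.20 198.51.100.7 53 tcp
2024-01-01T10:00:06Z 10.0.1.23 203.0.113.9 443 tcp
"""


def is_approved(ip):
    """True if the destination falls inside one of the approved resolver prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_RESOLVERS)


def find_rogue_resolvers(flow_text):
    """Return {resolver_ip: {"queries": n, "sources": [hosts]}} for port-53
    traffic whose destination is not an approved resolver."""
    counts = Counter()
    sources = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, src, dst, dport, _ = parts
        if dport != "53" or is_approved(dst):
            continue  # not DNS, or going to an approved resolver
        counts[dst] += 1
        sources[dst].add(src)
    return {ip: {"queries": n, "sources": sorted(sources[ip])}
            for ip, n in counts.items()}


if __name__ == "__main__":
    for ip, info in find_rogue_resolvers(SAMPLE_FLOWS).items():
        print(f"{ip}: {info['queries']} DNS queries from {len(info['sources'])} hosts")
```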
The findings add to a growing body of reporting on the abuse of DNS configuration as a foothold for wider fraud and malware distribution. By shifting control at the router level, attackers gain leverage over multiple users and devices in a household or small business without needing to compromise each endpoint individually.
Infoblox said it plans to share further information and details about the campaign in its own research output.