Infoblox Threat Intel Uncovers Large-Scale DNS Hijacking Targeting Vulnerable Routers Worldwide.
New research from Infoblox Threat Intel has uncovered a stealthy cyber threat campaign in which attackers compromise internet routers and silently redirect DNS traffic through attacker-controlled infrastructure. By manipulating the Domain Name System—the internet’s equivalent of GPS—threat actors are able to reroute users to malicious destinations without raising suspicion.
How DNS Hijacking Turns Normal Browsing into a Hidden Threat
Imagine entering a destination into a navigation app and trusting it to guide you correctly—only to be redirected elsewhere without realizing it. Most of the time, you still arrive where you expect, but occasionally you’re diverted to a location that benefits someone else financially.
This is precisely how the newly discovered router DNS hijacking campaign operates.
Once attackers gain access to a router, they alter its DNS configuration. Every device that takes its DNS settings from that router (normally via DHCP) then sends its name lookups, through the router, to attacker-chosen resolvers instead of the ones provided by the internet service provider (ISP). Laptops, smartphones, smart TVs and IoT devices are all affected, and nothing on those devices changes: users still type legitimate URLs, but the attacker decides which address each name resolves to, and therefore where the traffic goes. Devices that hard-code their own resolvers or use encrypted DNS (DoH or DoT) do not follow the router's setting and are not redirected by this change alone, although a router an attacker fully controls could in principle interfere with plaintext queries passing through it as well.
Behind the Attack: Compromised Routers and Shadow DNS Infrastructure
Global Router Compromise at Scale
Infoblox researchers observed attackers remotely exploiting older and unpatched routers across the globe. Evidence of this activity spans more than three dozen countries, highlighting the widespread risk posed by outdated network hardware and weak router security.
Shadow DNS Hosted by Aeza
Instead of routing DNS queries to trusted ISP resolvers, compromised routers forward all requests to Aeza International–hosted DNS servers. Aeza, a known “bulletproof hosting” provider, was sanctioned by the U.S. government in July 2025.
These attacker-controlled resolvers return correct answers for most queries, including well-known domains such as Google, so the compromise produces no visible symptoms. For a selected set of domains, however, and not on every query, they return attacker-chosen addresses that send the user's connection to a malicious Traffic Distribution System (TDS).
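The behaviour described above, a resolver that is honest for most names and substitutes its own addresses for a few, is best caught by asking the router-assigned resolver and an independent resolver the same questions and comparing the answers name by name. The script below is an added example, not Infoblox code or part of the research; the answer sets, domain names and addresses in it are constructed from documentation ranges so that it runs offline, and the helper names are the author's own.

```python
"""Differential resolution check for a router-assigned DNS resolver.

Added example, not Infoblox code.  A hijacked resolver of the kind
described above answers honestly for most names and substitutes its own
addresses for a chosen few, so the practical check is to query the
router's resolver and an independent one for the same list of names and
compare, name by name.  The answer sets below are constructed (from
documentation address ranges) so the script runs offline; in practice
they would be collected with something like
`dig @<resolver> <name> A +short`, repeated over time, because the
redirection is reported to be intermittent.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    router_answers: frozenset
    trusted_answers: frozenset
    reason: str


def _prefix(ip):
    """Collapse an address to a coarse block (/24 for IPv4, /48 for IPv6)
    so that ordinary CDN rotation inside one block is not mistaken for
    hijacking."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def compare(router, trusted):
    """Return one Finding per name whose answer from the router resolver
    cannot be explained by the trusted resolver's answer for that name."""
    findings = []
    for name, r_ans in router.items():
        t_ans = trusted.get(name, set())
        if r_ans and not t_ans:
            # A name the trusted resolver cannot resolve still gets an
            # address from the router resolver: classic NXDOMAIN hijack.
            findings.append(Finding(name, frozenset(r_ans), frozenset(t_ans),
                                    "answer for a name the trusted resolver does not resolve"))
        elif r_ans and t_ans and not (
                {_prefix(ip) for ip in r_ans} & {_prefix(ip) for ip in t_ans}):
            findings.append(Finding(name, frozenset(r_ans), frozenset(t_ans),
                                    "no address block in common with the trusted resolver"))
    return findings


def shared_sinks(findings):
    """Group flagged names by the address they were steered to.  Unrelated
    names landing on one address is the signature of a traffic
    distribution system sitting behind the resolver."""
    sinks = defaultdict(set)
    for f in findings:
        for ip in f.router_answers:
            sinks[ip].add(f.name)
    return {ip: names for ip, names in sinks.items() if len(names) > 1}


# Constructed answers (documentation ranges), standing in for the output
# of real queries to each resolver.  Names and addresses are illustrative.
ROUTER_RESOLVER = {
    "www.google.com": {"142.250.72.196"},               # honest, matches trusted
    "bank.example": {"203.0.113.77"},                   # steered to a stand-in TDS address
    "cdn.example": {"198.51.100.10", "198.51.100.11"},  # CDN rotation, benign
    "nosuch.example": {"203.0.113.77"},                 # should not resolve at all
}
TRUSTED_RESOLVER = {
    "www.google.com": {"142.250.72.196"},
    "bank.example": {"192.0.2.10"},
    "cdn.example": {"198.51.100.11", "198.51.100.12"},
    "nosuch.example": set(),
}

if __name__ == "__main__":
    found = compare(ROUTER_RESOLVER, TRUSTED_RESOLVER)
    for f in found:
        print(f"{f.name}: {f.reason}  router={sorted(f.router_answers)} "
              f"trusted={sorted(f.trusted_answers)}")
    for ip, names in shared_sinks(found).items():
        print(f"common sink {ip}: {sorted(names)}")
```

Two design points matter in practice. Comparing address blocks rather than exact addresses keeps CDN-fronted names from producing false positives, and grouping the flagged names by destination surfaces the TDS pattern (many unrelated names, one address) even when any single mismatch could be explained away. Because the redirection is selective and intermittent, one pass over a short list proves little; run the comparison over a broad list of names and repeat it over time before concluding the router is clean.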
Traffic Distribution System (TDS) and Victim Redirection
Once traffic reaches the TDS, users are fingerprinted to confirm they originated from a compromised router. Verified victims are then selectively routed through adtech and affiliate marketing platforms, frequently leading to malicious websites, scams, or further exploitation.
Why Router DNS Attacks Are Especially Dangerous
“Most people never think about who their router asks for directions on the internet—they just trust that the answer is right,” said Renée Burton, Vice President of Infoblox Threat Intel. “This campaign shows how dangerous it is when that trust is quietly hijacked. Once attackers control DNS at the router level, they gain a silent steering wheel for every device behind it.”
Because DNS operates in the background, these attacks are difficult to detect, allowing threat actors to monetize traffic, distribute malware, or enable broader cybercrime operations without alerting users.
For individuals, the most effective defense is to replace outdated routers with modern, regularly updated models, keep firmware current, and disable remote (WAN-side) administration where it is not needed. It is also worth checking the router's admin interface: DNS server addresses that differ from the ISP's, or that the owner never configured, are a sign that the device may already be compromised.
For organizations, DNS security must be treated as critical infrastructure. IT and security teams should restrict outbound DNS (port 53, and DNS-over-TLS on 853) to approved resolvers at the network edge, log what remains, and deploy controls capable of detecting and blocking traffic to known malicious DNS resolvers, shadow DNS networks, and sanctioned hosting providers. Because DNS-over-HTTPS travels over port 443, that policy has to rely on resolver-address intelligence as well as port filtering.
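The egress-side control described above, in working form, as an added example (not an Infoblox product, rule or anything from the research): it audits firewall flow records for DNS conversations that do not end at an approved resolver and separately marks destinations inside a blocklist of resolver networks. The flow log, the approved resolver list and the blocklist are all constructed placeholders using documentation address ranges; in deployment the blocklist would come from a threat-intelligence feed of malicious or sanctioned resolver ranges, and the record format would be whatever the firewall or NetFlow collector actually emits.

```python
"""Egress DNS audit over firewall flow records.

Added example, not an Infoblox product or rule.  It reads flow records
(constructed here in a simplified "<ts> <src> <dst> <proto> <dport>"
format), keeps the DNS conversations (port 53, and DNS-over-TLS on 853),
and reports every one that does not terminate at an approved resolver,
separately marking destinations inside a blocklist of resolver networks.
APPROVED_RESOLVERS and BLOCKED_NETS are placeholders: substitute the
organisation's own resolvers and a threat-intelligence feed of malicious
or sanctioned resolver ranges; the blocklist below uses documentation
prefixes, not any real provider's.
"""
import ipaddress
from collections import Counter

DNS_PORTS = {53, 853}

# Placeholders, not real infrastructure.
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:bad::/48")]

# Constructed flow log.  Only the DNS-port lines matter to the audit; the
# port-443 line stands in for DNS-over-HTTPS, which this check cannot see.
FLOW_LOG = """\
2025-01-10T09:00:01Z 10.0.5.12 10.0.0.53 udp 53
2025-01-10T09:00:02Z 10.0.5.12 10.0.0.53 udp 53
2025-01-10T09:00:03Z 10.0.5.40 203.0.113.8 udp 53
2025-01-10T09:00:04Z 10.0.5.40 203.0.113.8 tcp 53
2025-01-10T09:00:05Z 10.0.7.3 198.51.100.2 tcp 853
2025-01-10T09:00:06Z 10.0.7.3 192.0.2.80 tcp 443
2025-01-10T09:00:07Z 10.0.5.40 10.0.1.53 udp 53
"""


def classify(dst):
    """approved: one of our resolvers; blocked: inside a listed bad
    network; unapproved: anything else, which policy should not allow."""
    addr = ipaddress.ip_address(dst)
    if addr in APPROVED_RESOLVERS:
        return "approved"
    if any(addr in net for net in BLOCKED_NETS):
        return "blocked"
    return "unapproved"


def parse_flows(text):
    """Yield (ts, src, dst, proto, dport) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records rather than crash
        ts, src, dst, proto, dport = parts
        yield ts, src, dst, proto.lower(), int(dport)


def audit(text):
    """Return the DNS flows that did not go to an approved resolver, each
    as a dict carrying its verdict, in log order."""
    findings = []
    for ts, src, dst, proto, dport in parse_flows(text):
        if dport not in DNS_PORTS:
            continue
        verdict = classify(dst)
        if verdict != "approved":
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "proto": proto, "dport": dport, "verdict": verdict})
    return findings


def offending_sources(findings):
    """Count offending DNS flows per internal source.  A host (or a NAT
    address fronting a whole site) whose DNS consistently leaves for an
    unapproved or blocked resolver is the pattern a hijacked router
    produces."""
    return Counter((f["src"], f["verdict"]) for f in findings)


if __name__ == "__main__":
    found = audit(FLOW_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}  "
              f"{f['verdict'].upper()}")
    print(dict(offending_sources(found)))
```

Note what the port-443 line illustrates: a client or router that switches to DNS-over-HTTPS is invisible to a port-based audit, so the blocklist should be applied to all outbound destinations, not only to ports 53 and 853, and the approved-resolver rule is best enforced as a firewall policy rather than left as an after-the-fact report.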
By securing DNS at both the endpoint and organizational level, defenders can prevent attackers from quietly taking control of the internet’s navigation system—and protect users from being unknowingly led into harmful digital detours.
