When Your Internet’s “GPS” Starts Lying: Infoblox Threat Intel Uncovers Actor Compromising Routers
New Infoblox Threat Intel research reveals how attackers quietly break into routers and redirect their DNS traffic to a shadow DNS network, silently steering users through a hidden web of malicious activity.
Posted: Thursday, Feb 05

Imagine you’re on your way to a new restaurant: you input the address into your maps app and click to start the directions. Everything seems fine, until you arrive at a completely different location – someone quietly hijacked your app. Most of the time it still takes you to the right place, but every so often it detours you to a different spot that pays the hijackers when you arrive.

The newest threat campaign uncovered by Infoblox Threat Intel does just that to your router and thus your internet connection. After the attackers compromise your router, you might enter the right web address, but someone else decides where you end up. Everyone on the Wi-Fi has the same experience.

This new research shows that this actor is quietly breaking into older routers and changing one crucial part: their DNS settings. This way, every device using the compromised router asks Aeza-hosted resolvers for directions, instead of the resolvers from the Internet Service Provider (ISP). From there, an HTTP-based Traffic Distribution System (TDS) fingerprints users and selectively routes them through adtech platforms that often lead to victimization.

What’s Happening Behind the Scenes

Compromised routers all around the globe

The actor remotely compromises routers, especially older models, and changes their DNS settings. Every phone, laptop, smart or IoT device using those routers now relies on attacker-controlled DNS infrastructure by default. The scale is global, with the researchers seeing evidence of activity in over three dozen countries.

Shadow DNS hosted at Aeza

Instead of the ISP’s resolvers, compromised routers send all DNS queries to resolvers hosted at Aeza International, a so-called “bulletproof” hosting company sanctioned by the Australian, UK and U.S. governments in July 2025. These “shadow” resolvers usually answer big sites like Google truthfully, but are highly unpredictable for other domains, redirecting targeted users to the attackers’ malicious TDS.

Catching victims in TDS

Once traffic hits the TDS, users are fingerprinted and checked to confirm they came from a compromised router. When they pass these checks, they are redirected through affiliate marketing platforms and often to malicious content.

“Most people never think about who their router asks for directions on the internet—they just trust that the answer is right,” said Renée Burton, Vice President of Infoblox Threat Intel. “This campaign shows how dangerous it is when that trust is quietly hijacked: once attackers control DNS on the router, they gain a silent steering wheel for every internet connection for devices behind it and can turn ordinary browsing into a profitable detour.”

Renée Burton, Vice President of Infoblox Threat Intel

The practical fix is to upgrade the router to a modern one. On the organisational side, IT teams should treat DNS as critical security infrastructure by putting controls in place that can see and stop traffic heading into known bad resolvers and shadow networks.
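As an added example of the kind of control the paragraph above describes (this is not Infoblox's code or the research's indicators), the script below runs over constructed flow-log lines and lists each LAN client whose DNS queries went to a resolver other than the ones the ISP or organisation assigns. The resolver addresses, the log format and the "known-bad" prefix are assumptions; a real deployment would load the prefix list from a threat-intel feed.

```python
import ipaddress
from collections import defaultdict

# Resolvers the ISP or organisation actually assigns (assumed values).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
# Placeholder prefix standing in for a block flagged as shadow-DNS infrastructure.
KNOWN_BAD_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flow records: "<time> <src> <dst> <proto> <dport>"
SAMPLE_FLOWS = """\
2025-07-01T08:00:01 192.168.1.20 203.0.113.53 udp 53
2025-07-01T08:00:02 192.168.1.21 198.51.100.7 udp 53
2025-07-01T08:00:03 192.168.1.21 198.51.100.7 tcp 53
2025-07-01T08:00:04 192.168.1.22 8.8.8.8 udp 53
2025-07-01T08:00:05 192.168.1.22 203.0.113.99 tcp 443
2025-07-01T08:00:06 192.168.1.23 198.51.100.9 tcp 853
not a flow line
"""

def classify_resolver(ip: str) -> str:
    """Return 'expected', 'known-bad' or 'unexpected' for a resolver address."""
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    if any(ipaddress.ip_address(ip) in net for net in KNOWN_BAD_PREFIXES):
        return "known-bad"
    return "unexpected"

def parse_flow(line: str):
    """Split one flow-log line into (src, dst, proto, dport); None if malformed."""
    parts = line.split()
    try:
        src, dst = map(ipaddress.ip_address, parts[1:3])
        return str(src), str(dst), parts[3].lower(), int(parts[4])
    except (IndexError, ValueError):
        return None

def find_rogue_dns(log_text: str) -> dict:
    """Map each client to the non-expected resolvers it queried, with a verdict
    for each. Ports 53 (Do53) and 853 (DoT) count as DNS; other traffic is ignored."""
    findings = defaultdict(dict)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[3] not in (53, 853):
            continue
        src, dst = flow[0], flow[1]
        verdict = classify_resolver(dst)
        if verdict != "expected":
            findings[src][dst] = verdict
    return dict(findings)
```

Calling `find_rogue_dns(SAMPLE_FLOWS)` reports the two clients talking to the placeholder prefix and the one using a public resolver it was never assigned, which is the symptom a hijacked router produces for every device behind it.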

For more information and details, read our blog post.

About Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
