
When your internet’s “GPS” starts lying: Infoblox Threat Intel uncovers actor compromising routers

Renée Burton, Vice President of Infoblox Threat Intel

Imagine you’re on your way to a new restaurant: you input the address into your maps app and click to start the directions. Everything seems fine, until you arrive at a completely different location – someone quietly hijacked your app. Most of the time it still takes you to the right place, but every so often it detours you to a different spot that pays the hijackers when you arrive.

The newest threat campaign uncovered by Infoblox Threat Intel does just that to your router and thus your internet connection. After the attackers compromise your router, you might enter the right web address, but someone else decides where you end up. Everyone on the Wi-Fi has the same experience.

This new research shows that this actor is quietly breaking into older routers and changing one crucial part: their DNS settings. This way, every device using the compromised router asks Aeza-hosted resolvers for directions, instead of the resolvers from the Internet Service Provider (ISP). From there, an HTTP-based Traffic Distribution System (TDS) fingerprints users and selectively routes them through adtech platforms that often lead to victimization.

What’s Happening Behind the Scenes

  • Router compromise
    The actor remotely compromises routers, especially older models, and changes their DNS settings. Every phone, laptop, smart or IoT device using those routers now relies on attacker-controlled DNS infrastructure by default. The scale is global: the researchers see evidence of activity in over three dozen countries.
  • Shadow DNS hosted at Aeza
    Instead of the ISP’s resolvers, compromised routers send all DNS queries to resolvers hosted at Aeza International, a so-called “bulletproof” hosting company sanctioned by the U.S. Government in July 2025. These “shadow” resolvers usually answer big sites like Google truthfully, but are highly unpredictable for other domains, redirecting targeted users to the attackers’ malicious TDS.
  • Catching victims in the TDS
    Once traffic hits the TDS, users are fingerprinted and checked to confirm they came from a compromised router. When they pass these checks, they are redirected through affiliate marketing platforms and often to malicious content.

“Most people never think about who their router asks for directions on the internet—they just trust that the answer is right,” said Renée Burton, Vice President of Infoblox Threat Intel. “This campaign shows how dangerous it is when that trust is quietly hijacked: once attackers control DNS on the router, they gain a silent steering wheel for every internet connection for devices behind it and can turn ordinary browsing into a profitable detour.”

The practical fix is to upgrade the router to a modern one. On the organizational side, IT teams should treat DNS as critical security infrastructure by putting controls in place that can see and stop traffic heading into known bad resolvers and shadow networks.
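The control the paragraph above asks for, seeing and stopping DNS traffic that heads to resolvers the organization did not sanction, is easy to reason about from perimeter logs: a compromised router still has to send its queries somewhere, so its egress on the DNS ports tells the story. The following is an added example, not Infoblox code and not part of the research described here. It assumes a firewall log in a constructed one-line-per-flow format, an approved-resolver list made up of RFC 5737 documentation addresses standing in for the ISP's or enterprise's real resolvers, and a detection rule that any Do53 (port 53) or DNS-over-TLS (port 853) flow to an address outside that list is a finding.

```python
"""
Flag DNS traffic that bypasses the organization's approved resolvers.
Constructed example: the log format, the addresses and the approved-resolver
list are all assumptions for illustration, not data from any real deployment.
"""
import ipaddress
import re
from collections import defaultdict

# Resolvers every client and router is expected to use. Documentation-range
# addresses (RFC 5737) stand in for the real ISP or enterprise resolvers.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("192.0.2.54"),
}

# Ports that carry DNS in the clear (Do53) and over TLS (DoT). DNS-over-HTTPS
# on 443 cannot be told apart from web traffic by port alone, so it is left out.
DNS_PORTS = {53, 853}

# Minimal, assumed flow-log grammar: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one flow-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def find_rogue_dns(lines, approved=APPROVED_RESOLVERS):
    """Return {source_ip: {resolver_ip: flow_count}} for DNS-port traffic
    whose destination is not an approved resolver. Malformed lines and
    non-DNS ports are ignored, so the function is safe to run over raw logs."""
    rogue = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if rec["dst"] in approved:
            continue  # expected resolver, nothing to report
        rogue[str(rec["src"])][str(rec["dst"])] += 1
    return {src: dict(dsts) for src, dsts in rogue.items()}


# Constructed sample: 10.0.0.1 plays the router's internal address, sending
# most queries to an approved resolver but some (including one over DoT) to
# an unapproved one; 10.0.0.7 is a client that bypassed the router entirely.
SAMPLE_LOG = """
2025-11-03T09:14:02Z UDP 10.0.0.1:51423 -> 192.0.2.53:53
2025-11-03T09:14:03Z UDP 10.0.0.1:51424 -> 198.51.100.77:53
2025-11-03T09:14:05Z TCP 10.0.0.1:51430 -> 198.51.100.77:853
2025-11-03T09:14:06Z UDP 10.0.0.1:51431 -> 192.0.2.54:53
2025-11-03T09:14:07Z TCP 10.0.0.1:51432 -> 203.0.113.9:443
2025-11-03T09:14:09Z UDP 10.0.0.7:40001 -> 198.51.100.77:53
this line is deliberately malformed
"""


if __name__ == "__main__":
    findings = find_rogue_dns(SAMPLE_LOG.strip().splitlines())
    for src, dsts in sorted(findings.items()):
        for dst, n in sorted(dsts.items()):
            print(f"{src} sent {n} DNS flow(s) to unapproved resolver {dst}")
```

The same rule expressed as a firewall policy (deny outbound 53 and 853 except to the approved resolvers) is the blocking half of the control; the script above is the visibility half, and the per-source counts it returns are what you would route into an alert. Because the shadow resolvers in this campaign answer most queries correctly, resolver destination rather than answer content is the reliable signal to key on.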
