For more than a year, a Russian spy group has been secretly spying on internet traffic from all over the world. The targets are the ministries of foreign affairs and national law enforcement agencies in North Africa, Central America, and Southeast Asia.
The U.S. Justice Department announced a major operation called "Operation Masquerade" on April 7. Its goal was to stop APT28's campaign that was affecting the United States. In December 2025, Black Lotus Labs found 18,000 different IP addresses from at least 120 countries that were connecting to the attackers' network infrastructure. Microsoft said that in the last 12 months, more than 200 organizations and more than 5,000 consumer devices were affected.
The hackers went after known weaknesses that let them get into router interfaces.
For example, one bug they looked for was a medium-severity information disclosure issue affecting TP-Link devices that could be exploited without authentication. The only thing the attackers change is a single DNS setting on the router, so that traffic is sent to a server they own and run. According to the Department of Justice's account of Operation Masquerade, APT28's activities go back to "at least 2024." The next day, it completely changed its tactics, techniques, and procedures (TTPs) and started going after small office and home office (SOHO) routers.
He says, "It seems strange that some governments targeted by APT 28 would choose to use small office/home office routers," but he adds, "It's just about economics, convenience, and access."
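The technique described above comes down to one altered DNS setting on a SOHO router, which is also what makes it detectable. The following is an added example, not code from the article, the Justice Department, Black Lotus Labs, or any router vendor: it audits router configuration dumps against an allowlist of approved resolvers and, separately, compares answers obtained through the router's resolver with answers from a trusted out-of-band resolver, since many unrelated domains resolving to the same unexpected address is the signature of a hijacked upstream. The config format (`dns1=...` key/value lines), the approved-resolver list, and all IP addresses and domain answers are constructed for illustration.

```python
"""Detect an unexpected upstream DNS resolver on a SOHO router.

Added example for the article above; not from any vendor, agency or research
team. The config format, resolver allowlist and sample data are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed allowlist: resolvers the organisation expects its routers to use
# (standing in for ISP-assigned resolvers plus approved public ones). A real
# deployment would load this from asset inventory rather than hard-code it.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3, stands in for the ISP's resolvers
    ipaddress.ip_network("1.1.1.1/32"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
]

# Assumed key=value export format (dns1=, dns2=, nameserver:, dhcp_dns1=).
# Real routers differ; adapt this pattern to the device's own export.
DNS_KEY = re.compile(r"^\s*(?:dns\d|nameserver|dhcp_dns\d)\s*[=:]\s*(\S+)", re.I)


def parse_resolvers(config_text: str) -> List[str]:
    """Extract resolver values from a router configuration dump."""
    return [m.group(1) for m in map(DNS_KEY.match, config_text.splitlines()) if m]


def is_approved(ip_str: str) -> bool:
    """True only if the value parses as an IP inside an approved network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # hostnames or junk in a resolver field are treated as suspicious
    return any(ip in net for net in APPROVED_RESOLVERS)


def audit_router(name: str, config_text: str) -> Dict[str, object]:
    """Flag any configured resolver that is not on the allowlist."""
    resolvers = parse_resolvers(config_text)
    unexpected = [r for r in resolvers if not is_approved(r)]
    return {"router": name, "resolvers": resolvers,
            "unexpected": unexpected, "alert": bool(unexpected)}


def compare_answers(via_router: Dict[str, str], via_trusted: Dict[str, str]) -> List[str]:
    """Return domains whose answer through the router differs from a trusted resolver.

    One divergent domain may be CDN noise; unrelated domains all pointing at
    the same foreign address indicates the upstream has been redirected.
    """
    return sorted(d for d, a in via_router.items() if via_trusted.get(d) != a)


# Constructed sample data ----------------------------------------------------
CLEAN_CONFIG = """hostname=branch-gw-01
wan_proto=dhcp
dns1=203.0.113.53
dns2=8.8.8.8
"""
HIJACKED_CONFIG = """hostname=branch-gw-02
wan_proto=dhcp
dns1=198.51.100.77
dns2=203.0.113.53
"""
# Constructed: the same names resolved through the router vs. a trusted resolver.
ANSWERS_VIA_ROUTER = {"mail.example.org": "198.51.100.77",
                      "portal.example.org": "198.51.100.77",
                      "www.example.net": "192.0.2.20"}
ANSWERS_VIA_TRUSTED = {"mail.example.org": "192.0.2.10",
                       "portal.example.org": "192.0.2.11",
                       "www.example.net": "192.0.2.20"}


def run_audit():
    """Run both checks over the constructed sample data."""
    results = [audit_router("branch-gw-01", CLEAN_CONFIG),
               audit_router("branch-gw-02", HIJACKED_CONFIG)]
    diverging = compare_answers(ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED)
    return results, diverging


if __name__ == "__main__":
    results, diverging = run_audit()
    for r in results:
        status = "ALERT" if r["alert"] else "ok"
        print(f"{r['router']}: {status} resolvers={r['resolvers']} unexpected={r['unexpected']}")
    print("domains answered differently via router:", diverging)
```

The config audit is cheap enough to run on every scheduled backup of router configuration; the answer comparison catches the case where the attacker's resolver is inside an otherwise trusted-looking range, because it tests behaviour rather than the configured address.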