Most internet users rely on their home routers to hand out DNS settings and forward DNS queries correctly, never realizing that these signposts of the web can be manipulated. By compromising vulnerable routers and changing their DNS settings, a well-resourced "shadow" network has been covertly taking over home internet connections. Instead of using the internet service provider's resolvers, the compromised devices send every DNS query to malicious resolvers hosted by Aeza International, a bulletproof hosting company previously sanctioned by the US government.

This silent redirection lets the threat actors selectively control which websites users reach, frequently steering them toward scams or fraudulent advertising platforms. Well-known sites such as Google usually resolve correctly so as not to raise suspicion, while specific target domains trigger a multi-step chain of redirections.

Before the final payload is delivered, a secondary HTTP-based Traffic Distribution System (TDS) fingerprints the victim's device. Infoblox analysts uncovered the campaign after correlating sporadic user reports of "insane" internet behavior with unusual DNS patterns. They observed that the threat actors primarily target older router models; because every device on a home network trusts the router for DNS, a compromised router subverts the trust chain for all of them.

Victims frequently assumed that their computers, rather than their routers, were to blame for symptoms such as persistent browser redirects or an inability to reach Google Sheets.

The Method of EDNS0 Evasion

This campaign's evasion strategy is its most technically interesting feature. Security analysts initially had difficulty reproducing the malicious DNS responses because the rogue servers would not answer standard queries.

The breakthrough came when analysts found that the shadow resolvers answer only when the Extension Mechanisms for DNS (EDNS0) are explicitly turned off.

[Figure: An outline of Aeza International's two-part TDS (Source: Infoblox)]

Standard security scanning tools include EDNS0 automatically: it is a standard protocol extension that practically all contemporary resolvers use to signal support for UDP payloads larger than the classic 512 bytes and for security features such as DNSSEC. By configuring their servers to ignore these common queries, the attackers hid their infrastructure from automated scans and from most security researchers.

This simple but effective filter let the malicious network operate covertly for years: researchers' EDNS0-enabled queries received accurate IP addresses or no answer at all, while real victims, whose outdated or non-compliant hardware or particular configurations omit EDNS0, received the hijacked responses.
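The practical consequence of the EDNS0 filter is that a suspect resolver has to be queried twice, once with the OPT pseudo-record that every modern client sends and once without it, and the two answers compared. The script below is an added example written for this article, not code from Infoblox or from the campaign's analysis. It builds raw A queries by hand so the OPT record can be omitted deliberately, parses the reply, and flags a resolver that answers only the EDNS0-less query or returns different addresses in the two cases. The classification strings, the 4096-byte advertised payload size, and the sample response bytes are the example's own assumptions.

```python
"""Probe a DNS resolver with and without EDNS0 and compare the answers.

Assumptions (not from the article): raw UDP on port 53, A records only, and
the verdict strings below are this example's own heuristics.
"""
import random
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def build_query(name, edns0=True, txid=None):
    """Return (txid, packet) for a recursive A query; append an OPT RR if edns0."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    for label in name.strip(".").split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    packet += b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns0:
        # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags, RDLENGTH=0. This is what dig and most
        # scanners send by default, and what the rogue resolvers ignore.
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return txid, packet


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data):
    """Return (txid, flags, [A record addresses]) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, flags, addrs


def query(resolver, name, edns0, timeout=2.0):
    """Send one query; return the list of A records, or None on no/invalid reply."""
    txid, packet = build_query(name, edns0=edns0)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    rtxid, _flags, addrs = parse_a_records(data)
    return addrs if rtxid == txid else None


def probe(resolver, name):
    """Query with and without EDNS0; keys are True (EDNS0 on) and False (off)."""
    return {edns0: query(resolver, name, edns0) for edns0 in (True, False)}


def classify(results):
    """Heuristic verdict (this example's own) on a {True: addrs, False: addrs} result."""
    with_edns, without_edns = results[True], results[False]
    if with_edns is None and without_edns is None:
        return "UNREACHABLE: no answer with or without EDNS0"
    if with_edns is None:
        return "SUSPICIOUS: resolver answers only when EDNS0 is omitted"
    if without_edns is None:
        return "INCONCLUSIVE: no answer to the non-EDNS0 query"
    if set(with_edns) != set(without_edns):
        return "SUSPICIOUS: different answers with and without EDNS0"
    return "OK: consistent answers"


# Constructed sample response (not captured traffic): example.com A 192.0.2.1,
# with the answer name compressed as a pointer to the question (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
    + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    import sys
    resolver, name = sys.argv[1], sys.argv[2]  # e.g. the router's LAN address
    results = probe(resolver, name)
    for edns0, addrs in results.items():
        print(f"EDNS0={'on ' if edns0 else 'off'}: {addrs}")
    print(classify(results))
```

Run it against the resolver address the router handed out via DHCP, and use several names rather than just google.com, since the campaign deliberately lets high-profile domains resolve correctly; the domains a victim noticed redirecting are the right candidates. The same two-sided check can be done by hand with `dig @<resolver> <name>` followed by `dig +noedns @<resolver> <name>`, which is exactly the query that default scanner settings never send.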

To reduce this risk, users should check their router's configuration for DNS server entries they did not set and restore the ISP's or a trusted public resolver's addresses; because the rogue resolvers answer only queries sent without EDNS0, any check of a suspect resolver has to query it with EDNS0 disabled. Keeping router firmware up to date and replacing hardware that no longer receives security patches are essential to prevent the initial compromise.