Analysts from Infrawatch are actively collecting evidence against burglars from APT28.
A home router rarely seems to be a weak link until traffic begins to quietly redirect and replace the usual routes on the network. Against this background, Inflawatch has launched a free online service that helps to quickly check whether the router could get into the infrastructure associated with the APT28 group and their botnet FrostArmada.
The service is available on a separate Infrawatch page and accepts a public IP address or range of addresses in CIDR format. After the inspection, the site shows whether the address was met in the dataset related to the warning of the British National Cyber Security Center dated April 7, 2026. The company immediately stipulates that the tool does not guarantee one hundred percent accuracy, and the data set itself is updated every hour.
The reason for the launch of the service was the disclosure of the scheme in which APT28 used vulnerable routers to intercept DNS queries and intermediary attacks. The British NCSC reported that the attackers changed the DNS settings and redirected traffic through controlled nodes to intercept passwords and authentication tokens. U.S. agencies have also linked the campaign to a network of hacked home and office routers, which was recently liquidated by law enforcement officers.
Infrawatch separately indicates that it revealed about 18.6 thousand likely victims of the campaign. According to Black Lotus Labs, the FrestArmada network at its peak covered about 18 thousand devices in 120 countries and was used in the interests of Forest Blizzard, under which APT28 is also known. In practice, the new service gives home routers and small networks a quick way to understand whether the device requires urgent adjustment checking and protection updates.
A home router rarely seems to be a weak link until traffic begins to quietly redirect and replace the usual routes on the network. Against this background, Inflawatch has launched a free online service that helps to quickly check whether the router could get into the infrastructure associated with the APT28 group and their botnet FrostArmada.
The service is available on a separate Infrawatch page and accepts a public IP address or range of addresses in CIDR format. After the inspection, the site shows whether the address was met in the dataset related to the warning of the British National Cyber Security Center dated April 7, 2026. The company immediately stipulates that the tool does not guarantee one hundred percent accuracy, and the data set itself is updated every hour.
The reason for the launch of the service was the disclosure of the scheme in which APT28 used vulnerable routers to intercept DNS queries and intermediary attacks. The British NCSC reported that the attackers changed the DNS settings and redirected traffic through controlled nodes to intercept passwords and authentication tokens. U.S. agencies have also linked the campaign to a network of hacked home and office routers, which was recently liquidated by law enforcement officers.
Infrawatch separately indicates that it revealed about 18.6 thousand likely victims of the campaign. According to Black Lotus Labs, the FrestArmada network at its peak covered about 18 thousand devices in 120 countries and was used in the interests of Forest Blizzard, under which APT28 is also known. In practice, the new service gives home routers and small networks a quick way to understand whether the device requires urgent adjustment checking and protection updates.