Infoblox Research: How DNS Hijacking Turns Home Routers Into Attack Infrastructure

In most homes and small offices, the router is treated like plumbing, which means it only gets attention when it fails loudly enough to stop the water. Infoblox Threat Intel’s new research shows why that mental model is now a liability, because attackers have figured out how to make the connection keep working while quietly changing what “working” means.

The trick is to avoid the kinds of symptoms people associate with cyberattacks, because disruption creates scrutiny, and scrutiny creates remediation. Instead, the user experience remains mostly normal, while the attacker gains a subtle form of control that is more commercially useful than a dramatic one, since it can be monetised repeatedly without forcing a confrontation with the victim.

The compromise point is not your laptop, it is the box everyone forgets to update

Infoblox says the actor is remotely compromising routers, with a bias toward older models, and then changing one configuration that sits underneath everything else: the DNS resolver settings.

That matters because DNS is not an optional convenience. It is the system that translates a human-readable name into the address a device should connect to, which is why security firms describe DNS hijacking as a redirection attack that can be performed by taking over routers, not just by infecting endpoints.

Once the router’s DNS settings are altered, every device on that Wi-Fi inherits the change automatically, including phones, laptops, smart TVs, and the growing pile of household IoT hardware that often has even less security visibility than the router itself. This is what makes the attack feel uncanny to end users, because nothing appears “installed” on their device, while their browsing outcomes begin to shift anyway.

The shadow DNS layer is hosted in a part of the internet designed to absorb abuse

Infoblox reports that compromised routers are being pushed away from ISP resolvers and toward attacker-controlled resolvers hosted on Aeza infrastructure.

That hosting choice is not a neutral implementation detail. The US Treasury’s Office of Foreign Assets Control announced sanctions on Aeza Group on July 1, 2025, describing it as a bulletproof hosting provider that supported cybercriminal activity targeting victims in the United States and worldwide, which is precisely the type of infrastructure environment that allows malicious services to stay online when ordinary providers would terminate them.

Australia’s national cyber agency describes bulletproof hosting as infrastructure leased to cybercriminals that enables malicious operations on the internet, while resisting normal takedown pressure, and that framing helps explain why a DNS manipulation campaign that wants longevity would route through this kind of provider rather than mainstream cloud.

The design is not to lie all the time, because constant lying gets noticed

A crude DNS hijack that breaks popular services gets detected quickly, because victims complain and troubleshooting begins. Infoblox describes a more disciplined strategy in which big-name domains are typically resolved truthfully, while other domains and contexts produce unpredictable answers that route selected users into the attacker’s system.

This selective behaviour is the operational key to the entire scheme, because it turns DNS into a steering mechanism rather than a blunt weapon. The user keeps trusting the connection precisely because most of their daily internet use continues to behave normally, and that trust is the cover under which the attacker can perform profitable detours.

Traffic Distribution System that behaves like adtech, not like malware

Infoblox says that once a user’s traffic is pushed toward the actor’s infrastructure, it is handled by an HTTP-based Traffic Distribution System, or TDS, that fingerprints users and checks whether they appear to be coming from a compromised router before deciding what to do next.

This is where the campaign starts to look less like classic “intrusion” and more like the economics of traffic brokerage, because fingerprinting is a way to protect the funnel from being measured, analysed, or drained by security researchers, and also a way to optimise revenue by sending different users down different monetisation paths.

Infoblox’s description of the downstream routing is telling, because it runs through affiliate marketing and adtech platforms that “often lead to victimization,” which is a polite way of describing an ecosystem where scams, fake downloads, and malicious payloads are treated as interchangeable inventory so long as someone pays for conversion.

The human experience is confusion, not crisis, which is exactly why the campaign scales

If an employee clicks a link and lands somewhere strange, the likely explanation in most workplaces is user error, browser weirdness, or the general grime of the modern web, and that social reflex becomes part of the attacker’s defence. The ambiguity prevents escalation, and the absence of a clear “incident moment” prevents the kind of coordinated response that ransomware and destructive attacks tend to trigger.

“Most people never think about who their router asks for directions on the internet—they just trust that the answer is right,” said Renée Burton, Vice President of Infoblox Threat Intel, arguing that router-level DNS control becomes “a silent steering wheel” for every device behind it.

The strategic point is that the attacker is not trying to defeat the user’s judgement in a single dramatic moment, because they are trying to live inside the background assumptions that users and small organisations rarely audit.

The global footprint is a byproduct of ageing infrastructure and uneven replacement cycles

Infoblox says it observed evidence of activity in more than three dozen countries, and that spread is consistent with a world in which consumer networking hardware stays in place for years, especially in rental properties, small businesses, and price-sensitive markets where replacement is delayed until a device fails completely.

This is also why router compromise campaigns repeatedly reappear in different forms, because the supply of under-maintained edge devices is continually replenished by economic reality rather than by technical ignorance. People do not patch routers because the incentives are weak, the interfaces are confusing, and the perceived downside of doing nothing is low until the day it is not.

Infoblox’s practical advice is straightforward, because the vulnerable surface here is mostly obsolete hardware: upgrade the router to a modern model, and verify that DNS settings point to trusted resolvers rather than unknown infrastructure.

For organisations, the implication is broader than consumer advice, because DNS has to be treated as security infrastructure, not merely a networking utility, which means monitoring resolver choices, flagging traffic to known malicious DNS destinations, and building visibility for the kind of silent redirection that will never show up as an endpoint alert.
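The two checks the article recommends, verifying which resolvers a router hands out and watching for the selective answers described earlier (popular names resolved truthfully, lesser-known ones steered elsewhere), can be scripted. The following is an added example written for this page, not Infoblox’s tooling: it parses resolv.conf-style text, flags resolvers outside an approved list, and diffs answers from the configured resolver against a trusted reference resolver. All addresses, domain names and answer sets below are constructed sample data drawn from documentation ranges, except the three public resolver addresses in the allowlist.

```python
"""Router DNS audit: resolver allowlist check plus canary-answer comparison.

Added example, not code from Infoblox or the article. The sample data is
constructed (TEST-NET ranges and .example names) so it runs offline.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Resolver prefixes this network has approved. Constructed for the example:
# 192.0.2.0/24 stands in for the ISP's resolvers; the /32s are the public
# resolvers run by Cloudflare, Google and Quad9.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("1.1.1.1/32"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("9.9.9.9/32"),
]

# Constructed: what a client might receive via DHCP from a tampered router.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the router (constructed sample)
nameserver 192.0.2.53
nameserver 203.0.113.200
"""

# Constructed canary answers. The reference set comes from a resolver the
# organisation trusts; the configured set comes from the router's resolver.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "bigbrand.example": {"198.51.100.10"},
    "small-supplier.example": {"198.51.100.20"},
    "payroll-vendor.example": {"198.51.100.30"},
}
CONFIGURED_ANSWERS: Dict[str, Set[str]] = {
    "bigbrand.example": {"198.51.100.10"},        # popular name answered truthfully
    "small-supplier.example": {"203.0.113.77"},   # low-profile name answered differently
    "payroll-vendor.example": {"198.51.100.30"},
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def untrusted_resolvers(servers: Iterable[str]) -> List[str]:
    """Resolvers outside every approved prefix. A hijacked router usually
    shows up here: the address is routable but was chosen by nobody the
    network owner knows. Unparseable entries are flagged as well."""
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in TRUSTED_RESOLVERS):
            flagged.append(server)
    return flagged


def divergent_answers(configured: Dict[str, Set[str]],
                      reference: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Domains whose A records differ between the configured and reference
    resolvers. Since the campaign answers big-name domains honestly, the
    canary list must include the low-profile names the organisation really
    uses, not just brands. A mismatch is a signal to investigate, not proof:
    CDN-fronted names legitimately vary by resolver location."""
    report = {}
    for name, ref_ips in reference.items():
        got = configured.get(name, set())
        if got != ref_ips:
            report[name] = {"configured": sorted(got), "reference": sorted(ref_ips)}
    return report


def audit(resolv_conf: str, configured: Dict[str, Set[str]],
          reference: Dict[str, Set[str]]) -> dict:
    """Run both checks and return a single findings dict."""
    servers = parse_resolv_conf(resolv_conf)
    return {
        "resolvers": servers,
        "untrusted_resolvers": untrusted_resolvers(servers),
        "divergent_answers": divergent_answers(configured, reference),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESOLV_CONF, CONFIGURED_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"{key}: {value}")
```

In practice the reference answers would be fetched from a resolver over an authenticated channel (DNS over TLS or HTTPS to a known provider) rather than embedded, and the canary list should favour names with stable records, such as the organisation’s own domains, so that geo-aware CDN answers do not drown the signal in noise. Running the audit on a schedule from a host behind the router, and alerting on any change in the resolver list, gives the kind of visibility for silent redirection that the article notes an endpoint agent will never provide.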

What this story is really about is power shifting downward into invisible layers

Infoblox’s research is not just another reminder that “routers can be hacked,” because everyone already knows that in theory. The real lesson is that the internet’s control points are moving toward layers that users rarely inspect, while the monetisation of crime is moving toward systems that resemble advertising funnels more than they resemble traditional malware operations.

When DNS becomes the steering layer and bulletproof hosting becomes the platform that keeps that steering layer online, the ordinary user stops being the target in the old-fashioned sense, and becomes the raw material of a traffic business that is designed to operate quietly across borders for as long as the underlying hardware remains neglected.
