This threat involves a shadow DNS network combined with an HTTP-based traffic distribution system (TDS) hosted within Aeza International, a bulletproof hosting provider under sanctions. The attackers compromise routers by changing their DNS settings to point to shadow DNS resolvers controlled by the adversary. These resolvers selectively alter DNS responses, redirecting users to malicious or unwanted content, primarily for affiliate marketing revenue. The TDS uses advanced DNS manipulation techniques to evade detection by security tools, including clever DNS tricks that obscure malicious activity. Since mid-2022, this system has been operational, targeting network devices by hijacking DNS resolution paths. The compromised routers become a vector for adversary-in-the-middle (MitM) attacks, allowing interception and manipulation of network traffic beyond simple ad injection. The threat actor’s control over DNS resolution can undermine confidentiality and integrity of communications, potentially enabling further exploitation or data exfiltration. Indicators of compromise include specific IP addresses (e.g., 89.208.107.49, 104.238.29.136) and domains (e.g., gettranslate.ir, jackpotshop.life). Although no CVE or known exploits are currently reported, the threat’s persistence and stealthy nature make it a medium-severity concern. The use of a sanctioned bulletproof host complicates takedown efforts and attribution. The campaign’s focus on affiliate marketing suggests financial motivation but does not preclude escalation to more damaging activities.

For European organizations, the compromise of routers and DNS infrastructure can lead to significant risks including interception of sensitive data, redirection to phishing or malware sites, and disruption of normal network operations. The ability to manipulate DNS responses undermines trust in network communications and can facilitate further attacks such as credential theft, malware deployment, or lateral movement within corporate networks. Organizations with large numbers of remote or home office users relying on consumer-grade routers are particularly vulnerable. The threat could degrade availability by redirecting or blocking legitimate services, impacting business continuity. Additionally, the use of a bulletproof hosting provider complicates mitigation and attribution efforts, potentially prolonging exposure. Financially motivated actors may escalate tactics, increasing the risk of fraud or data compromise. The medium severity rating reflects the threat’s potential to impact confidentiality, integrity, and availability, especially if combined with other attack vectors.

1. Conduct comprehensive audits of all network routers, especially consumer and SMB devices, to verify DNS settings have not been altered. 2. Enforce strong authentication and firmware updates on routers to prevent unauthorized access and exploitation. 3. Implement DNS monitoring solutions to detect anomalous DNS queries and responses, focusing on shadow DNS resolvers and suspicious domains/IPs listed in threat intelligence feeds. 4. Block or restrict network traffic to and from known malicious IP addresses and domains associated with Aeza International infrastructure. 5. Use DNS security extensions (DNSSEC) where possible to validate DNS responses and reduce the risk of hijacking. 6. Educate users on risks of compromised DNS and encourage reporting of unusual network behavior. 7. Deploy network segmentation to limit exposure of critical systems to compromised devices. 8. Collaborate with ISPs and security communities to share intelligence and coordinate response efforts against bulletproof hosting abuse. 9. Regularly review and update incident response plans to include DNS hijacking scenarios. 10. Consider deploying DNS filtering services that can detect and block traffic to malicious destinations.