
Router‑level DNS control gives attackers a stealthy, scalable foothold to monetize compromised users, exposing millions to fraud and malware. The involvement of a sanctioned bullet‑proof host underscores geopolitical risks in cyber‑crime infrastructure.
Legacy consumer routers remain a soft target because manufacturers often discontinue firmware updates after a few years. When a router’s DNS configuration is compromised, every device on the network inherits the malicious resolution, effectively turning a single vulnerable appliance into a gateway for widespread traffic manipulation. This attack vector is especially insidious because users see no visual cues; standard browsing appears normal while background requests are silently rerouted to hostile destinations.
The campaign’s infrastructure leveraged Aeza International, a Russian bullet‑proof hosting service sanctioned by the United States in July 2025. By hosting the first stage of the DNS redirection on a sanctioned platform, the operators insulated themselves from takedown efforts and law‑enforcement scrutiny. After confirming a victim’s router was compromised, the system funneled traffic through an HTTP‑based distribution layer that channeled users into advertising and affiliate networks, monetizing the hijack through click‑fraud and malicious payload delivery. This two‑stage approach demonstrates how cyber‑criminals blend geopolitical evasion tactics with profit‑driven models.
For consumers, the immediate remedy is straightforward: replace aging routers with models that receive regular security patches or flash supported firmware where possible. Enterprises should audit home‑office devices and consider DNS‑filtering solutions that can detect anomalous resolution patterns. The broader industry response may include tighter regulation of bullet‑proof hosting services and increased collaboration between security firms and ISPs to flag compromised DNS traffic. As the Internet of Things expands, ensuring that every network edge device maintains up‑to‑date security will be critical to thwarting similar large‑scale hijacking campaigns.
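A simple host-side check of the kind the DNS-filtering advice above points at, added here as an example and not code from the original article or from any vendor it mentions. It performs two tests a defender can automate: first, whether the resolver addresses a router handed out via DHCP are either on the LAN or on an organisation's allow-list of known resolvers (the allow-list, the TEST-NET sample addresses and the domain names are all constructed for this example); second, whether answers obtained through the router's resolver still overlap with answers from an independent reference resolver, which is the comparison that exposes silent rerouting without any visual cue to the user. A real deployment would feed the functions with live DHCP lease data and live lookups over an encrypted channel; here the inputs are embedded constants so the script runs offline.

```python
"""Flag signs of router-level DNS hijacking from a host's point of view.

Added example with constructed sample data; the allow-list, addresses and
domain names below are assumptions, not values from the article.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Assumption: the organisation maintains an allow-list of resolver addresses
# that home-office routers are expected to advertise (ISP or public resolvers).
TRUSTED_RESOLVERS: Set[str] = {
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
}

# RFC 1918, link-local and loopback space: a resolver here normally means the
# router itself forwards DNS on behalf of the LAN.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def is_lan_address(ip: str) -> bool:
    """True if the address falls inside the private/link-local/loopback ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def audit_dns_servers(configured: Iterable[str],
                      trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Return resolver entries that are neither LAN addresses nor allow-listed.

    A public address that is not a known resolver is what a hijacked router
    pushes to every client via DHCP; unparsable entries are reported as well.
    """
    suspicious: List[str] = []
    for ip in configured:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            suspicious.append(ip)
            continue
        if is_lan_address(ip) or ip in trusted:
            continue
        suspicious.append(ip)
    return suspicious


def compare_resolutions(observed: Dict[str, Set[str]],
                        reference: Dict[str, Set[str]]) -> List[str]:
    """Compare answers seen via the router with answers from a trusted resolver.

    CDN-backed names legitimately return varying addresses, so the test is set
    overlap rather than equality: a name is flagged only when the observed
    answers share no address with the reference answers (or are missing).
    """
    flagged = [
        name for name, ref_addrs in reference.items()
        if not observed.get(name) or observed[name].isdisjoint(ref_addrs)
    ]
    return sorted(flagged)


# --- constructed sample data (documentation ranges, not real infrastructure) --
SAMPLE_DHCP_DNS = ["192.168.1.1", "8.8.8.8", "198.51.100.23"]  # last one is TEST-NET-2

SAMPLE_REFERENCE = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "news.example": {"203.0.113.50"},
    "cdn.example": {"203.0.113.70", "203.0.113.71"},
}
SAMPLE_OBSERVED = {
    "bank.example": {"198.51.100.99"},   # rerouted to an unrelated host
    "news.example": {"203.0.113.50"},    # identical answer
    "cdn.example": {"203.0.113.71"},     # partial overlap is acceptable
}


if __name__ == "__main__":
    print("suspicious resolvers:", audit_dns_servers(SAMPLE_DHCP_DNS))
    print("names with divergent answers:",
          compare_resolutions(SAMPLE_OBSERVED, SAMPLE_REFERENCE))
```

The overlap test rather than strict equality is deliberate: a strict comparison would page an analyst on every CDN rotation, while a resolver that returns an address set disjoint from a trusted resolver's answer for a bank or login domain is the pattern worth escalating.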