Is Shadow DNS Secretly Hijacking Your Router?

A sophisticated and long-running cyber campaign has been quietly exploiting vulnerabilities in home and business routers, creating a “shadow” network that intercepts internet traffic for financial gain. This operation, active since mid-2022, leverages compromised routers to reroute user DNS queries through rogue servers hosted by Aeza International, a sanctioned bulletproof hosting provider. The Domain Name System (DNS) acts as the internet’s phonebook, translating human-readable website names like “example.com” into machine-readable IP addresses. By hijacking this fundamental process, attackers have established a powerful adversary-in-the-middle position, allowing them to selectively redirect traffic to malicious destinations. For years, this financially motivated threat actor has managed to evade detection by carefully blending legitimate DNS resolutions with fraudulent ones, powering a complex affiliate marketing scam that funnels unsuspecting users toward advertisements, malware, or credential-stealing websites. The stealth of the operation lies in its subtlety; by not disrupting access to major sites like Google or Facebook, the attackers ensure the average user remains unaware that their connection has been compromised.

1. The Mechanics of a Clandestine Compromise

The attack chain begins with the systematic compromise of vulnerable routers, with a particular focus on older models that often lack up-to-date security patches. Once inside, the attackers alter the device’s core DNS settings, replacing the legitimate Internet Service Provider (ISP) resolvers with their own malicious servers hosted on the Aeza network. This single change effectively forces every device connected to that router—from computers and smartphones to smart home gadgets—to unwittingly use the rogue DNS system. This creates a powerful interception point where the actor can inspect and manipulate all outgoing DNS requests. To avoid raising alarms, the attackers employ a selective redirection strategy. Queries for major, high-traffic domains are resolved correctly, providing a seamless user experience. However, requests for specific, targeted domains, such as e-commerce or financial sites, are answered with IP addresses controlled by the attackers. Furthermore, they use an exceptionally short Time-to-Live (TTL) of 20 seconds on their DNS responses, forcing devices to re-query the malicious servers frequently and giving the attackers continuous, near-real-time control over the victim’s traffic flow.

A key element of this campaign’s longevity is its clever evasion of standard security scanning tools. The rogue DNS resolvers are configured to reject queries that include EDNS0 (Extension Mechanisms for DNS), a modern standard used by most automated analysis platforms. This rejection results in “malformed message” errors, effectively blinding scanners and causing them to report a non-functional server, while manual queries without EDNS0 succeed. This simple trick has been instrumental in keeping the infrastructure hidden from automated threat intelligence systems. When the servers detect too many queries from a single source, they begin returning a bogus IP address, 255.255.255.255, as another layer of anti-analysis defense. This technical subterfuge has tangible consequences, as evidenced by user reports emerging since early 2025. Victims have described bizarre network glitches, unexpected redirects to suspicious domains, and even device-level compromises like cryptocurrency miners being installed, all stemming from the compromised router that was silently poisoning their internet connection.

2. From Redirection to Monetization

The shadow DNS infrastructure serves as the foundational layer for a more intricate HTTP-based Traffic Distribution System (TDS), which allows for granular control over the monetization of hijacked traffic. When a user on a compromised network attempts to visit a targeted domain, the rogue DNS provides the IP address of a proxy server controlled by the attackers. This proxy then serves a snippet of JavaScript to the user’s browser, which performs a series of checks. This script fingerprints the device and verifies that the traffic is indeed coming from a victim of the router compromise, often by attempting to resolve a bogus domain that only the shadow DNS network knows how to answer. If this check fails, the user is seamlessly redirected to Google, preventing security researchers or accidental visitors from analyzing the payload. If the check succeeds, a chain of redirects is initiated, funneling the user through various adtech “smartlinks” that resell the traffic to the highest bidder for affiliate marketing scams, malicious ad delivery, or phishing campaigns.

This modern attack shares characteristics with historical DNS-based threats but has evolved to be far more evasive and resilient. It echoes the notorious DNSChanger malware from 2011, which similarly hijacked DNS settings for ad fraud and to block victims from receiving antivirus updates. However, the current operation’s potential impact is significantly broader. Beyond simple ad fraud, the attackers could block access to software update servers, preventing devices from receiving critical security patches. They could also spoof legitimate services, such as banking portals or corporate login pages, to harvest credentials. This type of attack also has a secondary, disruptive effect on the cybersecurity community by polluting passive DNS databases. These vast repositories of DNS query data are used by researchers to track malicious infrastructure. By injecting false resolutions, the attackers can misdirect investigations, attribute their activity to benign services, and generally create noise that complicates threat analysis and attribution efforts for other malware campaigns.

3. Fortifying Your Digital Defenses

Protecting against this insidious threat requires a multi-layered approach focused on securing the network’s gateway: the router. The most critical first step is a thorough review of the router’s DNS settings. These should point to the ISP’s default servers or, for stronger protection, to a trusted public DNS resolver that supports encryption, such as DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). These encrypted protocols prevent local network attackers from snooping on or modifying DNS queries. Equally important is keeping router firmware up to date. Manufacturers frequently release patches for the vulnerabilities attackers exploit to gain initial access, and applying these updates promptly closes many common attack vectors. Finally, monitoring network traffic for unusual signs, such as abnormally short DNS TTLs or connections to known malicious IP ranges like those associated with Aeza International, is an effective way to detect an active compromise.
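The three resolver-side indicators described in sections 1 and 3 (a “malformed message” answer to EDNS0 queries while plain queries succeed, a 20-second TTL, and 255.255.255.255 returned as an answer) can be checked directly against the resolver a router hands out. The following script is an added example written for this article, not code from the original report or from any vendor tool. It uses only the Python standard library, builds and parses raw DNS packets itself, and probes whichever resolver address you pass on the command line (the default `192.0.2.53` is a documentation-range placeholder, not a real server). The `build_sample_response` helper produces constructed fixtures so the parser and the assessment logic can be exercised offline; no packet in it is captured traffic.

```python
"""Added example: probe a DNS resolver for the shadow-DNS indicators
(EDNS0 rejected with FORMERR, TTL of 20 s or less, 255.255.255.255 answers).
Standard library only; the DNS parser handles A records and name compression."""
import socket
import struct
import sys

RCODE_FORMERR = 1          # "Format error": how the rogue resolvers answer EDNS0 queries
SHORT_TTL_SECONDS = 20     # TTL the report attributes to the rogue responses
BOGUS_IP = "255.255.255.255"


def build_query(name: str, txid: int = 0x1234, edns0: bool = False) -> bytes:
    """Build a DNS A/IN query; optionally append an EDNS0 OPT pseudo-record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)
    # OPT record: root name, type 41, UDP payload size 4096, ext-rcode/flags 0, no rdata
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0) if edns0 else b""
    return header + question + opt


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), end if jumped else offset


def parse_response(data: bytes) -> dict:
    """Return {'id', 'rcode', 'answers': [{'name', 'ttl', 'ip'}, ...]} for a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                  # A record only
            answers.append({"name": name, "ttl": ttl, "ip": socket.inet_ntoa(rdata)})
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def assess(plain: dict, edns) -> list:
    """List the indicators seen. `plain` is the parsed reply to the non-EDNS0
    query; `edns` is the parsed reply to the EDNS0 query, or None on timeout."""
    indicators = []
    if plain["rcode"] == 0 and plain["answers"] and (edns is None or edns["rcode"] == RCODE_FORMERR):
        indicators.append("edns0_rejected")
    for a in plain["answers"]:
        if a["ttl"] <= SHORT_TTL_SECONDS:
            indicators.append(f"short_ttl:{a['name']}={a['ttl']}")
        if a["ip"] == BOGUS_IP:
            indicators.append(f"bogus_answer:{a['name']}")
    return indicators


def probe(resolver_ip: str, name: str, edns0: bool, timeout: float = 2.0):
    """Send one UDP query to resolver_ip:53; return the parsed reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns0=edns0), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def build_sample_response(name: str, ip: str, ttl: int, rcode: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed fixture (not captured traffic): one-answer A reply that
    references the question name through a compression pointer (0xC00C)."""
    question = build_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)) if rcode == 0 else b""
    return header + question + answer


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"   # placeholder: use your router's DNS server
    plain = probe(resolver, "example.com", edns0=False)
    edns = probe(resolver, "example.com", edns0=True)
    print(assess(plain, edns) if plain else "no reply to the plain query")
```

Run it as `python3 check_resolver.py <router-dns-ip>` against the resolver address shown in the router’s WAN or DHCP settings. A healthy resolver returns an empty list; `edns0_rejected` together with `short_ttl` on a domain that normally carries a TTL of minutes or hours matches the behaviour the report describes and is worth comparing against the same query sent to a trusted public resolver. A single `short_ttl` hit on its own is not proof of compromise, since some CDNs legitimately publish low TTLs.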
