Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Justice Department Conducts Court-Authorized Disruption of DNS Hijacking Network Controlled by a Russian Military Intelligence Unit
(TLP: CLEAR) The Department of Justice and FBI recently announced a court-authorized technical operation, dubbed Operation Masquerade, to dismantle the U.S. portion of a compromised SOHO router network operated by GRU Military Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, and Sofacy Group, among other designations. Beginning at least in 2024, GRU actors systematically exploited known vulnerabilities in TP-Link routers to harvest credentials and gain unauthorized administrative access to thousands of devices across the United States and allied nations. Once access was established, attackers modified DNS resolver settings on the compromised devices, redirecting user queries to GRU-controlled DNS infrastructure rather than legitimate ISP-assigned resolvers. This configuration change, requiring no malware implant on the router itself, enabled passive, sustained interception of unencrypted traffic traversing the affected network — including credentials, authentication tokens, and email content. Microsoft’s analysis identified more than 200 organizations and 5,000 consumer devices affected by the operation, with Lumen Technologies’ Black Lotus Labs confirming that primary targeting focused on government ministries, law enforcement agencies, and third-party email providers across the United States, Europe, Afghanistan, North Africa, Central America, and Southeast Asia. The court-authorized remediation pushed a series of FBI-developed commands to compromised U.S. routers, resetting DNS configuration to legitimate ISP-assigned resolvers and revoking the GRU’s initial access vector. The operation did not impact normal router functionality and can be reversed through a factory reset.
(TLP: CLEAR) Comments: Operation Masquerade is a significant law enforcement response to a sustained intelligence collection campaign that exploited one of the most persistent blind spots in enterprise and residential network security — the router. By limiting their footprint to a DNS configuration change rather than deploying full-capability malware, GRU operators deliberately avoided the detection mechanisms most organizations rely on: endpoint protection agents, EDR telemetry, and anomalous process monitoring have no visibility into router firmware settings. The approach is operationally elegant precisely because it is invisible to conventional security stacks. The scope of this campaign — spanning 23+ U.S. states and extending into allied nations across Europe — reinforces that GRU collection infrastructure operates at a geographic scale that outpaces most organizational threat models. The court-authorized remediation neutralizes this specific access method, but it does not eliminate the underlying exposure. SOHO routers remain chronically under-patched and frequently administered without any security oversight. Organizations and individuals running consumer-grade networking equipment in environments that handle sensitive data should treat this operation as a direct signal: edge devices are not passive conduits — they are an active and frequently unmonitored component of the threat surface.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-20: “SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)”:
Control:
- Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
- Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects DNS responses for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Google: New UNC6783 Hackers Steal Corporate Zendesk Support Tickets
(TLP: CLEAR) Google’s Threat Intelligence Group (GTIG) published reporting on a financially motivated threat cluster designated UNC6783, which has targeted dozens of high-value corporate entities across multiple sectors by compromising business process outsourcing (BPO) providers that manage support and helpdesk operations on behalf of those organizations. GTIG principal threat analyst Austin Larsen assessed that UNC6783 may be linked to an online persona known as “Raccoon,” who claimed responsibility in early April 2026 for stealing millions of Zendesk support tickets, employee records, and HackerOne bug bounty submissions from an India-based BPO serving Adobe. The campaign’s attack chain relies on social engineering rather than software exploitation. Attackers initiate contact through live chat support channels, directing employees to spoofed Okta login pages hosted on look-alike domains following the pattern of `<org>[.]zendesk-support<##>[.]com`. A custom phishing kit deployed across these domains harvests clipboard contents, enabling the actor to bypass push- and TOTP-based multi-factor authentication in real time. Once access is established with stolen credentials and a registered attacker-controlled device, UNC6783 searches for high-value corporate data within the victim’s support environment — including internal documents, customer communications, and authentication artifacts. In some observed cases, attackers deployed fake security update packages during support interactions to install remote access malware. Following data exfiltration, victims are contacted via ProtonMail with extortion demands. Google’s Mandiant team recommended deploying FIDO2 hardware security keys, monitoring live chat for redirection attempts, blocking look-alike Zendesk domains, and conducting regular MFA device enrollment audits as primary mitigations.
(TLP: CLEAR) Comments: The UNC6783 campaign exposes a structural weakness in the extended-trust model that most enterprises implicitly accept when they outsource business functions to third-party service providers. The attack surface is not a flaw in Zendesk or Okta — it is the human and procedural layer surrounding those platforms. By targeting BPO support staff rather than the enterprise network directly, this actor effectively sidesteps perimeter defenses that are architecturally optimized to protect the internal environment. The tactics share meaningful overlap with those of Scattered Spider and Lapsus$, suggesting that financially motivated actors operating outside nation-state attribution frameworks are converging on the same insight: insider access obtained through social engineering is faster, cheaper, and harder to detect than technical exploitation. The clipboard-stealing MFA bypass is a particularly critical data point for defenders. Organizations that have implemented push notification or TOTP-based MFA may have a false sense of resilience against this technique. Only phishing-resistant FIDO2 authentication can reliably defeat real-time adversary-in-the-middle credential interception of this type. Enterprises with outsourced support operations should urgently audit what privileged access third-party BPO staff hold, apply the principle of least privilege to all support tooling, and monitor for domain registrations matching their Zendesk infrastructure patterns.
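As an added example (not Vercara’s, DigiCert’s or Google’s code), the following Python scans DNS query logs for the `<org>.zendesk-support<##>.com` shape reported above and, more generally, for names that borrow a vendor brand as a label outside the vendor’s own zone. The log format, the allowlisted zones and the sample lines are constructed, and the registrable-domain logic is a two-label simplification of the public-suffix rule.

```python
"""Look-alike vendor-domain detection over DNS query logs (added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "ts client qname reason")

# Zones the vendors actually own (constructed allowlist; extend per environment).
LEGIT_ZONES = {"zendesk.com", "okta.com"}
BRANDS = ("zendesk", "okta")

# Exact shape from the UNC6783 reporting: <org>.zendesk-support<##>.com
UNC6783_PATTERN = re.compile(r"^[a-z0-9-]+\.zendesk-support\d{2}\.com$")

# Constructed log format: "<ISO timestamp> <client-ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable(qname):
    """Last two labels of a name: a simplification of the public-suffix rule,
    adequate for the .com/.net/.org zones used in this sample."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(qname):
    """Return a reason string if qname looks like vendor impersonation, else None."""
    name = qname.rstrip(".").lower()
    if registrable(name) in LEGIT_ZONES:
        return None  # the vendor's own zone; nothing to flag
    if UNC6783_PATTERN.match(name):
        return "matches <org>.zendesk-support<##>.com pattern"
    for label in name.split("."):
        for brand in BRANDS:
            if brand in label:  # substring heuristic; tune per environment
                return f"brand '{brand}' used outside {brand}.com"
    return None


def scan_log(lines):
    """Apply classify() to each well-formed log line; return Findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname, _qtype = m.groups()
        reason = classify(qname)
        if reason:
            findings.append(Finding(ts, client, qname.rstrip(".").lower(), reason))
    return findings


# Constructed sample log: one benign vendor query, one UNC6783-shaped name,
# one generic brand borrowing, one unrelated name.
SAMPLE_LOG = [
    "2026-04-08T14:02:11Z 10.20.1.15 acme.zendesk.com. A",
    "2026-04-08T14:02:40Z 10.20.1.15 acme.zendesk-support42.com. A",
    "2026-04-08T14:03:05Z 10.20.1.22 okta-verify-login.example.net. A",
    "2026-04-08T14:03:30Z 10.20.1.22 www.example.org. A",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.qname}: {f.reason}")
```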
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for users and machines using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.
Russian Hackers Exploiting Home and Small-Office Routers in Massive DNS Hijacking Attack
(TLP: CLEAR) Technical reporting accompanying the DOJ’s Operation Masquerade announcement provides additional detail on the attack methodology employed by GRU Military Unit 26165 (APT28) in its multi-year DNS hijacking campaign targeting SOHO networking equipment. GRU actors exploited authentication and configuration vulnerabilities in TP-Link routers — and potentially devices from other manufacturers — to gain unauthorized administrative access without needing to deploy persistent malware on the device itself. After gaining access, the actor modified the router’s upstream DNS resolver settings, substituting legitimate ISP-assigned resolvers with GRU-controlled DNS infrastructure. This single configuration change was sufficient to establish a durable, passive intelligence collection capability: all DNS queries from devices on that network were answered by GRU-controlled servers, enabling traffic filtering, selective interception, and targeted harvesting of credentials, session tokens, and email content traversing the network in unencrypted form. Black Lotus Labs at Lumen confirmed that targeting was not indiscriminate — GRU actors used their DNS vantage point to identify specific individuals and organizations of intelligence interest, concentrating collection against government agencies, defense-related entities, and critical infrastructure operators across more than 23 U.S. states and allied nations in Europe and elsewhere. The absence of conventional malware made this activity essentially invisible to host-based endpoint detection tools and most network monitoring solutions that are not specifically configured to audit DNS resolver integrity.
(TLP: CLEAR) Comments: The technical construction of this campaign illustrates a core principle of advanced persistent threat operations: the most durable collection capability is one that blends into the normal function of the network. DNS resolver modification is a single-line configuration change on most consumer routers — it requires no exploit payload to maintain, leaves no running process for endpoint tools to detect, and persists across reboots without further attacker interaction. This makes it an exceptionally efficient collection mechanism that can run undetected for extended periods. From a defensive standpoint, the critical gap is the near-universal absence of DNS integrity monitoring at the network edge. Most organizations implement DNS security controls — blocklists, protective DNS resolvers, DNSSEC validation — for traffic flowing through enterprise infrastructure, but have no visibility into whether devices on their network (particularly those not managed by central IT) are resolving through a trusted resolver at all. Extending DNS integrity verification to SOHO and remote-work environments, combined with deploying a Protective DNS service that enforces enterprise policy regardless of where the DNS query originates, would significantly narrow this exposure.
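Added example (not Vercara/DigiCert code) of the DNS resolver integrity check the comments call for: it flags resolver addresses outside the ranges an ISP or enterprise is expected to assign, and compares answers for canary names seen through the configured resolver against answers from a trusted out-of-band resolver. The resolver ranges, names and addresses are constructed sample data.

```python
"""Resolver-integrity check for edge networks (added example)."""
import ipaddress
import re

# Constructed allowlist: the resolver ranges the ISP/enterprise actually hands out.
TRUSTED_RESOLVER_CIDRS = ["198.51.100.0/24", "2001:db8:53::/48"]


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text (comments ignored)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def untrusted_resolvers(servers, trusted_cidrs=TRUSTED_RESOLVER_CIDRS):
    """Return configured resolvers that fall outside every trusted range.
    A repointed router hands clients a resolver nobody on the allowlist owns."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    bad = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)  # not an address at all: treat as suspicious
            continue
        if not any(addr in n for n in nets):
            bad.append(s)
    return bad


def canary_mismatches(observed, reference):
    """Compare A-record sets for canary names: 'observed' via the configured
    resolver, 'reference' from a trusted out-of-band resolver. Returns
    {name: (observed_set, reference_set)} for names whose answers differ.
    A hijacked resolver can steer a few names and pass the rest through,
    so every canary is compared, not just one."""
    mismatches = {}
    for name, ref in reference.items():
        obs = set(observed.get(name, ()))
        if obs != set(ref):
            mismatches[name] = (obs, set(ref))
    return mismatches


# Constructed sample: a resolv.conf handed out by a repointed router, plus
# canary answers in which one name has been redirected.
SAMPLE_RESOLV_CONF = """# generated by DHCP
nameserver 198.51.100.53
nameserver 203.0.113.7
"""
REFERENCE_ANSWERS = {"mail.example.com": ["192.0.2.10"],
                     "login.example.com": ["192.0.2.20"]}
OBSERVED_ANSWERS = {"mail.example.com": ["203.0.113.99"],
                    "login.example.com": ["192.0.2.20"]}


def audit(resolv_text=SAMPLE_RESOLV_CONF, observed=OBSERVED_ANSWERS,
          reference=REFERENCE_ANSWERS):
    """Run both checks; empty values mean clean."""
    return {
        "untrusted_resolvers": untrusted_resolvers(parse_resolv_conf(resolv_text)),
        "canary_mismatches": canary_mismatches(observed, reference),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result if result else 'clean'}")
```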
(TLP: CLEAR) Recommended best practices/regulations: RFC 9424, “Indicators of Compromise (IoCs) and Their Role in Attack Defence”, Section 3.4.2:
“Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine whether a domain is malicious before endpoints can be infected by it.
Source: https://cybersecuritynews.com/russian-hackers-exploiting-routers/
Evasive Masjesu DDoS Botnet Targets IoT Devices
(TLP: CLEAR) Researchers at Trellix published detailed analysis of Masjesu, a commercially operated IoT botnet also tracked as XorBot, which has been active since at least 2023 and continues to evolve through 2026. Masjesu is marketed as a DDoS-for-hire service primarily through Telegram channels operating in both English and Chinese, with an original channel exceeding 2,000 subscribers before platform removal and a subsequent bilingual channel with approximately 420 active subscribers. Operators have publicly advertised sustained attack capacities near 290–300 Gbps. The botnet propagates by exploiting known vulnerabilities across a broad range of devices, including D-Link, GPON, Huawei, Netgear, MVPower DVR, and Realtek-based products, with compiled samples supporting architectures including ARM, MIPS, SPARC, PPC, 68K, and AMD64. Once installed, the malware conceals C2 addresses, configuration data, and payload details using multi-stage XOR encryption, decrypting only at runtime to defeat static analysis. Persistence is achieved by renaming the malware executable to impersonate a legitimate Linux dynamic linker, forking a background daemon process, and installing a cron job that executes every 15 minutes. The botnet binds to hardcoded TCP port 55988 for C2 communication and supports a broad attack portfolio, including UDP, TCP SYN/ACK/ACKPSH, ICMP, GRE, OSPF, HTTP, and Valve Source Engine query floods, with randomized headers and spoofed source IPs to complicate traffic filtering. Notably, Masjesu deliberately avoids targeting IP ranges associated with the U.S. Department of Defense and other entities likely to trigger law enforcement attention — a calculated operational restraint that has contributed to its multi-year survival. Infected device concentrations have been observed primarily in Vietnam, with significant representation from Brazil, India, Iran, Kenya, and Ukraine.
(TLP: CLEAR) Comments: Masjesu represents the maturation of the commercial DDoS-for-hire market into a technically sophisticated and operationally disciplined business model. Its survival since 2023 — an unusually long window in a threat landscape where botnet infrastructure is frequently disrupted within months — reflects deliberate choices by its operators to prioritize longevity over scale. The avoidance of high-profile DoD-associated infrastructure, combined with geographically dispersed infection sourcing and randomized attack signatures, makes Masjesu both harder to attribute and harder to filter than commodity botnets that rely on static source pools and known traffic patterns. The bilingual Telegram marketing is also operationally significant: a customer base spanning both Chinese and English-speaking markets means that attack traffic sourced from this botnet cannot be easily correlated with a specific geopolitical actor or campaign, complicating incident response and attribution workflows. For organizations defending internet-facing services, the primary operational challenge is that Masjesu traffic is deliberately engineered to blend with legitimate flows. Static signature-based filtering is insufficient; behavioral baselining, volumetric thresholding, and automated traffic scrubbing capable of responding to multi-vector attack combinations are required to detect and mitigate this botnet’s attack profile before it saturates available capacity.
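Added example (not Trellix’s or Vercara/DigiCert’s code) of host-side triage for the persistence traits Trellix describes: a cron job on a 15-minute schedule running from a non-system path, a process named like the Linux dynamic linker whose executable lives outside /lib or /usr/lib, and a TCP listener on port 55988. The input formats and all sample data are constructed, and the linker-name regex is an assumption about how the impersonation looks.

```python
"""Host triage for Masjesu/XorBot-style persistence traits (added example)."""
import re

TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
# Assumed shape of a dynamic-linker-like name, e.g. ld-linux.so.2, ld-linux-armhf.so.3
LINKER_NAME = re.compile(r"^ld(-linux)?[-\w.]*\.so(\.\d+)?$")
MASJESU_C2_PORT = 55988  # hardcoded C2 port reported by Trellix


def suspicious_cron(crontab_text):
    """Flag 15-minute schedules whose command runs from a non-system path.
    Lines follow 'm h dom mon dow command'; comments and blanks are skipped."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # not a schedule line (e.g. a VAR=value assignment)
        minute, command = parts[0], parts[5]
        every_15 = minute in ("*/15", "0,15,30,45")
        exe = command.split()[0]
        if every_15 and not exe.startswith(TRUSTED_BIN_DIRS):
            hits.append(line)
    return hits


def linker_impostors(ps_lines):
    """Given (pid, comm, exe) triples, report processes named like the dynamic
    linker whose executable is not under a trusted library/binary directory."""
    return [(pid, comm, exe) for pid, comm, exe in ps_lines
            if LINKER_NAME.match(comm) and not exe.startswith(TRUSTED_BIN_DIRS)]


def c2_port_listeners(sockets):
    """Given (proto, local_port, pid) tuples, report TCP sockets on 55988."""
    return [s for s in sockets if s[0] == "tcp" and s[1] == MASJESU_C2_PORT]


# Constructed sample inputs: one benign entry beside each suspicious one.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.x/ld-linux.so.2
"""
SAMPLE_PS = [
    (1, "init", "/sbin/init"),
    (812, "ld-linux.so.2", "/tmp/.x/ld-linux.so.2"),       # impostor
    (900, "ld-linux-armhf.so.3", "/lib/ld-linux-armhf.so.3"),  # real linker
]
SAMPLE_SOCKETS = [("tcp", 22, 401), ("tcp", 55988, 812), ("udp", 53, 300)]


def triage(crontab=SAMPLE_CRONTAB, ps=SAMPLE_PS, sockets=SAMPLE_SOCKETS):
    """Run all three checks; empty lists mean nothing was found."""
    return {"cron": suspicious_cron(crontab),
            "linker_impostors": linker_impostors(ps),
            "c2_listeners": c2_port_listeners(sockets)}


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result or 'clean'}")
```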
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-5: “DENIAL-OF-SERVICE PROTECTION
- [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]
- Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].”
SC-5 requires that organizations perform risk management concerning the availability of IT systems and implement controls appropriate for the level of risk.
(TLP: CLEAR) DigiCert: DigiCert’s UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and more than 15 Tbps of DDoS mitigation capacity, enabling customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices provides protection against emerging attack vectors and common attack sources.
Source: https://www.securityweek.com/evasive-masjesu-ddos-botnet-targets-iot-devices/
US Warns of Iranian Hackers Targeting Critical Infrastructure
(TLP: CLEAR) A joint advisory issued April 7, 2026 by the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command’s Cyber National Mission Force warns that Iranian-affiliated APT actors have been actively exploiting internet-exposed Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) across multiple U.S. critical infrastructure sectors since at least March 2026. Targeted sectors include Water and Wastewater Systems, Energy, and Government Services and Facilities, including local municipalities. The authoring agencies confirmed that attacks have resulted in operational disruption and financial loss for some victim organizations. Adversary activity involved malicious interaction with device project files — specifically .ACD files storing ladder logic and configuration settings — and manipulation of data displayed on human-machine interface (HMI) and SCADA displays, in some cases producing false situational awareness for operators. The FBI assessed the activity is a deliberate escalation, likely in response to U.S. and Israeli military strikes against Iran beginning February 28, 2026. The agencies did not publicly name the specific threat group but noted TTPs consistent with CyberAv3ngers, an IRGC Cyber Electronic Command-affiliated actor previously linked to PLC compromises against U.S. water facilities in late 2023. The advisory lists specific IOCs including attacker-associated IP addresses, and identifies Dropbear SSH on port 22 and Rockwell’s Studio 5000 Logix Designer software among the observed access vectors. Organizations are directed to immediately remove affected PLCs from direct internet exposure and review vendor-issued hardening guidance.
(TLP: CLEAR) Comments: The deliberate targeting of internet-exposed PLCs in water, energy, and municipal government environments represents a qualitative escalation in Iranian cyber operations, shifting emphasis from IT-focused intrusions toward direct manipulation of operational technology controlling physical processes. This escalation follows a well-documented Iranian APT pattern: geopolitical pressure triggers a corresponding intensification of OT-focused cyber activity, frequently timed to coincide with periods of kinetic conflict or diplomatic confrontation. The particular concern with HMI and SCADA data manipulation — as opposed to data theft — is that it can generate false operational states, potentially causing human operators to take incorrect corrective actions in response to conditions that do not actually exist. In environments controlling water treatment chemistry, power distribution, or industrial automation, operator-driven responses to manipulated sensor data carry real physical risk. The broader defensive challenge is that OT environments routinely lag IT environments in security maturity: PLCs and SCADA systems are often directly internet-accessible by design, infrequently updated due to operational continuity constraints, and managed by teams without dedicated cybersecurity expertise. Organizations operating PLC infrastructure must treat this advisory as urgent: audit internet exposure of all OT devices, verify firmware versions, enforce network segmentation between OT and IT environments, and implement continuous monitoring of OT network traffic for anomalous command and configuration activity.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One way to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.