Shadow DNS Attacks Hijack Home Routers to Power Global Ad Fraud and Malware Campaigns

Introduction: DNS, the Invisible Backbone Under Attack

Every time a user types a website address into a browser, an invisible process begins. The Domain Name System, or DNS, translates human-readable domains into numerical IP addresses so devices know where to connect. It is one of the internet’s most trusted systems, designed to work quietly and reliably in the background. But that trust is increasingly being exploited. A long-running and highly evasive campaign has shown how attackers can quietly seize control of DNS at the router level, redirecting traffic through rogue infrastructure without most victims ever realizing it. This operation, active since at least mid-2022, turns compromised routers into gateways for ad fraud, malware delivery, and potentially far more dangerous attacks.

How Shadow DNS Quietly Rewrites Internet Traffic

The newly uncovered campaign revolves around what researchers describe as “shadow DNS” infrastructure. Instead of infecting individual devices with obvious malware, attackers compromise routers themselves, especially older or poorly maintained models. Once inside, they alter the router’s DNS configuration so that every device connected to it unknowingly sends its DNS queries to attacker-controlled resolvers rather than the internet service provider’s legitimate servers.

This tactic creates an adversary-in-the-middle position. The attackers do not need to break encryption or compromise each device directly. By controlling DNS resolution, they decide where traffic goes before any secure connection is established. The operation relies on infrastructure hosted by Aeza International, a bulletproof hosting provider identified as AS210644 and later sanctioned by U.S. authorities.

Selective Manipulation to Avoid Detection

What makes this campaign especially dangerous is how carefully it avoids drawing attention. The rogue DNS resolvers do not hijack all traffic. Instead, they selectively manipulate responses for specific domains, such as authentication platforms or e-commerce services, while returning correct IP addresses for high-profile sites like Google, Facebook, or YouTube.

This selective behavior allows the attackers to stay hidden for years. Most users never notice anything obviously broken. Even network administrators may see normal-looking DNS traffic, making the compromise difficult to distinguish from routine network noise.

Short TTLs and Artificial DNS Noise

Another hallmark of the operation is the unusually short DNS time-to-live values. Responses often carry a TTL of just 20 seconds, forcing devices to repeatedly re-query DNS servers. This creates a constantly shifting resolution pattern that varies by location, timing, and randomization.

The attackers also respond to non-existent domains with fake DNS replies. This mimics the kind of harmless DNS “leakage” commonly seen in local networks, further blending malicious behavior into what looks like everyday background traffic.

EDNS0 Rejection as an Evasion Technique

One of the cleverest evasion tactics involves EDNS0, a modern DNS extension widely used by scanners, security tools, and enterprise resolvers. The shadow DNS servers simply reject queries that include EDNS0, returning “malformed message” errors instead of usable responses.

Because most automated tools rely on EDNS0 by default, this behavior effectively blinds large-scale scanners. Manual testing requires explicitly disabling EDNS0, for example with dig +noedns, to reveal the malicious behavior. Even then, excessive querying can trigger defensive responses, with the resolvers returning a catch-all IP address such as 255.255.255.255.

Confirmed Rogue Resolvers and Growing Reports

Researchers have identified multiple confirmed rogue DNS resolvers linked to this operation, including IP addresses such as 104.238.29.136, 138.124.101.153, 193.233.232.229, 45.80.228.233, and 89.208.103.145. By early 2025, user reports began surfacing publicly, describing strange network behavior that defied simple explanations.

One particularly striking Reddit post described persistent connectivity issues, unexplained redirects, and devices behaving erratically. Community replies pointed to DNS redirection toward suspicious domains, crypto-mining activity, and even administrative lockouts on virtualized OpenWRT routers exposed through VPS environments.

When Secure DNS Still Fails

Some victims reported issues even when using DNS-over-HTTPS, a technology designed to bypass local DNS manipulation by encrypting queries and sending them directly to trusted providers. The fact that redirects persisted in some cases suggests deeper compromises, such as malware on individual devices, disabled secure DNS features, or advanced interference at the network stack level.

These observations raise concerns that the campaign may not be limited to simple router misconfiguration but could involve broader exploitation chains depending on the environment.

Shadow DNS as a Traffic Distribution Engine

DNS manipulation is only the first stage. Once traffic is redirected, the operation feeds users into an HTTP Traffic Distribution System, or TDS. This system allows attackers to fingerprint devices, verify that traffic truly originates from a compromised router, and decide what content to deliver.

Specific IP addresses act as proxy nodes, serving JavaScript that performs validation checks. One technique involves querying deliberately bogus domains. If the query fails, the script redirects the user to a harmless destination like Google, ensuring that only genuine router-compromised traffic continues down the malicious path.

Monetization Through Adtech and Smartlinks

When validation succeeds, users are sent through chains of so-called “smartlinks,” commonly used in aggressive adtech ecosystems. These links resell traffic to advertisers, scam operators, or malware distributors. What appears to the user as a random ad redirect is, in reality, the end result of a carefully engineered DNS and HTTP manipulation pipeline.

Older scripts linked to the campaign reference strange, outdated functions and even unregistered domains, suggesting that parts of the infrastructure have been recycled and adapted over time. In some cases, snippets of these scripts have appeared in public forums, raising the possibility of accidental leakage or deliberate propagation attempts.

Echoes of Past DNS-Based Attacks

This campaign strongly echoes the infamous DNSChanger operation uncovered in 2011, where malware hijacked DNS settings to inject ads and block access to security updates. The difference today lies in sophistication. Instead of obvious malware alerts and broken websites, modern shadow DNS blends seamlessly into normal traffic patterns.

There are also parallels to nation-state activity, including past cases where DNS manipulation was used to redirect software updates or intercept sensitive communications. While this campaign appears financially motivated, the underlying techniques could easily be repurposed for espionage or sabotage.

Risks Beyond Advertising Fraud

While ad fraud is the most visible outcome, the potential impact goes much further. Controlling DNS allows attackers to block security updates, spoof legitimate services, intercept credentials, or facilitate lateral movement within networks, especially where traffic remains unencrypted.

Security researchers have warned that this activity also pollutes passive DNS databases. By mixing fake responses with legitimate ones, the attackers introduce noise that misleads analysts and complicates threat intelligence efforts. This contamination effect can persist long after individual infections are cleaned up.

Aeza, Sanctions, and the Bulletproof Hosting Problem

The use of infrastructure hosted by Aeza International adds another layer of concern. Aeza has been associated with bulletproof hosting services designed to resist takedown efforts. Its sanctioning by U.S. authorities in mid-2025 highlights the growing recognition of how critical such providers are to sustaining large-scale cybercrime operations.

Despite sanctions, the campaign continues to adapt. As fewer clients send queries without EDNS0 over time, the attackers are actively scanning for vulnerable routers and adjusting their tactics to maintain reach.

Practical Mitigation Steps for Users and Organizations

Defending against shadow DNS attacks begins at the router level. Checking DNS settings and resetting them to ISP defaults can immediately neutralize many infections. Using DNS-over-HTTPS or DNS-over-TLS with reputable providers adds another layer of protection, though it is not foolproof.

Regular firmware updates close many of the vulnerabilities exploited in these attacks. Monitoring for unusually short TTL values, unexpected DNS servers, or known Aeza-associated IP addresses can provide early warning signs. Enterprises should also be cautious when virtualizing routers or exposing management interfaces to the internet.
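As an added example (not code from the article or the researchers it cites), a small Python triage routine that flags the signals described in the TTL and EDNS0 sections above together with the monitoring advice here: a resolver on the published rogue list or outside an allowed set, TTLs of 20 seconds or less, "malformed message" (FORMERR) replies to EDNS0 queries, answers for names that should not exist, and the 255.255.255.255 catch-all. The observation records, their field layout and the ALLOWED_RESOLVERS set are assumptions.

```python
"""Triage DNS observations for the shadow-DNS indicators in the article."""
# Added example, not code from the article or the researchers it cites.
# Records below are constructed; ALLOWED_RESOLVERS is an assumption standing
# in for the ISP's or organisation's sanctioned resolvers. KNOWN_ROGUE = article.
KNOWN_ROGUE = {"104.238.29.136", "138.124.101.153", "193.233.232.229",
               "45.80.228.233", "89.208.103.145"}
ALLOWED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}   # assumption
SHORT_TTL = 20                               # seconds, per the article
CATCH_ALL = "255.255.255.255"                # defensive catch-all answer

def triage(rec):
    """Return the indicator names one DNS observation triggers (in order)."""
    hits = []
    if rec["resolver"] in KNOWN_ROGUE:
        hits.append("known-rogue-resolver")
    elif rec["resolver"] not in ALLOWED_RESOLVERS:
        hits.append("unexpected-resolver")
    if rec["rcode"] == "FORMERR" and rec["edns"]:
        hits.append("edns0-rejected")            # blinds EDNS0-only scanners
    if rec["rcode"] == "NOERROR":
        if rec["ttl"] is not None and rec["ttl"] <= SHORT_TTL:
            hits.append("short-ttl")
        if rec["answer"] == CATCH_ALL:
            hits.append("catch-all-answer")
        if rec["bogus"]:                         # name that must not exist
            hits.append("fake-nxdomain-answer")
    return hits

def triage_all(records):
    """Return (qname, indicators) for every observation that triggers any."""
    return [(r["qname"], triage(r)) for r in records if triage(r)]

def obs(resolver, qname, rcode, ttl, answer, edns, bogus=False):
    return dict(resolver=resolver, qname=qname, rcode=rcode, ttl=ttl,
                answer=answer, edns=edns, bogus=bogus)

SAMPLE = [  # constructed observations (RFC 5737 documentation addresses)
    obs("9.9.9.9", "www.google.com", "NOERROR", 300, "198.51.100.10", True),
    obs("193.233.232.229", "login.shop.example", "NOERROR", 20, "203.0.113.5", False),
    obs("193.233.232.229", "login.shop.example", "FORMERR", None, None, True),
    obs("193.233.232.229", "zq8r1.nxdomain.example", "NOERROR", 20, "203.0.113.9", False, True),
    obs("10.0.0.1", "www.youtube.com", "NOERROR", 20, CATCH_ALL, False),
]

if __name__ == "__main__":
    for qname, hits in triage_all(SAMPLE):
        print(f"{qname}: {', '.join(hits)}")
```

The same checks can be run over a real resolver log or a router's DNS configuration once the records are mapped to the field layout used here.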

What Undercode Says:

A Quiet Supply-Chain Attack on Trust

This campaign represents a subtle but powerful abuse of trust at the infrastructure level. DNS is effectively a supply chain for the internet, and compromising it allows attackers to influence everything built on top of it. Unlike endpoint malware, DNS manipulation undermines the assumptions that both users and security tools rely on to determine what is legitimate.

Financial Crime Today, Strategic Weapon Tomorrow

While the current motivation appears to be profit through advertising fraud and malware delivery, the same architecture could be weaponized for far more serious purposes. Credential harvesting, targeted phishing, or silent surveillance become far easier when DNS resolution itself is under attacker control.

Detection Is Harder Than Prevention

The campaign highlights a growing imbalance in cybersecurity. Attackers invest heavily in evasion, while defenders often rely on assumptions of normal behavior. Preventing router compromise through updates and secure configurations is far easier than detecting a shadow DNS network once it is in place.

The Illusion of “Normal” Traffic

One of the most dangerous aspects of this operation is how normal everything looks on the surface. Popular sites load correctly, speed tests work, and nothing appears obviously broken. This illusion of normalcy allows the attack to persist for years, quietly monetizing traffic and eroding trust.

DNS Security Can No Longer Be Optional

DNS security has long been treated as an afterthought. This campaign demonstrates that it deserves the same attention as endpoint protection and identity management. Without stronger defaults and better visibility, shadow DNS attacks will remain an attractive option for cybercriminals.

Fact Checker Results

✅ DNS manipulation at the router level is a well-documented attack vector.
✅ Bulletproof hosting providers have historically enabled long-running cybercrime campaigns.
❌ No public evidence confirms nation-state involvement in this specific operation.

Prediction

🔮 Shadow DNS campaigns will increasingly target enterprise edge devices, not just home routers.
🔮 DNS security controls will become standard features in consumer routers within the next few years.
🔮 Financially motivated DNS abuse will blur further into tactics traditionally associated with espionage.

References:

Reported By: cyberpress.org