APT28 exploit routers to enable DNS hijacking operations — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: Critical
APT28 Exploit Routers to Enable DNS Hijacking Operations in India 2026: Beware of This Critical Phishing Scam
A new, high-risk cyber threat involving DNS hijacking via router exploits—allegedly linked to the APT28 group—is affecting Indian internet users in 2026, raising critical security concerns.
What Is the APT28 Exploit Routers to Enable DNS Hijacking Operations?
This scam involves attackers exploiting weaknesses in home and office routers to tamper with the Domain Name System (DNS) settings. Because the router hands out DNS settings to every phone, laptop and smart device on the network, a single change redirects all of them to fake versions of legitimate websites without their users noticing. The goal is phishing: stealing UPI PINs, Aadhaar details, net banking credentials and other private data.
While the original APT28 group, known internationally for cyber espionage, is associated with state-sponsored operations rather than consumer fraud, recent reports to Indian police and CERT-In suggest that scammers copying this modus operandi are increasingly targeting Indian internet users. The objective is to compromise routers and carry out DNS hijacking at scale, posing a critical phishing threat.
In India, awareness of this attack is rising following advisories from CERT-In and I4C (Indian Cyber Crime Coordination Centre). These agencies note that routers with outdated firmware, weak passwords, or misconfigurations are prime targets. With millions of Indians relying on home broadband and Wi-Fi, the scam's reach is extensive, especially in semi-urban and urban areas where online banking and UPI payments are common.
How This Scam Works — Step by Step
Initial Contact or Infection: The fraud begins when a user opens a phishing SMS or WhatsApp message that appears to come from a trusted source such as a bank or payment app. The message carries a malicious link or an app download claiming to fix router or internet issues.
Router Exploitation: When the victim’s browser loads the malicious page, that page can silently send requests to the router’s LAN-side admin interface (commonly 192.168.0.1 or 192.168.1.1) using default or guessed credentials, so the victim never has to log in to the router themselves. Routers running outdated firmware, or whose admin interface is reachable from the internet, can also be taken over directly without any action by the victim.
DNS Hijacking Activated: The attacker replaces the DNS servers configured on the router with servers they control, so every device on the network now resolves domain names through the attacker. When the victim types their bank’s real address, the name resolves to a server hosting an authentic-looking fraudulent page. The address bar still shows the genuine domain; on an HTTPS site the visible tell is a browser certificate warning, which the fake page may try to sidestep by serving plain HTTP or by telling the victim to click through the warning.
Phishing Data Collection: On the fake webpage, the victim is prompted to enter sensitive data: UPI PIN, Aadhaar number, OTP, or net banking passwords. The victim believes they are interacting with the real service.
Data Misuse and Money Drain: With this stolen information, fraudsters carry out unauthorized UPI transactions and bank frauds. Victims might also receive fake transaction alerts, which add confusion and delay detection.
Covering Tracks: Attackers may reset router settings or disrupt internet to prevent victim access, keeping hijacking active for longer or preventing victims from noticing early.
Real Warning Signs to Watch For
- Unexpected slow or unstable internet despite no obvious reason.
- Browser certificate warnings or a missing padlock on a bank or UPI site you normally use. With DNS hijacking the address bar shows the correct domain (e.g., “sbi.co.in”), so the warning is the main tell; a lookalike domain in the address bar (e.g., “sbibank.in” instead of “sbi.co.in”) points to a conventional phishing link instead.
- Login pages prompting unusual details like Aadhaar numbers or full KYC info unexpectedly.
- Receiving unsolicited SMS/WhatsApp messages with links to “router check” or “internet fix” tools.
- Repeated OTP requests during simple transactions or login attempts.
- Login failures on official banking or payment apps without apparent reason.
- Router admin page inaccessible or login credentials changed without user action.
What Happens to Victims
Victims often suffer significant financial loss, typically via unauthorized UPI transfers or drained bank accounts. Reversal is complicated: under RBI’s limited-liability rules for unauthorised electronic banking transactions, the customer’s liability depends on how quickly the bank is notified (zero liability when a third-party breach is reported within three working days, capped amounts up to seven working days, and the bank’s own policy after that), so prompt reporting matters. Victims rarely realize their routers are compromised, which delays reporting.
Beyond money loss, victims face emotional stress from identity misuse, disrupted connectivity, and the complexity of online fraud complaints. The misuse of Aadhaar in phishing pages escalates privacy invasion risks, potentially leading to broader identity theft beyond immediate financial fraud.
SIM swap fraud can accompany this attack: with Aadhaar and other identity details harvested from the phishing page, fraudsters may social-engineer a replacement SIM for the victim’s number and intercept OTPs, making UPI fraud even easier.
What RBI and CERT-In Say
The Reserve Bank of India (RBI) and CERT-In have both flagged router exploitation and DNS hijacking as high-risk cyber threats. RBI’s cybersecurity framework emphasizes regular updates and strong passwords on routers to minimize such risk.
CERT-In’s advisories warn users against clicking on suspicious links and recommend regularly checking router DNS settings. The Indian Cyber Crime Coordination Centre (I4C) encourages victims to approach cybercrime police and use the 1930 helpline for immediate assistance.
For cybercrime complaints, Indian users can file reports on the official portal cybercrime.gov.in and also reach out to RBI’s customer grievance helpline if financial services are affected.
How to Protect Yourself
- Change default router passwords immediately to a strong, unique one.
- Regularly update your router firmware as recommended by the manufacturer.
- Avoid clicking on suspicious links or downloading unverified apps from SMS or WhatsApp.
- Check your router’s DNS settings periodically in the admin console: the DNS servers on the WAN/Internet page should be your ISP’s or a resolver you chose deliberately, and any entry you do not recognise should be treated as a hijack. Disable remote (WAN-side) administration unless you need it.
- Use UPI payment apps and banking portals from official app stores only.
- Enable two-factor authentication (2FA) using authenticator apps rather than SMS OTP where possible.
- Disconnect your router and change passwords immediately if you notice unusual internet behavior.
What to Do If You've Been Targeted
- Immediately disconnect your router from the internet.
- Reset the router to factory settings, update its firmware, set new admin and Wi-Fi passwords, and confirm the DNS settings are correct again.
- Check your financial accounts for unauthorized transactions and report them to your bank and the RBI grievance cell.
- File a cybercrime complaint at cybercrime.gov.in and call the 1930 cybercrime helpline.
- Inform your mobile telecom operator if SIM swap or mobile compromise is suspected.
- Change passwords for all critical accounts and monitor closely for suspicious activity.
Frequently Asked Questions
Q: Can my home Wi-Fi router really be hacked without my knowledge?
Yes, routers with default passwords or outdated firmware are common targets. Attackers exploit these vulnerabilities remotely to hijack DNS settings without the user realizing it.
Q: How can I confirm if my router is compromised by DNS hijacking?
Look for certificate warnings or a missing padlock on sites you normally use, unexpected redirects, changes to router settings you did not make, or frequent internet disruptions. Also compare the DNS servers shown in the router’s admin panel with your ISP’s, and compare what a familiar site resolves to from your network with the answer from a trusted public resolver.
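The two checks above (unknown resolver addresses, and answers that diverge from a trusted resolver) can be automated. The script below is an added example and is not code from BharatSecure or from any advisory; the trusted-resolver list, the resolv.conf text and the DNS answers are constructed assumptions (TEST-NET addresses, not real bank IPs), and the resolver allow-list should be replaced with your ISP’s resolvers.

```python
"""Added example (not code from the BharatSecure page): two checks for the
DNS-hijacking pattern described above. The resolver allow-list and all
sample data are constructed assumptions; replace them with your own."""
import ipaddress

# ASSUMPTION: resolvers you expect to see. Put your ISP's resolver(s) here.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# RFC 1918 ranges: a resolver in one of these is normally the router itself.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_lan(addr):
    """True for loopback or RFC 1918 addresses (the router as a forwarder)."""
    return addr.is_loopback or any(addr in net for net in RFC1918)


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(resolver_ips, trusted=TRUSTED_RESOLVERS):
    """Classify each configured DNS server address.

    Returns a list of (ip, verdict). A LAN address is the router acting as
    a forwarder, which means the real upstream resolver must be read from
    the router's WAN/Internet settings page rather than from the client.
    """
    findings = []
    for ip in resolver_ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, "unparseable"))
            continue
        if _is_lan(addr):
            findings.append((ip, "local forwarder: inspect router WAN DNS"))
        elif ip in trusted:
            findings.append((ip, "trusted"))
        else:
            findings.append((ip, "UNKNOWN resolver: possible hijack"))
    return findings


def compare_answers(configured, reference):
    """Compare A records obtained through the configured resolver with those
    from a trusted resolver; a host whose answer sets share no address is
    flagged. CDN-hosted sites can legitimately differ by location, so a flag
    is a prompt to inspect the site's certificate, not proof of hijacking."""
    flagged = []
    for host, ips in configured.items():
        ref = reference.get(host, set())
        if ips and ref and not (ips & ref):
            flagged.append(host)
    return sorted(flagged)


# Constructed sample: a resolv.conf as a hijacked client might see it.
SAMPLE_RESOLV_CONF = """# Generated by DHCP
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed sample answers (TEST-NET addresses, not real bank IPs).
CONFIGURED_ANSWERS = {
    "sbi.co.in": {"203.0.113.10"},
    "example.com": {"198.51.100.5"},
}
REFERENCE_ANSWERS = {
    "sbi.co.in": {"198.51.100.20", "198.51.100.21"},
    "example.com": {"198.51.100.5"},
}


def run_checks():
    """Run both checks over the constructed samples."""
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return (check_resolvers(resolvers),
            compare_answers(CONFIGURED_ANSWERS, REFERENCE_ANSWERS))


if __name__ == "__main__":
    resolver_findings, divergent_hosts = run_checks()
    for ip, verdict in resolver_findings:
        print(f"{ip:16} {verdict}")
    print("hosts with divergent answers:", divergent_hosts)
```

On a real machine, feed `parse_resolv_conf` the contents of /etc/resolv.conf (or the DNS servers your OS reports), and populate the answer dictionaries by resolving a few familiar sites once through the network’s resolver and once through a public resolver you trust. A LAN-address verdict is not a clean bill of health: it only tells you the router is forwarding, and the upstream servers on the router’s own admin page are what must be compared with your ISP’s.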
Q: Will reversing a UPI transaction lost due to DNS hijacking be easy?
While RBI has frameworks to dispute fraudulent UPI transactions, reversals depend on timing and bank policies. Early reporting to banks and cyber authorities improves chances of recovery.
For any suspicious message claiming to fix internet issues or involving bank details, always verify with BharatSecure.app. If you suspect fraud, report it immediately to the 1930 cybercrime helpline for prompt action.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.