Russian state-sponsored threat actor APT28 is exploiting vulnerable SOHO routers to modify DHCP and DNS settings, redirecting user traffic to malicious infrastructure. This DNS hijacking facilitates Adversary-in-the-Middle (AitM) attacks designed to harvest credentials and OAuth tokens for web and email services.