Shadow Aeza International Directed Traffic to Malicious Adtech

A financially motivated threat actor hacked dozens of domain name system resolvers, connecting them to the infrastructure of a Russian bulletproof hosting service sanctioned by the U.S. Department of Treasury for its criminal links, researchers found.
Network security firm Infoblox said in a Tuesday blog post it observed compromised routers whose settings had been changed to forward DNS queries to shadow resolvers hosted by Aeza International. Treasury cut off Aeza and its top executives from the dollar resolving system in July after tying it to several cybercriminal groups (see: US Sanctions Aeza Group for Hosting Infostealers, Ransomware).
Shadow Aeza systems typically resolved extremely popular domains such as Google or Facebook to the correct IP address. Selected DNS queries, at unpredictable intervals, instead received malicious content such as malware or scams. Infoblox attributed the operation – it appears to have been running since mid-2022 – to an unnamed “financially motivated actor in the affiliate marketing space.”
“We cannot emphasize this enough: the DNS resolver is in a position of power,” wrote Infoblox.
Hackers targeted older routers, although one Reddit user in 2025 complained that the hackers compromised a virtual router whose interface was accidentally exposed to the internet. The hackers locked the user out of the root account and loaded a crypto miner.
The threat actor paired DNS hijacking with a traffic distribution system used to fingerprint users and funnel them to two different adtech platforms.
One reason this activity may have gone undetected for so long is that the shadow resolvers respond only to DNS queries with a specific format. Specifically, Infoblox found, the hackers disabled Extension Mechanisms for DNS (EDNS0), a widespread method for increasing the size of DNS queries beyond the original protocol specification. “Because most DNS resolvers enable EDNS0, queries to the Aeza hosts will usually result in a malformed response,” the company found.
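The EDNS0 behaviour described above gives defenders a simple check for a resolver a router has been pointed at. The following is an added example, not Infoblox's code: it builds an A query with and without an EDNS0 OPT pseudo-RR, parses the wire-format reply for its RCODE and for the presence of an OPT record, and offers a UDP probe that sends both forms to a resolver address you supply (the resolver IP, the query name and the timeout are assumptions; the sample replies in the test are constructed).

```python
import socket
import struct
# Added example, not Infoblox's code. A resolver that answers plain queries but
# returns FORMERR (RCODE 1) or omits the OPT record for EDNS0 queries deviates
# from normal resolver behaviour (RFC 6891) and deserves a closer look.
OPT_TYPE = 41

def build_query(name, txid=0x1234, edns=True):
    """Wire-format A/IN query for `name`, with an OPT RR in ADDITIONAL if edns."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00\x00\x01\x00\x01"
    if not edns:
        return header + question
    # OPT: root owner name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    return header + question + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2  # compression pointer ends the name
        off += buf[off] + 1
    return off + 1

def classify_response(resp):
    """Return (rcode, has_opt); rcode is None if the reply is truncated."""
    if len(resp) < 12:
        return None, False
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    rcode, off, has_opt = flags & 0x0F, 12, False
    try:
        for _ in range(qd):
            off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(resp, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            has_opt |= rtype == OPT_TYPE
            off += 10 + rdlen
    except (IndexError, struct.error):
        return rcode, False  # body does not parse: treat as malformed
    return rcode, has_opt
def probe_resolver(resolver_ip, name="example.com", timeout=2.0):
    """Send both query forms over UDP; returns {edns: (rcode, has_opt)}."""
    results = {}
    for edns in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns=edns), (resolver_ip, 53))
            results[edns] = classify_response(s.recv(4096))
    return results
```

Compare the probe's output with the resolver your router is supposed to use; a healthy recursive resolver returns RCODE 0 and an OPT record for the EDNS0 form.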
The activity is “a reminder that the integrity of DNS resolution is critical to securing enterprises and homes alike. Without it, organizations have no control of where their devices are connecting,” said Renée Burton, vice president of threat intel at Infoblox, in an email.
Routers – especially small office or home office routers – are a perennial hacking target given that the vast majority of their owners tend not to install updates. In a 2025 poll of more than 3,000 patrons of a British broadband comparison site, 84% of users said that they never updated their router firmware.
Manufacturers have become better at setting up routers to automatically receive firmware updates – but end-of-life routers aren’t supported, despite apparently continuing to work normally. The FBI in May 2025 admonished SOHO router owners to upgrade any unsupported device, or to at least disable remote management.
