Shadow Aeza International Redirects Traffic to Malicious Adtech

In a concerning cybersecurity development, a financially motivated threat actor has compromised numerous domain name system (DNS) resolvers, linking them to the infrastructure of Aeza International—a Russian bulletproof hosting service sanctioned by the U.S. Department of Treasury due to its associations with criminal activities. Researchers have highlighted the implications of these actions for businesses relying on secure internet traffic.
Network security firm Infoblox disclosed in a recent blog post that malicious actors modified the settings of compromised routers to route DNS queries through shadow resolvers operated by Aeza International. The U.S. Treasury cut off the service and its key executives from the dollar resolution system in July 2025 after linking them to various cybercriminal organizations, marking a significant blow against illicit online activities.
These shadow systems would typically provide legitimate DNS resolutions for popular sites such as Google or Facebook. However, at unpredictable intervals, certain DNS queries would redirect users to malicious sites, exposing them to malware and scams. Infoblox noted that this operation appeared to have begun in mid-2022 and was executed by an unnamed actor focused on financial gain through affiliate marketing.
Infoblox emphasized the pivotal role DNS resolvers play, stating, “The DNS resolver is in a position of power.” By targeting older routers, attackers exploited a gap in security awareness, with one Reddit user reporting an incident in 2025 where hackers took control of a virtual router with an exposed interface, subsequently deploying a cryptocurrency miner.
This attack exemplifies a sophisticated approach, where DNS hijacking was coupled with a traffic distribution system designed to profile users and steer them toward distinct ad tech platforms. Notably, the shadow resolvers responded only to DNS queries of a specific nature, a tactic that may have contributed to the prolonged undetected presence of the threat. Infoblox reported that the adversaries disabled Extension Mechanisms for DNS (EDNS0), the standard extension that allows larger DNS messages, producing malformed responses that facilitated their attack.
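The two behaviours described above, mostly correct answers with occasional redirects and responses that ignore EDNS0, can be checked for from a router's DNS traffic. The following is an added example (not Infoblox's tooling or code from the original article) that scores captured resolver responses against a reference answer set; the resolver addresses, names and IP answers are constructed sample values.

```python
# Added example (not Infoblox's code): flag resolvers that mostly answer
# correctly but occasionally redirect, and resolvers that strip EDNS0.
# Observations are constructed sample data; no network access is needed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsObservation:
    resolver: str        # resolver the router forwards queries to
    qname: str           # name queried
    answers: frozenset   # A records returned
    edns_ok: bool        # response carried an OPT record (EDNS0 honoured)

# Expected answers, e.g. collected from a trusted resolver (constructed values).
# Real sites often return several CDN addresses, so keep this set complete.
REFERENCE = {
    "www.example.com": frozenset({"93.184.216.34"}),
    "login.example.org": frozenset({"198.51.100.10", "198.51.100.11"}),
}

def analyze(observations):
    """Per-resolver verdict: clean, consistent-mismatch or intermittent-redirect."""
    stats = defaultdict(lambda: {"total": 0, "divergent": 0, "no_edns": 0})
    for obs in observations:
        s = stats[obs.resolver]
        s["total"] += 1
        if not obs.edns_ok:
            s["no_edns"] += 1
        expected = REFERENCE.get(obs.qname)
        if expected is not None and not obs.answers <= expected:
            s["divergent"] += 1
    report = {}
    for resolver, s in stats.items():
        if s["divergent"] == 0:
            verdict = "clean"
        elif s["divergent"] == s["total"]:
            verdict = "consistent-mismatch"    # likely misconfig or stale reference
        else:
            verdict = "intermittent-redirect"  # the shadow-resolver pattern
        report[resolver] = {"verdict": verdict, "divergent": s["divergent"],
                            "total": s["total"],
                            "edns_stripped": s["no_edns"] == s["total"]}
    return report

# Constructed sample: 192.0.2.53 behaves; 203.0.113.7 answers correctly 9 of 10
# times, redirects once and never honours EDNS0.
SAMPLE = (
    [DnsObservation("192.0.2.53", "www.example.com", frozenset({"93.184.216.34"}), True)] * 5
    + [DnsObservation("203.0.113.7", "login.example.org", frozenset({"198.51.100.10"}), False)] * 9
    + [DnsObservation("203.0.113.7", "login.example.org", frozenset({"198.51.100.99"}), False)]
)

if __name__ == "__main__":
    for resolver, finding in analyze(SAMPLE).items():
        print(resolver, finding)
```

A single divergent answer among many correct ones is the signal worth escalating; a resolver that is wrong every time more often points to a stale reference set or a plain misconfiguration.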
This incident serves as a sobering reminder of the importance of DNS integrity, crucial for securing both businesses and home networks. Renée Burton, Vice President of Threat Intelligence at Infoblox, underscored that without reliable DNS resolution, organizations risk losing control over where their devices are directed.
Small office and home office routers remain attractive targets for hackers, evident in a 2025 survey where 84% of over 3,000 respondents indicated they never updated their router firmware. Although manufacturers have improved automatic firmware updates, devices that have reached their end of life are not supported, leaving them vulnerable.
In May 2025, the FBI offered cautionary advice to owners of small office and home office routers to either upgrade unsupported devices or disable remote management, highlighting the ongoing need for heightened security measures in network management. The encroaching risks emphasize the necessity for business owners to remain vigilant and proactive in addressing potential cybersecurity vulnerabilities.