Russia's APT28 Goes "Malwareless" While LinkedIn Quietly Scans Your Browser Extensions
You know that feeling when you think you’ve seen every possible attack vector, and then hackers find a new way to surprise you? Well, this week delivered a few of those moments. Let me walk you through some developments that caught my attention – from Russia’s surprisingly elegant router compromise technique to LinkedIn’s questionable data collection practices.
When Less is More: APT28’s Router-Only Espionage
The most technically interesting story this week comes from Russia’s Forest Blizzard group (also known as APT28). Rather than dropping malware on victim endpoints, they’re compromising SOHO routers and changing the routers’ DNS settings, so that name lookups from every device behind a compromised router can be answered by infrastructure the attackers control, redirecting traffic and harvesting credentials along the way.
Think about the elegance here for a moment. There is no malware on the endpoints to detect, no implant to keep alive, and no beaconing to hide: persistence is a configuration change on a device nobody monitors, and the only attacker infrastructure is a resolver and a relay that look like ordinary DNS and web servers. A compromised router becomes a man-in-the-middle without touching a single client. When users try to reach a legitimate service, the poisoned DNS answer sends them to an attacker-controlled server that logs their credentials and then passes the traffic along to the real destination. One caveat on scope: a properly configured HTTPS service still produces a certificate mismatch at the attacker’s host, so this works best against plaintext protocols, services that tolerate a downgrade, and users who click through warnings.
This approach is brilliant from an operational security perspective. Endpoint detection has nothing to hook: no process, no file, no configuration change on the client itself. The compromise lives in the router, so you only see it if you are watching which resolver your clients are actually using and what answers it gives, or if you have network traffic analysis that notices sessions for a well-known service terminating at an unfamiliar address.
For those of us defending networks, this reinforces why we need to treat SOHO routers as critical infrastructure rather than “set it and forget it” devices. Regular firmware updates, replacing default credentials, disabling administration from the WAN side, and network segmentation all matter more when these devices can be weaponized so effectively, and it is worth periodically checking that the DNS servers a router advertises are still the ones you configured.
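Here is what that periodic check can look like, as an added example that is not part of the original post and not tied to any published detection for this campaign. It compares the resolver the router handed out against an allowlist, and compares A-record answers from that resolver against answers fetched from a trusted reference resolver over DNS-over-HTTPS, which a hijacked router cannot influence. The resolver addresses, watched domains and answer sets are constructed for the demo; the live DoH lookup uses Cloudflare’s public JSON endpoint and is only invoked if you call it yourself.

```javascript
// Added example (not from the original post): a check for DNS hijacking that
// compares answers from the resolver your router handed out with answers from a
// trusted reference resolver reached over DNS-over-HTTPS, and flags domains the
// two disagree on completely. Resolver addresses, domains and answer sets below
// are constructed for the demo, not real lookups.

// Resolvers the router is expected to hand out (hypothetical allowlist).
const EXPECTED_RESOLVERS = new Set(["192.0.2.53", "192.0.2.54"]);

// Domains whose credentials matter most (hypothetical list).
const WATCHED_DOMAINS = ["mail.example.com", "sso.example.com", "www.example.com"];

// Check 1: is the configured resolver one we recognise? A router that now
// points clients at an unfamiliar address is the first sign of this technique.
function checkResolver(configuredResolver) {
  if (EXPECTED_RESOLVERS.has(configuredResolver)) {
    return { ok: true, resolver: configuredResolver };
  }
  return { ok: false, resolver: configuredResolver, reason: "not in allowlist" };
}

// Check 2: compare answer sets. CDN-fronted names legitimately resolve to
// different addresses from different vantage points, so a domain is flagged
// only when the local answers share nothing with the reference answers.
function findSuspectDomains(domains, localAnswers, referenceAnswers) {
  const suspects = [];
  for (const domain of domains) {
    const local = localAnswers[domain] || [];
    const reference = new Set(referenceAnswers[domain] || []);
    const overlap = local.filter((ip) => reference.has(ip));
    if (local.length > 0 && reference.size > 0 && overlap.length === 0) {
      suspects.push({ domain, local, reference: [...reference] });
    }
  }
  return suspects;
}

// Reference lookup over DNS-over-HTTPS using the JSON API that public resolvers
// such as Cloudflare expose. The router cannot tamper with this path, which is
// the point of using it as the reference side. Needs network access, so the
// offline demo below does not call it.
async function dohLookupA(domain, endpoint = "https://cloudflare-dns.com/dns-query") {
  const url = `${endpoint}?name=${encodeURIComponent(domain)}&type=A`;
  const res = await fetch(url, { headers: { accept: "application/dns-json" } });
  const body = await res.json();
  return (body.Answer || []).filter((r) => r.type === 1).map((r) => r.data);
}

// Constructed sample answers: the local resolver sends sso.example.com to an
// address the reference resolver has never returned.
const SAMPLE_REFERENCE = {
  "mail.example.com": ["198.51.100.10", "198.51.100.11"],
  "sso.example.com": ["198.51.100.20"],
  "www.example.com": ["203.0.113.5"],
};
const SAMPLE_LOCAL = {
  "mail.example.com": ["198.51.100.11"], // partial overlap: normal rotation
  "sso.example.com": ["203.0.113.99"],   // no overlap: suspicious
  "www.example.com": ["203.0.113.5"],
};

function runDemo() {
  const resolver = checkResolver("203.0.113.53"); // constructed router-advertised resolver
  const suspects = findSuspectDomains(WATCHED_DOMAINS, SAMPLE_LOCAL, SAMPLE_REFERENCE);
  return { resolver, suspects };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

To run it for real, replace SAMPLE_LOCAL with answers from the resolver your client actually received (the one in the DHCP lease) and SAMPLE_REFERENCE with the results of dohLookupA for each watched domain. The overlap rule keeps CDN rotation from generating noise; a domain whose local answers share nothing with the reference is worth an immediate look at the router.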
LinkedIn’s Browser Extension Surveillance
Meanwhile, on the privacy front, we’ve got LinkedIn checking which browser extensions you have installed on every single click. We’re talking about over 6,000 different extensions being probed for and catalogued, with no mention of this activity in their privacy policy.
This isn’t just about technical capability – it’s about the inferences you can make from extension data. Job hunting extensions reveal career intentions, religious or political extensions expose personal beliefs, and productivity or health-related extensions can indicate everything from ADHD to financial planning habits. LinkedIn is essentially building psychological profiles based on our browser configurations.
What bothers me most about this is the stealth nature. At least when Facebook tracks you across the web, there’s some awareness of their business model. But scanning installed browser extensions feels like digital wiretapping – it’s information users never consciously shared, gathered through a technique most people don’t even know is possible.
From a security perspective, this also highlights how much our browser extensions reveal about us. We should audit our installed extensions more regularly, both for the permissions they hold and for what their mere presence tells any page that can enumerate them.
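The post does not say which technique LinkedIn uses, so the following is an added example of the standard way a web page enumerates Chromium extensions, not LinkedIn’s code. Files an extension lists under web_accessible_resources are served at chrome-extension://<id>/<path>, and a fetch() of that URL succeeds only when the extension is installed, so a page can probe a long list of (id, path) pairs. The extension IDs, names and manifest below are fabricated placeholders; the fake fetch stands in for the browser so the logic runs offline. The second half answers the defender’s question from the paragraph above: given an extension’s manifest, which of its files can a page at a given origin fetch, and therefore use to detect it.

```javascript
// Added example, not LinkedIn's code: the post does not say which technique
// LinkedIn uses, so this shows the standard way any web page can test for
// installed Chromium extensions. Files an extension lists under
// "web_accessible_resources" are served at chrome-extension://<id>/<path>, and
// a fetch() of that URL succeeds only when the extension is installed, so a
// page can probe a long list of (id, path) pairs. Firefox assigns each install
// a random internal UUID, which is why this probe does not carry over there.

// Probe list. The IDs are fabricated placeholders (Chromium IDs are 32 letters
// a-p); a real fingerprinting list would hold thousands of entries.
const PROBES = [
  { name: "hypothetical-jobsearch-helper", id: "abcdefghijklmnopabcdefghijklmnop", path: "icon.png" },
  { name: "hypothetical-prayer-times",     id: "ponmlkjihgfedcbaponmlkjihgfedcba", path: "logo.svg" },
  { name: "hypothetical-focus-timer",      id: "aabbccddeeffgghhaabbccddeeffgghh", path: "content.js" },
];

// One probe: a successful fetch means "installed"; a rejected fetch means
// "absent" (or the browser refused the scheme). fetchFn is injectable so the
// logic can run outside a browser.
async function probeOne(probe, fetchFn) {
  try {
    const res = await fetchFn(`chrome-extension://${probe.id}/${probe.path}`);
    return res.ok;
  } catch (_) {
    return false;
  }
}

// Run every probe concurrently; cheap enough to repeat on every click.
async function detectExtensions(probes, fetchFn = globalThis.fetch) {
  const hits = await Promise.all(probes.map((p) => probeOne(p, fetchFn)));
  return probes.filter((_, i) => hits[i]).map((p) => p.name);
}

// The defender's side of the same question: given an extension's manifest,
// which of its files can a page at `origin` fetch, and therefore use to detect
// it? MV2 exposes every listed resource to every origin; MV3 scopes each entry
// with match patterns, and `use_dynamic_url` makes the URL unguessable.
function patternToRegex(pattern) {
  if (pattern === "<all_urls>") return /^(https?|file|ftp):\/\//;
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`); // simplified: ignores the "*.host also matches host" rule
}

function probeableFrom(manifest, origin) {
  const entries = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return entries.slice();
  const exposed = [];
  for (const entry of entries) {
    if (entry.use_dynamic_url) continue;
    const matches = entry.matches || [];
    if (matches.some((p) => patternToRegex(p).test(`${origin}/`))) exposed.push(...entry.resources);
  }
  return exposed;
}

// Offline stand-in for the browser's fetch(): resolves only for the IDs in
// `installedIds`, rejecting everything else the way a missing extension does.
function makeFakeFetch(installedIds) {
  return async (url) => {
    const m = /^chrome-extension:\/\/([a-p]{32})\/.+$/.exec(url);
    if (!m || !installedIds.has(m[1])) throw new TypeError("Failed to fetch");
    return { ok: true, status: 200 };
  };
}

// Constructed manifest for the demo.
const SAMPLE_MANIFEST_MV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["icon.png"], matches: ["<all_urls>"] },
    { resources: ["inject.js"], matches: ["https://*.example.com/*"] },
    { resources: ["hidden.js"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

async function runDemo() {
  const fakeFetch = makeFakeFetch(new Set([PROBES[0].id]));
  return {
    detected: await detectExtensions(PROBES, fakeFetch),
    exposedToLinkedIn: probeableFrom(SAMPLE_MANIFEST_MV3, "https://www.linkedin.com"),
    exposedToExample: probeableFrom(SAMPLE_MANIFEST_MV3, "https://app.example.com"),
  };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Auditing your own extensions with probeableFrom is the practical takeaway: an MV2 extension, or an MV3 entry matched against <all_urls> without use_dynamic_url, is visible to every site you visit, whatever else it does.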
The Persistence of Nation-State Cyber Operations
The geopolitical angle continues to be concerning. Even with ceasefires in traditional conflicts, Iran-linked hackers are making it clear that cyber operations will continue. They’re explicitly stating they’ll “revive efforts against America when the time is right.”
This confirms what we’ve suspected for years – cyber warfare operates on different timelines and rules than conventional conflict. Digital operations can continue indefinitely without the resource constraints that limit physical military actions. There’s no demilitarized zone in cyberspace, and apparently no such thing as a cyber ceasefire either.
Credit Card Skimmers Hide in Plain Sight
On the e-commerce front, attackers are getting creative with concealment techniques. A campaign targeting nearly 100 Magento stores is hiding credit card skimmers in pixel-sized SVG images. The SVG format allows embedded JavaScript, so they’re essentially hiding functional code inside what appears to be a tiny, invisible image.
This is another example of attackers using legitimate web technologies in unexpected ways. SVG is an XML document format whose specification includes script elements and event-handler attributes, so a browser treats it as a scriptable document, not a plain bitmap. Those scripts only run when the SVG is loaded as a document, though: inlined into the HTML, or pulled in via object, embed, iframe or direct navigation. An SVG referenced from an img tag or a CSS background never executes, which is why the injection point matters as much as the file. Security tools that only look at .js files will miss code carried in what they classify as an image.
For anyone managing e-commerce platforms, this reinforces the importance of monitoring all file uploads and changes to your web content, not just the obvious script files. Content Security Policy matters even more when executable code can hide in image files, with one caveat: a script-src policy without 'unsafe-inline' blocks inline script and on* handlers in SVG inlined into your pages, but an SVG loaded as its own document via object or embed gets its policy from its own response headers, so either forbid that with object-src 'none' or serve user-supplied SVG with a policy of its own.
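The content-monitoring side can be automated. What follows is an added example, not code from the post or from the reported campaign: a scanner that flags SVG text carrying anything a browser could execute, and calls out the specific shape described above, a 1x1 image with executable content. The two SVG documents are constructed for the demo; the onload handler in the suspect one only registers a listener and does nothing with the form data.

```javascript
// Added example, not from the post and not taken from the reported campaign:
// a scanner that flags SVG content a browser could execute, which is what you
// want running over uploads and over any SVG that appears in your templates.
// The two SVG documents are constructed for the demo. Matching is regex-based
// and case-insensitive; a production version would also decode XML entities
// and decompress .svgz before scanning.

// Things that make an SVG a program rather than a picture.
const INDICATORS = [
  { name: "script-element",          re: /<script[\s>]/i,                   severity: "high" },
  { name: "event-handler-attribute", re: /\son[a-z]+\s*=/i,                 severity: "high" },
  { name: "javascript-url",          re: /href\s*=\s*["']?\s*javascript:/i, severity: "high" },
  { name: "foreignObject",           re: /<foreignObject[\s>]/i,            severity: "medium" },
  // Long base64 runs or atob() are how a payload usually hides; on their own
  // they are only a hint, since embedded raster images are base64 too.
  { name: "base64-blob",             re: /atob\s*\(|[A-Za-z0-9+\/]{80,}={0,2}/, severity: "low" },
];

// A 1x1 (or smaller) root element is invisible on the page; combined with
// executable content that is the "pixel-sized skimmer" shape.
function isPixelSized(svg) {
  const w = /\swidth\s*=\s*["']?\s*(\d+)/i.exec(svg);
  const h = /\sheight\s*=\s*["']?\s*(\d+)/i.exec(svg);
  return Boolean(w && h && Number(w[1]) <= 1 && Number(h[1]) <= 1);
}

function scanSvg(svg) {
  const findings = INDICATORS.filter((i) => i.re.test(svg))
    .map(({ name, severity }) => ({ name, severity }));
  const executable = findings.some((f) => f.severity === "high");
  const pixelSized = isPixelSized(svg);
  if (executable && pixelSized) {
    findings.push({ name: "invisible-and-executable", severity: "critical" });
  }
  return { executable, pixelSized, findings };
}

// Constructed samples.
const BENIGN_ICON = `<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24">
  <path d="M12 2 L2 22 H22 Z" fill="none" stroke="currentColor"/>
</svg>`;

// The handler body is a placeholder that only registers a listener; a real
// skimmer would read the form fields and send them away.
const SUSPECT_PIXEL = `<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"
  onload="document.addEventListener('submit', function (e) { /* constructed stand-in */ })">
  <rect width="1" height="1" fill="#fff"/>
</svg>`;

function runDemo() {
  return { benign: scanSvg(BENIGN_ICON), suspect: scanSvg(SUSPECT_PIXEL) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Scan everything, but triage by where the file is used: an SVG that only ever appears in img tags never runs its script, while one injected inline into the checkout page or loaded via object does. A high-severity finding on a file that is referenced inline, or that was modified outside a deployment window, is the case to treat as an incident rather than a cleanup.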
What This Means for Our Daily Work
These stories share a common theme: attackers are increasingly using legitimate technologies and protocols in ways their designers never intended. DNS becomes a credential harvesting tool, browser APIs become surveillance mechanisms, and image formats become malware delivery vehicles.
Our detection strategies need to account for this creativity. We can’t just look for “bad” files or “malicious” network traffic when attackers are using good files and legitimate protocols for bad purposes. Behavioral analysis, anomaly detection, and understanding normal baselines become more important than signature-based detection.