APT28 (Forest Blizzard), a Russian state-sponsored threat group, is actively compromising SOHO routers to redirect authentication traffic through attacker-controlled infrastructure, intercepting credentials without placing any malware on target networks. Any organization relying on SOHO routers, including remote worker environments, is exposed if those devices run default or weak management credentials or unpatched firmware. The business risk is credential theft at scale: valid user credentials harvested through this technique enable follow-on intrusion into corporate systems, cloud services, and VPNs without triggering endpoint-based alerts.