APT28 (Forest Blizzard) is actively compromising SOHO routers via weak or default management credentials and unpatched firmware to perform DNS hijacking and adversary-in-the-middle credential interception — no endpoint malware is deployed, making this invisible to traditional EDR and AV tooling. Specific affected router vendors and firmware versions are not identified in available source material; the exposure applies broadly to any SOHO router with internet-accessible management interfaces or default credentials, including remote worker environments. Immediate actions include auditing DNS resolver settings on all SOHO routers against known-good baselines, changing default management credentials, disabling remote management where not required, applying available firmware updates, and enforcing MFA on all externally accessible services to limit the impact of any harvested credentials.
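The resolver audit recommended above can be scripted once each router's configured DNS servers have been collected. The following is an added example, not code from the original advisory: the baseline addresses, router names and observed settings are constructed (documentation-range IPs), and how the settings are read from each device is assumed to happen elsewhere.

```python
import ipaddress

# Assumed known-good baseline: resolvers the organisation has approved.
# Documentation-range addresses (RFC 5737 / RFC 3849), constructed for this example.
BASELINE = ["192.0.2.53", "192.0.2.54", "2001:db8:53::/64"]

# Constructed inventory: resolver settings as read from each router's WAN/DHCP config.
OBSERVED = {
    "branch-office-rtr": ["192.0.2.53", "192.0.2.54"],
    "remote-worker-017": ["192.0.2.53", "203.0.113.66"],
    "remote-worker-022": ["2001:DB8:53:0::1"],
    "remote-worker-031": [],
    "remote-worker-040": ["192.0.2.053x"],
}

def load_baseline(entries):
    """Parse baseline entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def audit_router(resolvers, baseline):
    """Return a list of findings for one router; an empty list means it matches."""
    if not resolvers:
        return ["no resolver configured (inherits upstream, cannot be verified)"]
    findings = []
    for raw in resolvers:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            findings.append(f"unparseable resolver entry: {raw!r}")
            continue
        if not any(addr.version == net.version and addr in net for net in baseline):
            findings.append(f"resolver not in baseline: {addr}")
    return findings

def audit_fleet(observed, baseline_entries):
    """Map router name -> findings, keeping only routers that deviate."""
    baseline = load_baseline(baseline_entries)
    report = {}
    for name, resolvers in sorted(observed.items()):
        findings = audit_router(resolvers, baseline)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for router, findings in audit_fleet(OBSERVED, BASELINE).items():
        for f in findings:
            print(f"{router}: {f}")
```

Because this activity leaves no endpoint artifact, a deviation reported here is a lead to verify on the router itself; empty and unparseable entries are flagged rather than skipped so they are not mistaken for a match.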

Author

Tech Jacks Solutions