D-Link and Linksys routers hacked to point users to coronavirus-themed malware

Hackers hijack routers' DNS settings to point users to malware-infected downloads.
Written by Catalin Cimpanu, Contributor
Router DNS hijack pointing to COVID-themed malware site
Image via Bitdefender

For almost a week, a group of hackers has been breaking into people's routers and changing DNS settings in order to point unsuspecting device users to coronavirus-related sites pushing malware.

The attacks have currently targeted D-Link and Linksys routers, according to reports from cyber-security firm Bitdefender and tech support forum and news site Bleeping Computer.

According to Bitdefender, hackers are using brute-force attacks to guess the admin password of targeted routers. Once they guess a password and get in, hackers change the router's default DNS server settings, pointing the device to their own servers.

This means that every DNS query made by users connected to a hijacked router goes through the hackers' DNS servers, giving the attackers full control over what sites a user accesses.

Per reports, when users attempt to access a list of particular domains, hackers have been redirecting users to a custom site urging users to install a coronavirus (COVID-19) information app.

Both Bitdefender and Bleeping Computer said this app installs a version of the Oski trojan. Oski is a recent infostealer trojan sold on Russian-speaking dark web forums. The trojan's primary function is to steal account credentials from browsers and cryptowallet files to hijack cryptocurrency accounts.

Per Bitdefender, users have reported being redirected to the malicious coronavirus-themed site when they tried to access one of the following domains:


The malicious DNS servers used by hackers are and If ZDNet readers use a D-Link or Linksys router they should connect to the device's admin panel and check if these two IP addresses appear in the DNS settings section.

If they do, users should remove the DNS server IP addresses and change the router's admin panel password.

This campaign first began on March 18 and is currently ongoing. D-Link and Linksys owners should be on the lookout for any unprompted requests to download and install coronavirus-related apps -- a common malware lure these days, for both common cybercriminals and state-sponsored groups alike.

The Mac malware most likely to attack your PC this year

Editorial standards