Compromised Routers, DNS, and a TDS Hidden in Aeza Networks

Published 04/02/2026 15:26 · Modified 04/02/2026 21:20

Essential information

Published
04/02/2026 15:26
Modified
04/02/2026 21:20
Tags
2026-02-04, adtech, aeza networks, affiliate marketing, compromised routers, dns hijacking, dnschanger, shadow dns, traffic distribution system
Related entities
10 observables, 9 techniques (mitre), 1 malware, 2 others

Description

A network- and HTTP-based traffic distribution system (TDS) hosted in Aeza International, a sanctioned bulletproof hosting company, has been discovered. The operation compromises routers and alters their DNS settings to point at shadow resolvers. These resolvers selectively modify responses, directing users to malicious content. The TDS incorporates a clever DNS trick to evade detection by security groups. The system, operational since mid-2022, appears to be run by a financially motivated actor in . Because the actor controls DNS resolution, the operation has the potential to interfere with devices on the network, alter DNS records, and conduct adversary-in-the-middle operations; the risks therefore extend well beyond delivering unwanted advertising.

External references