

Ethical Hacking News

Russia-Linked APT Group Secret Blizzard Exploits Critical Vulnerabilities to Target Foreign Embassies in Moscow



Russia-linked APT group Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware, exploiting critical vulnerabilities to gain long-term access to sensitive information. Microsoft researchers have confirmed that the threat actor has the capability to deploy custom-built malware at the ISP level, making it nearly impossible for devices to detect or block the malicious code.

  • Microsoft researchers uncovered a sophisticated cyberespionage campaign by Russia-linked APT group Secret Blizzard targeting foreign embassies in Moscow.
  • The threat actor uses an adversary-in-the-middle (AiTM) method at the ISP level to deploy custom malware called ApolloShadow, allowing interception and manipulation of communication between devices.
  • The ApolloShadow malware installs fake Kaspersky Anti-Virus trusted root certificates on infected devices, tricking them into trusting malicious websites and maintaining long-term access to sensitive information.
  • The campaign poses a significant threat to diplomatic missions and organizations relying on local internet services in Russia, with the AiTM method making detection and blocking nearly impossible.
  • Victims were tricked into downloading the ApolloShadow malware through a fake captive portal that mimicked a Windows connectivity check, allowing Secret Blizzard to install root certificates and monitor traffic.
  • Microsoft has published Indicators of Compromise (IoCs) for this campaign, warning foreign embassies in Moscow about the threat and advising them to take immediate action to secure their networks.



    Microsoft researchers have uncovered a sophisticated cyberespionage campaign by the Russia-linked Advanced Persistent Threat (APT) group Secret Blizzard, targeting foreign embassies in Moscow. The threat actor has been using an adversary-in-the-middle (AiTM) method at the Internet Service Provider (ISP) level to deploy custom malware called ApolloShadow.

    The AiTM technique involves compromising the internet service provider's infrastructure to inject malicious code into the network traffic, allowing Secret Blizzard to intercept and manipulate communication between devices. In this case, the threat actor has been using the ISP-level AiTM method to target foreign embassies in Moscow, exploiting critical vulnerabilities in their networks.

    According to Microsoft researchers, the ApolloShadow malware is a custom-built piece of software designed to install fake Kaspersky Anti-Virus trusted root certificates on infected devices. This allows Secret Blizzard to trick devices into trusting malicious websites and maintain long-term access to sensitive information.

    The campaign, which has been active since at least 2024, poses a significant threat to diplomatic missions and organizations relying on local internet services in Russia. Microsoft researchers have confirmed that the threat actor has the capability to deploy ApolloShadow malware at the ISP level, making it nearly impossible for devices to detect or block the malicious code.

    The researchers also discovered that victims of the campaign were tricked into downloading the ApolloShadow malware through a fake captive portal that mimicked a Windows connectivity check. Once installed, the malware prompted users to grant elevated privileges, allowing Secret Blizzard to install root certificates and monitor traffic.

    In addition to the AiTM method, Secret Blizzard has been using custom-built malware to collect host IP data, encode it, and send it via a fake DigiCert domain to its command-and-control server. The attacker responds with an obfuscated VBScript that is executed to push a secondary payload.

    The ApolloShadow malware adapts its execution based on privilege level. If privileges are low, it collects host IP data, encodes it, and sends it via a fake DigiCert domain to its command-and-control server. If elevated privileges are granted, ApolloShadow makes system-level changes: it sets networks to private to weaken firewall protections, enables file sharing, installs rogue root certificates (masquerading as a Kaspersky installer), and adds a hidden admin user with a hardcoded, non-expiring password.
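    A defender-side triage script, added here as an illustration and not taken from the article or from Microsoft's published IoCs, that checks a Windows host for the four elevated-privilege changes described above (rogue root certificate, hidden non-expiring admin account, Private network profile, file sharing enabled). The look-back window, the list of expected administrator accounts and the cmdlet-based checks are assumptions about a typical Windows 10/11 host; compare against your own baseline.

```powershell
# Added hunting script (not from the article, Microsoft or any vendor): read-only
# checks for the host changes the article attributes to ApolloShadow when it runs
# elevated. $LookbackDays and $KnownAdmins are assumptions; replace with your own
# baseline. Run from an elevated PowerShell prompt.

$LookbackDays = 90                          # assumption: "recently added" window
$KnownAdmins  = @('Administrator')          # assumption: admin accounts you expect
$Findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Rogue trusted roots: the article says ApolloShadow installs root certificates
#    posing as Kaspersky Anti-Virus. Flag any root naming Kaspersky or any root
#    whose validity began inside the look-back window. A thumbprint baseline taken
#    from a known-good image is the stronger check if you have one.
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
    if ($cert.Subject -match 'Kaspersky' -or
        $cert.NotBefore -gt (Get-Date).AddDays(-$LookbackDays)) {
        Add-Finding 'RootCertificate' "$($cert.Subject) [$($cert.Thumbprint)] valid from $($cert.NotBefore)"
    }
}

# 2. Admin account with a non-expiring password: enabled, in Administrators,
#    PasswordExpires unset, and not on the expected list.
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -replace '^.*\\', ''
foreach ($user in Get-LocalUser) {
    if ($user.Enabled -and -not $user.PasswordExpires -and
        $admins -contains $user.Name -and $KnownAdmins -notcontains $user.Name) {
        Add-Finding 'LocalAdmin' "$($user.Name) password never expires, last set $($user.PasswordLastSet)"
    }
}
# Accounts hidden from the sign-in screen are commonly listed under this key.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $hideKey) {
    foreach ($name in (Get-Item $hideKey).Property) { Add-Finding 'HiddenAccount' "$name hidden from sign-in screen" }
}

# 3. Network profile switched to Private, which relaxes the host firewall.
foreach ($p in Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Private') {
    Add-Finding 'NetworkProfile' "$($p.InterfaceAlias) ($($p.Name)) is Private"
}

# 4. Inbound File and Printer Sharing rules enabled, i.e. file sharing turned on.
$share = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
if ($share) { Add-Finding 'FileSharing' "$(@($share).Count) inbound File and Printer Sharing rules enabled" }

if ($Findings.Count -eq 0) { Write-Output 'No ApolloShadow-style host changes found.' }
else { $Findings | Format-Table -AutoSize }
```

    Any hit is a lead for manual review, not a verdict: legitimate software also installs roots and admin workstations are often on Private profiles, so reconcile findings against the host's known build before escalating.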

    Microsoft has published Indicators of Compromise (IoCs) for this campaign, which can be used by security professionals to detect and block malicious activity. The company has also issued warnings to foreign embassies in Moscow about the threat, advising them to take immediate action to secure their networks.

    The discovery of this Secret Blizzard campaign highlights the growing threat of state-sponsored cyber espionage in recent years. Russia has been increasingly using its military capabilities to conduct cyberattacks against adversaries, including the United States, Europe, and other countries. The use of custom-built malware and AiTM methods by Secret Blizzard demonstrates the sophistication and creativity of Russian cyber operatives.

    The incident also underscores the importance of network security and the need for organizations to take proactive measures to protect themselves against sophisticated threats. Foreign embassies in Moscow should prioritize securing their networks, updating software and firmware, and implementing robust security controls to prevent similar attacks.

    In conclusion, the Secret Blizzard APT group poses a significant threat to foreign embassies in Moscow through its use of custom-built malware and AiTM methods. The incident highlights the growing threat of state-sponsored cyber espionage and underscores the importance of network security for organizations worldwide.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russia-Linked-APT-Group-Secret-Blizzard-Exploits-Critical-Vulnerabilities-to-Target-Foreign-Embassies-in-Moscow-ehn.shtml

  • https://securityaffairs.com/180638/apt/russia-linked-apt-secret-blizzard-targets-foreign-embassies-in-moscow-with-apolloshadow-malware.html


  • Published: Thu Jul 31 16:40:58 2025 by llama3.2 3B Q4_K_M












