A covert cyberespionage operation by Russian state actor Secret Blizzard has been targeting foreign embassies in Moscow, deploying custom malware from an adversary-in-the-middle (AiTM) position. Microsoft Threat Intelligence recently uncovered this high-stakes campaign, revealing how attackers exploit Russia’s telecommunications infrastructure to spy on diplomatic targets.
The operation centers around a sophisticated malware tool named ApolloShadow, capable of manipulating system certificates and masquerading as trusted applications—like Kaspersky Anti-Virus—to deceive users and maintain stealthy persistence.
Once deployed, ApolloShadow installs trusted root certificates on victim machines, enabling attackers to intercept and decrypt traffic, steal credentials, and maintain a persistent foothold.
“ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites… enabling Secret Blizzard to maintain persistence on diplomatic devices,” the report explains.
The campaign begins with initial access at the Internet Service Provider (ISP) level within Russia. Devices connecting to the internet are rerouted through a captive portal, a web page designed to simulate internet access checks—much like those seen at airports or hotels.
When a target device attempts to connect to the internet, its connectivity check to a Microsoft domain (e.g., www.msftconnecttest.com) is redirected to a malicious actor-controlled domain, which triggers a fake certificate validation prompt.
“The system is redirected to a separate actor-controlled domain that likely displays a certificate validation error which prompts the target to download and execute ApolloShadow.”
If the target is not running with administrator privileges, ApolloShadow displays a User Account Control (UAC) prompt under the name CertificateDB.exe, disguised as a Kaspersky installer.
Once executed, ApolloShadow:
- Checks for administrative privileges
- Collects network and host information
- Base64-encodes it for stealthy exfiltration
- Spoofs DigiCert domains for C2 communications
- Uses obfuscated VBScript payloads for persistence
“Due to the AiTM position of the actor, Secret Blizzard can use DNS manipulation to redirect legitimate-looking communication to the actor-controlled C2 and return an encoded VBScript as the second-stage payload.”
With elevated privileges, ApolloShadow alters host networks by:
- Setting all network profiles to Private, which applies the less restrictive host firewall profile
- Using Component Object Model (COM) objects to enable File and Printer Sharing
- Writing root certificates to %TEMP% and installing them via certutil.exe
- Modifying Firefox settings to accept system-wide certificates using a script called wincert.js
“ApolloShadow uses string obfuscation in several places throughout the binary… decoded as they are used and then re-encoded after use to remove traces from memory.”
To ensure long-term access, the malware creates a new administrative user—UpdatusUser—with a hardcoded, non-expiring password.
“The final step is to create an administrative user with the username UpdatusUser and a hardcoded password… ApolloShadow has successfully installed itself on the infected host and has persistent access.”
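The post-infection changes described above (a locally added root certificate, network profiles switched to Private, File and Printer Sharing enabled, the UpdatusUser account, and a wincert.js dropped into Firefox) are all visible from the host. The following audit script is an added example, not code from Microsoft's report or from the malware; it assumes an elevated PowerShell session on Windows 10/11 with the built-in PKI, NetSecurity, NetConnection and LocalAccounts modules, and the Firefox install paths are assumed defaults.

```powershell
# Added host audit for ApolloShadow-style changes (not from the report).
# Assumes an elevated session; Firefox paths and the AuthRoot comparison are heuristics.
$findings = @()

# 1. Root certificates in the machine Root store that Microsoft did not distribute
#    via AuthRoot were added locally (e.g. with certutil.exe) and deserve review.
$authRoot = (Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint
Get-ChildItem Cert:\LocalMachine\Root |
  Where-Object { $_.Thumbprint -notin $authRoot -and $_.Subject -notlike '*Microsoft*' } |
  ForEach-Object {
    $findings += "Locally added root cert: $($_.Subject) thumbprint=$($_.Thumbprint) issued=$($_.NotBefore)"
  }

# 2. Network profiles set to Private (the less restrictive firewall profile applies).
Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Private' | ForEach-Object {
  $findings += "Private profile on interface '$($_.InterfaceAlias)' ($($_.Name))"
}

# 3. File and Printer Sharing rules enabled in the host firewall.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
       Where-Object Enabled -eq 'True'
if ($fps) { $findings += "File and Printer Sharing: $(@($fps).Count) firewall rule(s) enabled" }

# 4. The UpdatusUser account: enabled, non-expiring password, Administrators membership.
$u = Get-LocalUser -Name 'UpdatusUser' -ErrorAction SilentlyContinue
if ($u) {
  $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
  $isAdmin = [bool]($admins -like '*\UpdatusUser')
  $findings += "Account UpdatusUser exists: enabled=$($u.Enabled) passwordNeverExpires=$($u.PasswordNeverExpires) admin=$isAdmin"
}

# 5. wincert.js placed in a Firefox install directory (assumed default paths).
foreach ($dir in "$env:ProgramFiles\Mozilla Firefox", "${env:ProgramFiles(x86)}\Mozilla Firefox") {
  if (Test-Path $dir) {
    Get-ChildItem -Path $dir -Recurse -Filter 'wincert.js' -ErrorAction SilentlyContinue |
      ForEach-Object { $findings += "Firefox config script: $($_.FullName)" }
  }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No ApolloShadow-style changes found' }
```

A single hit is not proof of compromise (administrators legitimately add roots and enable sharing), but several of these together on a diplomatic workstation warrant a full investigation.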
Secret Blizzard, also known as VENOMOUS BEAR, Snake, or Turla, is attributed by CISA as part of Russia’s Federal Security Service (Center 16). Microsoft believes this operation is enabled by lawful intercept mechanisms such as SORM—Russia’s state surveillance system.
“This is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level.”