Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

Russia-linked Secret Blizzard targets foreign embassies in Moscow via ISP-level AitM attacks, deploying custom ApolloShadow malware.

Microsoft researchers uncovered a cyberespionage campaign by the Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) targeting foreign embassies in Moscow. The threat actor uses an adversary-in-the-middle (AiTM) method at the ISP level to deploy custom malware called ApolloShadow. This malware can install a fake Kaspersky Anti-Virus trusted root certificate, tricking devices into trusting malicious websites and allowing long-term access for cyber espionage operations. The campaign, active since at least 2024, poses a serious threat to diplomatic missions and sensitive organizations relying on local internet services.

“this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level,” reads the report published by Microsoft. “This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services.”

Microsoft uncovered the Secret Blizzard cyberespionage campaign in February 2025. Victims were tricked into downloading the ApolloShadow malware through a fake captive portal that mimicked a Windows connectivity check. Once installed, the malware prompted users to grant elevated privileges, allowing it to install root certificates, monitor traffic, and harvest credentials. This method allowed Secret Blizzard to spy on diplomatic targets by stripping secure connections and maintaining long-term access.

“Once the system opens the browser window to this address [hxxp://www.msftconnecttest[.]com/redirect], the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error which prompts the target to download and execute ApolloShadow.” continues the report. “Following execution, ApolloShadow checks for the privilege level of the ProcessToken and if the device is not running on default administrative settings, then the malware displays the user access control (UAC) pop-up window to prompt the user to install certificates with the file name CertificateDB.exe, which masquerades as a Kaspersky installer to install root certificates and allow the actor to gain elevated privileges in the system.”


The ApolloShadow malware adapts its execution based on privilege level. If privileges are low, it collects host IP data, encodes it, and sends it via a fake Digicert domain to its command-and-control server. The attacker responds with an obfuscated VBScript that is executed to push a secondary payload. If elevated privileges are granted, ApolloShadow makes system-level changes: it sets networks to private to weaken firewall protections, enables file sharing, installs rogue root certificates (masquerading as a Kaspersky installer), and adds a hidden admin user with a hardcoded, non-expiring password to maintain long-term control over the device.
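The elevated-privilege changes described above leave host artifacts a defender can hunt for. The following script is an added example written for this article, not code from Microsoft's report or its IoC list; the vendor-name pattern, the 30-day "recent root" window and the local-group lookup are assumptions, and it only reports, never remediates.

```powershell
# Added hunting script (not from Microsoft's report). Surfaces the persistence artifacts
# attributed to ApolloShadow: a rogue root certificate, a non-expiring local admin,
# network profiles flipped to Private, and file-sharing firewall rules enabled.
param(
    [int]$LookbackDays = 30,                      # assumption: what counts as a "new" root
    [string]$SuspectSubjectPattern = 'Kaspersky'  # assumption: impersonated vendor name
)

$findings = @()
$cutoff   = (Get-Date).AddDays(-$LookbackDays)

# 1. Root store: self-signed entries naming the impersonated vendor, or any self-signed
#    root whose validity started only recently (an AiTM root is freshly minted).
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    if (($cert.Subject -match $SuspectSubjectPattern) -or ($selfSigned -and $cert.NotBefore -gt $cutoff)) {
        $findings += [pscustomobject]@{ Check = 'RootCertificate'
            Detail = "$($cert.Subject) thumbprint=$($cert.Thumbprint) notBefore=$($cert.NotBefore)" }
    }
}

# 2. Enabled members of local Administrators whose password never expires
#    (PasswordExpires is $null on the LocalUser object when no expiry is set).
$adminNames = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
foreach ($user in Get-LocalUser) {
    $isAdmin = $adminNames -contains "$env:COMPUTERNAME\$($user.Name)"
    if ($user.Enabled -and $isAdmin -and ($null -eq $user.PasswordExpires)) {
        $findings += [pscustomobject]@{ Check = 'LocalAdmin'
            Detail = "$($user.Name) passwordNeverExpires lastLogon=$($user.LastLogon)" }
    }
}

# 3. Private network profiles relax the default Public-profile firewall posture.
foreach ($p in Get-NetConnectionProfile) {
    if ($p.NetworkCategory -eq 'Private') {
        $findings += [pscustomobject]@{ Check = 'NetworkProfile'
            Detail = "$($p.Name) on $($p.InterfaceAlias) is Private" }
    }
}

# 4. Inbound file-sharing rules that are enabled (the report says sharing is switched on).
$shareRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $shareRules) {
    $findings += [pscustomobject]@{ Check = 'FileSharingRule'; Detail = "$($r.DisplayName) enabled ($($r.Profile))" }
}

$findings | Format-Table -AutoSize
```

Private profiles and sharing rules are common on legitimately configured machines, so treat those two checks as corroborating context for the certificate and local-admin hits rather than as indicators on their own.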

Microsoft also published Indicators of Compromise (IoCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)