Secret Blizzard Attack Detection: russia-Backed APT Targets Foreign Embassies in Moscow With ApolloShadow Malware

russia-affiliated hacking groups remain a major global threat, continuously adapting their tactics to serve Moscow’s geopolitical interests. As international tensions escalate, these government-linked actors are expanding their focus, targeting high-profile organizations worldwide. In its latest report, the Microsoft Threat Intelligence team highlights recent activity from Secret Blizzard (aka Turla, UAC-0024), which is now targeting foreign embassies in Moscow. Using an adversary-in-the-middle (AiTM) technique at the ISP level, the group has been observed deploying its custom ApolloShadow malware to conduct cyber espionage.

Detect Secret Blizzard Activity Using ApolloShadow Malware

According to the ESET APT Activity Report for Q4 2024–Q1 2025, russia-linked actors rank second worldwide as a source of APT attacks. In 2025, groups connected to russian intelligence agencies such as the SVR and GRU have been actively targeting Ukraine and the EU, focusing on critical infrastructure, government institutions, and research organizations. With many organizations around the globe at risk, staying ahead of threats like the recent cyber-espionage campaign by Secret Blizzard is crucial.

Register for the SOC Prime Platform to detect potential russian APT attacks at the earliest stage possible. The Platform delivers timely threat intelligence and actionable detection content, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button below to access a curated stack of detection rules designed to identify and respond to the most recent Secret Blizzard cyber espionage campaign using ApolloShadow malware.

Explore Detections

Alternatively, cyber defenders might search for relevant detection content right in the Threat Detection Marketplace by using “Secret Blizzard” or “ApolloShadow” tags. 

All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Additionally, security experts might streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, security professionals can use Microsoft’s most recent research on Secret Blizzard activity to generate an Attack Flow diagram in several clicks.


Secret Blizzard Activity Analysis: Cyber Espionage Campaign Using ApolloShadow Malware

A recent analysis by the Microsoft Threat Intelligence team reveals a sophisticated cyber espionage operation aimed at foreign embassies in Moscow. The attackers leveraged an adversary-in-the-middle (AiTM) technique at the ISP (Internet Service Provider) level to deliver a malware strain identified as ApolloShadow. Evidence suggests this malicious activity has been active since at least 2024, posing ongoing security risks to diplomatic staff dependent on russian telecom infrastructure.

This targeted campaign has been attributed to Secret Blizzard, a russian APT group with known affiliations to the Federal Security Service (FSB). Widely tracked under various aliases, including Turla, Waterbug, Venomous Bear, Snake, Iron Hunter, and Krypton, Secret Blizzard is recognized for conducting cyber operations against high-value targets such as government agencies, military entities, and diplomatic institutions. The group employs a mix of custom-built malware and specialized reconnaissance tools. According to CISA, Secret Blizzard has direct ties to Center 16 of the FSB, further underscoring the strategic nature of its cyber activities.

In the latest attacks against embassies, Secret Blizzard gains initial access by hijacking the victim’s internet connection through a spoofed captive portal. When a device checks internet connectivity via a legitimate Windows service, it is silently redirected to a threat actor-controlled domain that mimics Microsoft’s test page. This redirection initiates the download of ApolloShadow malware, disguised as a required system update.

Once deployed, ApolloShadow tricks users into granting elevated privileges by prompting a User Account Control (UAC) pop-up. It masquerades as a Kaspersky installer (CertificateDB.exe) to install rogue root certificates. This enables the attacker to intercept secure communications and maintain covert, long-term access to the system.

ApolloShadow installs malicious root certificates using Windows certutil, and deploys a secondary script (“wincert.js”) to ensure Mozilla Firefox also trusts the fake certificates. This setup allows attackers to decrypt and monitor encrypted traffic, capturing sensitive data without raising immediate alarms.

If ApolloShadow detects administrative privileges, it modifies system registry settings to classify networks as private, relaxes firewall rules, and adds a hidden admin account (“UpdatusUser”) with a hard-coded password. These steps enable persistent access and reduce barriers to potential lateral movement within the victim’s network.
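The behaviours described in the three paragraphs above (rogue root certificate via certutil, the wincert.js helper for Firefox, the network profile switched to private, relaxed firewall rules, and the hidden UpdatusUser administrator) are all visible in ordinary process-creation telemetry. The following Python script is an added illustration of how a defender can hunt for that chain over Sysmon-style events; it is not code from SOC Prime or from Microsoft's report. The sample events are constructed, the rule weights and threshold are arbitrary, the ATT&CK technique ids are the standard ones for these behaviours, and the NetworkList\Profiles registry path is an assumption about where the "private network" change would be written (the post does not name the key).

```python
"""Behaviour-based hunt for an ApolloShadow-style post-compromise chain.

Added example, not code from SOC Prime or Microsoft. Scans process-creation
events (Sysmon Event ID 1 style, constructed below) for the behaviours the
post describes and scores each host so that a single noisy match does not
raise an alert on its own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK technique id for the behaviour
    pattern: re.Pattern   # matched against the process command line
    weight: int           # contribution to the per-host score


RULES = [
    # Root certificate added through certutil ("installs malicious root certificates using Windows certutil")
    Rule("root_cert_added_via_certutil", "T1553.004",
         re.compile(r"\bcertutil(?:\.exe)?\b.*-addstore\b.*\broot\b", re.I), 3),
    # Secondary script that makes Firefox trust the certificate (file name taken from the post)
    Rule("firefox_cert_script", "T1553.004",
         re.compile(r"\bwincert\.js\b", re.I), 3),
    # Any local account created from the command line (generic, medium confidence)
    Rule("local_account_created", "T1136.001",
         re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I), 2),
    # The account name reported for this campaign (high confidence)
    Rule("updatususer_account", "T1136.001",
         re.compile(r"\bUpdatusUser\b", re.I), 3),
    # Network profile forced to Private. ASSUMPTION: the change is written to the
    # well-known NetworkList\Profiles key; the post does not name the registry key.
    Rule("network_profile_set_private", "T1562.004",
         re.compile(r"NetworkList\\Profiles\\.*\bCategory\b", re.I), 2),
    # Firewall rules changed with netsh (noisy in admin environments, so low weight)
    Rule("firewall_rule_modified", "T1562.004",
         re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\b(?:set|add)\b", re.I), 1),
]

CHAIN_THRESHOLD = 5   # arbitrary: roughly two of the stronger behaviours on one host


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    technique: str
    command_line: str


def scan(events):
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["command_line"]):
                findings.append(Finding(ev["host"], rule.name, rule.technique, ev["command_line"]))
    return findings


def score_hosts(findings):
    """Sum the weights of the distinct rules that fired on each host."""
    weights = {r.name: r.weight for r in RULES}
    fired = {}
    for f in findings:
        fired.setdefault(f.host, set()).add(f.rule)
    return {host: sum(weights[r] for r in rules) for host, rules in fired.items()}


def flagged_hosts(findings):
    """Hosts whose score reaches the chain threshold, sorted for stable output."""
    return sorted(h for h, s in score_hosts(findings).items() if s >= CHAIN_THRESHOLD)


# Constructed sample events (not real telemetry). WS-01 shows the chain; WS-02 is benign admin noise.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent_image": r"C:\Users\Public\CertificateDB.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -addstore root C:\Users\Public\ca.cer"},
    {"host": "WS-01", "parent_image": r"C:\Users\Public\CertificateDB.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\Public\wincert.js"},
    {"host": "WS-01", "parent_image": r"C:\Users\Public\CertificateDB.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user UpdatusUser <hard-coded-password> /add"},
    {"host": "WS-01", "parent_image": r"C:\Users\Public\CertificateDB.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{C0FFEE00-0000-4000-8000-000000000001}" /v Category /t REG_DWORD /d 1 /f'},
    {"host": "WS-01", "parent_image": r"C:\Users\Public\CertificateDB.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'},
    {"host": "WS-02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\Temp\setup.msi SHA256"},
    {"host": "WS-02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user"},
    {"host": "WS-02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user svc_backup Summer2025! /add"},
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}  {f.technique}  {f.rule}: {f.command_line}")
    print("hosts with an ApolloShadow-like chain:", flagged_hosts(found))
```

Run as-is, the script reports six findings on WS-01 and flags only that host; WS-02 produces a single generic local-account finding that stays under the threshold. The scoring keeps the high-confidence indicators from the post (certutil root store writes, wincert.js, UpdatusUser) separate from the generic ones (any account creation, any netsh firewall change), which is the distinction a triage analyst would want before escalating.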

The increasing attacks by Secret Blizzard against diplomatic entities, combined with the group’s sophisticated evasion, demand swift and proactive responses from defenders. SOC Prime Platform equips security teams with cutting-edge solutions to elevate threat detection and hunting capabilities, significantly reduce the attack surface, and build a robust cybersecurity posture. 
