A Russian government-aligned threat group, tracked as Secret Blizzard, has been tied to a covert cyber operation aimed at foreign diplomatic missions in Moscow. The group is leveraging ISP-level adversary-in-the-middle (AitM) access to redirect embassy traffic and deliver a custom implant named ApolloShadow.
According to researchers, ApolloShadow tampers with system trust by installing a fake root certificate, allowing attacker-owned sites to appear legitimate. The implant lets the attackers persist on embassy devices—likely enabling long-term data collection efforts.
The group, which has also been identified as Turla, Snake, Venomous Bear, and others, is believed to be associated with Russia’s FSB. Its recent activity shows signs of ongoing targeting since at least early 2024.
Earlier, in 2024, Microsoft and Lumen’s Black Lotus Labs uncovered that Secret Blizzard had hijacked C2 infrastructure linked to a Pakistani threat actor, an apparent move to muddle attribution. In some cases, the group also reused payload delivery channels from other malware families to drop its Kazuar backdoor, including on systems in Ukraine.
In the latest campaign, embassy devices connecting via Russian telecom networks are silently redirected to attacker-controlled infrastructure using a spoofed captive portal. When a Windows device attempts a routine internet check via msftconnecttest[.]com, the attacker hijacks the request and serves a fake certificate warning. Victims are prompted to download ApolloShadow under the guise of a legitimate connection fix.
Post-infection, the malware collects host information, runs CertificateDB.exe when it lacks administrator rights, and retrieves a secondary Visual Basic payload. Where elevation is required, a fake UAC prompt asks the user for permission.
Once running with high privileges, ApolloShadow modifies registry settings to mark networks as private, reduces firewall restrictions, and creates a new admin account (UpdatusUser) with hardcoded credentials for persistence.
The malware completes setup by using certutil to install two root certificates and drops a file (wincert.js) that enables Firefox to trust these certs, extending the attacker’s foothold across browsers.
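The chain described above leaves several host-side traces a defender can look for: a hijacked NCSI probe, unexpected root certificates, a new local administrator, Private network profiles with a weakened firewall, and browser trust changes. The PowerShell audit below is an added example for this article, not code from Microsoft's report or from the malware; it checks a Windows host for each of those conditions. The names UpdatusUser and wincert.js come from the report. The baseline file path, the expected-administrator list and the 30-day window are placeholders to adapt per site, and the Firefox `security.enterprise_roots.enabled` check is a general heuristic for scripts that make Firefox trust the Windows root store, not a detail the report states about wincert.js.

```powershell
# Added example: audit a Windows host for the ApolloShadow-style changes described
# in the article. Run from an elevated PowerShell 5.1+ session on the suspect device.
# Assumptions (not from the report): baseline path, admin allow-list, recency window.
param(
    # Thumbprints exported from a known-good host, one per line, e.g.:
    #   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content roots.txt
    [string]$RootBaselinePath = "C:\Baseline\roots.txt",
    [string[]]$ExpectedLocalAdmins = @("Administrator"),
    [int]$RecentDays = 30
)

$findings = New-Object System.Collections.Generic.List[string]
$cutoff   = (Get-Date).AddDays(-$RecentDays)

# 0. Captive-portal interception of the connectivity probe. Windows fetches connecttest.txt
#    over plain HTTP and expects the fixed body "Microsoft Connect Test". A redirect,
#    a TLS error or a different body means something on the path answered instead.
try {
    $resp = Invoke-WebRequest -Uri "http://www.msftconnecttest.com/connecttest.txt" `
        -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    if ($resp.StatusCode -ne 200 -or $resp.Content.Trim() -ne "Microsoft Connect Test") {
        $findings.Add("NCSI probe answered with status $($resp.StatusCode), body '$($resp.Content.Trim())'")
    }
} catch {
    $findings.Add("NCSI probe failed or was redirected: $($_.Exception.Message)")
}

# 1. Root store tampering: the implant installs root certificates with certutil.
#    Flag any root not in the baseline, and any root whose validity began recently
#    (a freshly issued certificate is unusual in a Root store).
$baseline = @()
if (Test-Path $RootBaselinePath) {
    $baseline = Get-Content $RootBaselinePath | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }
} else {
    $findings.Add("WARN: no root baseline at $RootBaselinePath; only the recency heuristic is applied")
}
foreach ($store in @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")) {
    foreach ($cert in Get-ChildItem $store) {
        $tp = $cert.Thumbprint.ToUpper()
        if ($baseline.Count -gt 0 -and $tp -notin $baseline) {
            $findings.Add("ROOT CERT not in baseline [$store]: $($cert.Subject) $tp")
        } elseif ($cert.NotBefore -gt $cutoff) {
            $findings.Add("ROOT CERT issued within $RecentDays days [$store]: $($cert.Subject) $tp")
        }
    }
}

# 2. Persistence account: the report names a hardcoded administrator "UpdatusUser".
#    Flag it, plus any local Administrators member not on the expected list, and
#    correlate with Security event 4720 ("A user account was created").
foreach ($m in (Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue)) {
    $name = ($m.Name -split '\\')[-1]
    if ($name -ieq "UpdatusUser") {
        $findings.Add("ACCOUNT: UpdatusUser is a local administrator (named in the report)")
    } elseif ($m.ObjectClass -eq "User" -and $name -notin $ExpectedLocalAdmins) {
        $findings.Add("ACCOUNT: unexpected local administrator $($m.Name)")
    }
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $cutoff } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'TargetUserName' } | Select-Object -ExpandProperty '#text'
        $findings.Add("EVENT 4720: account '$target' created at $($_.TimeCreated)")
    }

# 3. Network profile and firewall weakening: the implant marks networks Private and
#    loosens firewall restrictions. Private profiles need review in context; a disabled
#    firewall profile is a finding on its own.
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq "Private" } |
    ForEach-Object { $findings.Add("NETWORK: profile '$($_.Name)' on $($_.InterfaceAlias) is Private") }
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq "False" } |
    ForEach-Object { $findings.Add("FIREWALL: profile $($_.Name) is disabled") }

# 4. Browser trust extension: look for the dropped wincert.js, and for Firefox profiles
#    whose user.js turns on enterprise (Windows store) root trust. The preference check
#    is a general heuristic, not a detail taken from the report.
Get-ChildItem -Path "$env:SystemDrive\Users" -Filter "wincert.js" -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("FILE: $($_.FullName)") }
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\user.js" -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'security\.enterprise_roots\.enabled.*true' -Quiet } |
    ForEach-Object { $findings.Add("FIREFOX: $($_.FullName) enables Windows root store trust") }

if ($findings.Count -eq 0) { "No ApolloShadow-style indicators found." } else { $findings }
```

The probe check in step 0 only says something about the network the host is currently on, so it is worth running while connected through the telecom path in question. The root-store comparison is the most reliable of the checks: a root certificate that is present on the host but absent from a baseline taken from a clean build is hard to explain benignly, whereas Private network profiles and recently created accounts need to be read against local change records.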
Microsoft’s report suggests the initial AitM access may have been enabled through lawful intercept channels and disguised as part of a Kaspersky antivirus update process.
To defend against this threat, diplomatic missions are advised to audit privileged access regularly, enforce strong segmentation policies, and route all network traffic through encrypted VPN tunnels.