Secret Blizzard Deploys Malware in ISP-Level AiTM Attacks on Moscow Embassies
Summary:
Microsoft Threat Intelligence has released a report uncovering a cyberespionage campaign by the Russian state-sponsored actor Secret Blizzard, also known by aliases such as Turla, Waterbug, and Venomous Bear. This campaign, active since at least 2024, targets foreign embassies in Moscow. The attackers utilize an Adversary-in-the-Middle (AiTM) position at the ISP or telecommunications level within Russian borders to deploy custom malware called ApolloShadow. This marks the first time Microsoft has confirmed Secret Blizzard's ability to perform these operations at the ISP level, a capability likely facilitated by Russia’s domestic intercept systems like SORM, making it integral to the scale of the operations.
Initial access for the AiTM attack works by redirecting targeted diplomatic devices to a fake captive portal. A captive portal is a legitimate web page designed to manage network access, such as those encountered when connecting to the internet at a hotel. Once behind this portal, the victim is redirected to a separate actor-controlled domain, which likely uses a certificate validation error to prompt the user to download and execute ApolloShadow, which masquerades as a Kaspersky Anti-Virus installer. The malware then installs seemingly benign root certificates, enabling the attackers to decrypt TLS/SSL traffic, maintain persistence as a new local admin user, and collect sensitive information. ApolloShadow also alters the host by setting all networks to private and modifies network settings to relax firewall rules and make the device discoverable, which could facilitate lateral movement within the network. The malware accomplishes this either by directly setting firewall rules using COM objects or by modifying the registry settings for network profiles under "SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles". This campaign poses a high risk to diplomatic and other sensitive organizations in Moscow, especially those using local internet providers. However, the defense measures outlined for this threat are broadly applicable to organizations in any region for reducing the risk of similar threats.
Security Officer Comments:
Secret Blizzard's shift to leveraging ISP-level access is a concerning development, which demonstrates a high degree of sophistication and exemplifies the significant advantages of conducting operations domestically. The use of lawful intercept systems like SORM is particularly notable in that respect, as it suggests state-sanctioned access to sensitive telecommunications infrastructure. The social engineering aspect of the attack, which tricks users into installing a malicious root certificate disguised as a legitimate AV software installer, is also integral to this activity. By masquerading as a Kaspersky Anti-Virus installer, the attackers capitalize on user trust in established security vendors and certificates to gain elevated privileges. The use of a captive portal as part of an initial access vector adds to the operation’s sophistication, as it leverages a common network behavior that users may not find suspicious. The post-compromise behavior of ApolloShadow, which alters firewall settings and enables discoverability, is a clear indicator of the actor's intent to not only collect information long-term but also to potentially stage the expansion of their access within a compromised network. This campaign highlights the unique challenges of operating in high-risk environments and underscores the importance of not relying on local network infrastructure for sensitive communications.
Suggested Corrections:
IOCs are available here.
Microsoft recommends that all customers, and especially sensitive organizations operating in Moscow, implement the following measures to mitigate Secret Blizzard activity.
- Route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider, such as a satellite-based provider, whose infrastructure is not controlled or influenced by outside parties.
- Practice the principle of least privilege, use multifactor authentication (MFA), and audit privileged account activity in your environments to slow and stop attackers. Avoid the use of domain-wide, admin-level service accounts and restrict local administrative privileges. These mitigation steps reduce the paths that attackers have available to them to accomplish their goals and lower the risk of the compromise spreading in your environment.
- Regularly review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Threat actors may add accounts to these groups to maintain persistence and disguise their activity.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
- Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Turn on attack surface reduction rules to prevent common attack techniques. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against common attack vectors.
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Block execution of potentially obfuscated scripts
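The host changes attributed to ApolloShadow above (network profiles forced to Private, an added trusted root certificate, relaxed discovery firewall rules, a new local administrator) and the recommendation to review privileged groups can be checked with a single audit. The script below is an added example written for this summary, not Microsoft's tooling or an IOC from the report; the baseline thumbprint list and expected administrator names are constructed placeholders that a defender must fill from a known-good machine.

```powershell
# Added host audit for the ApolloShadow-style changes described above. Run elevated.
# Both baselines are constructed placeholders: populate them from a known-good host.
$BaselineRootThumbprints = @('PLACEHOLDER_THUMBPRINT_1', 'PLACEHOLDER_THUMBPRINT_2')
$KnownAdmins             = @('Administrator', 'Domain Admins')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Network profiles set to Private. Under each profile GUID the DWORD 'Category'
#    is 0 = Public, 1 = Private, 2 = Domain-authenticated.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
Get-ChildItem -Path $profileKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.Category -eq 1) {
        $findings.Add("Private network profile: '$($p.ProfileName)' ($($_.PSChildName))")
    }
}

# 2. Trusted roots in the machine store that are not in the baseline. An attacker-added
#    root is what lets the AiTM position decrypt TLS without browser warnings.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $BaselineRootThumbprints -notcontains $_.Thumbprint } |
    ForEach-Object {
        $findings.Add("Unexpected trusted root: $($_.Subject) [$($_.Thumbprint)] NotBefore=$($_.NotBefore)")
    }

# 3. Discovery / sharing rules enabled on the Private (or Any) profile, which is what
#    makes the device reachable from the rest of the network.
Get-NetFirewallRule -DisplayGroup 'Network Discovery', 'File and Printer Sharing' `
                    -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Profile)" -match 'Private|Any' } |
    ForEach-Object {
        $findings.Add("Discovery rule enabled on $($_.Profile): $($_.DisplayName)")
    }

# 4. Members of the local Administrators group outside the expected set
#    (the report describes persistence as a new local admin user).
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $KnownAdmins -notcontains ($_.Name -split '\\')[-1] } |
    ForEach-Object {
        $findings.Add("Unexpected Administrators member: $($_.Name) ($($_.ObjectClass))")
    }

if ($findings.Count -eq 0) { 'No ApolloShadow-style host changes found.' } else { $findings }
```

Any finding is a prompt for investigation rather than proof of compromise; a legitimately Private network or a corporate root CA will also appear until it is added to the baseline.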
https://thehackernews.com/2025/07/secret-blizzard-deploys-malware-in-isp.html
https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/