stclarke presents an in-depth look at Microsoft’s findings on the Russian state actor Secret Blizzard’s AiTM attack on diplomats in Moscow, revealing their use of ApolloShadow malware, attack flow, and practical security recommendations.

Russian Threat Actor Secret Blizzard’s AiTM Campaign Targets Diplomats with ApolloShadow Malware

Overview

Microsoft Threat Intelligence details an advanced cyberespionage effort led by Russian state-sponsored group Secret Blizzard. Through an adversary-in-the-middle (AiTM) approach, Secret Blizzard compromised diplomatic networks in Moscow using the custom malware ApolloShadow, which establishes persistent access by installing fraudulent root certificates.

Figure: Infection chain

Campaign Details

  • Target: Foreign embassies and diplomatic entities operating in Moscow
  • Attack Vector: AiTM via manipulation at ISP and telco infrastructure
  • Malware: ApolloShadow, which installs rogue root certificates so that the host trusts attacker-controlled sites (a device trust bypass)
  • Persistence: Added an administrative user (UpdatusUser) and altered network/firewall configurations for ease of future access

Technical Walkthrough

Initial Access

  • Secret Blizzard uses ISP-level AiTM to redirect victims into captive portals
  • The Windows connectivity test (the request to msftconnecttest.com) issues an HTTP GET that is redirected to attacker domains via DNS manipulation

Infection Process

  • Victims receive certificate errors and are prompted to run an executable, CertificateDB.exe, that masquerades as a Kaspersky AV installer
  • On execution, ApolloShadow checks for administrative privileges, prompting privilege escalation via User Account Control (UAC) if needed

Data Exfiltration & Second Stage

  • Collects IP/network information, which is double Base64-encoded and sent to a malicious C2 endpoint
  • A VBScript payload is retrieved and executed to continue the compromise chain

Privilege Escalation & Persistence

  • Low privilege path: Collects host/network info, delivers scripts
  • High privilege path:
    • Alters Windows registry to set all networks to ‘Private’
    • Enables specific firewall rules to relax host segmentation
    • Installs rogue root certificates (including for Firefox, which keeps its own trust store)
    • Creates a permanent admin user with a non-expiring password

Technical Indicators

  • Obfuscated strings and process flows
  • Use of legitimate system utilities and APIs (certutil, NetUserAdd) for malicious purposes
  • Communication with C2 via DNS/Digicert endpoint redirection

Recommendations for Defense

Microsoft’s blog offers actionable defense steps:

  • Route traffic through encrypted tunnels (e.g., VPN) or alternative providers such as satellite networks to shield it from local ISP monitoring
  • Principle of Least Privilege: Restrict admin and privileged accounts
  • Enable MFA (multi-factor authentication) and audit privileged group membership
  • Activate cloud-delivered protection in Defender Antivirus
  • Turn on EDR in block mode for real-time remediation
  • Apply Attack Surface Reduction (ASR) rules and policies to block executables and scripts

Defender XDR Detections

  • Look for:
    • Secret Blizzard activity alerts
    • Suspicious root certificate and certutil activity
    • Unknown admin users created
    • Scripts with anomalous content
  • Example Kusto Query:
    let CaptiveRedirectEvents = DeviceNetworkEvents
        | where RemoteUrl contains "msftconnecttest.com/redirect"
        | project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
    let FileDownloadEvents = DeviceFileEvents
        | where ActionType == "FileDownloaded"
        | project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;
    CaptiveRedirectEvents
    | join kind=inner (FileDownloadEvents) on DeviceId
    | where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
    | project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath
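The same correlation as the hunting query, written here as an added Python example (not Microsoft's code) so it can be run offline over exported telemetry: it joins captive-portal redirects of the Windows connectivity test with downloads on the same device inside a two-minute window. The sample events, device names and paths are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Defender data), shaped like the
# DeviceNetworkEvents / DeviceFileEvents columns the hunting query uses.
NETWORK_EVENTS = [
    {"DeviceId": "host-a", "Timestamp": "2025-07-31T09:00:00",
     "RemoteUrl": "http://www.msftconnecttest.com/redirect"},
    {"DeviceId": "host-b", "Timestamp": "2025-07-31T09:05:00",
     "RemoteUrl": "http://www.msftconnecttest.com/connecttest.txt"},
    {"DeviceId": "host-c", "Timestamp": "2025-07-31T10:00:00",
     "RemoteUrl": "http://www.msftconnecttest.com/redirect"},
]
FILE_EVENTS = [
    # host-a: download 70 s after the redirect -> inside the 2 minute window
    {"DeviceId": "host-a", "Timestamp": "2025-07-31T09:01:10", "ActionType": "FileDownloaded",
     "FileName": "CertificateDB.exe", "FolderPath": r"C:\Users\diplomat\Downloads"},
    # host-a: benign download half an hour later -> outside the window
    {"DeviceId": "host-a", "Timestamp": "2025-07-31T09:30:00", "ActionType": "FileDownloaded",
     "FileName": "agenda.pdf", "FolderPath": r"C:\Users\diplomat\Downloads"},
    # host-b: a download with no captive-portal redirect on that device
    {"DeviceId": "host-b", "Timestamp": "2025-07-31T09:05:30", "ActionType": "FileDownloaded",
     "FileName": "setup.exe", "FolderPath": r"C:\Users\staff\Downloads"},
    # host-c: file event inside the window but not a download
    {"DeviceId": "host-c", "Timestamp": "2025-07-31T10:00:30", "ActionType": "FileCreated",
     "FileName": "notes.txt", "FolderPath": r"C:\Users\staff\Documents"},
]

def correlate_redirect_downloads(network_events, file_events, window=timedelta(minutes=2)):
    """Inner-join captive-portal redirects with downloads on the same device whose
    timestamp lies in [redirect, redirect + window], like the KQL 'between' clause."""
    redirects = [e for e in network_events if "msftconnecttest.com/redirect" in e["RemoteUrl"]]
    downloads = [e for e in file_events if e["ActionType"] == "FileDownloaded"]
    hits = []
    for r in redirects:
        r_ts = datetime.fromisoformat(r["Timestamp"])
        for d in downloads:
            if d["DeviceId"] != r["DeviceId"]:
                continue
            d_ts = datetime.fromisoformat(d["Timestamp"])
            if r_ts <= d_ts <= r_ts + window:
                hits.append({"DeviceId": r["DeviceId"], "RedirectTimestamp": r["Timestamp"],
                             "RemoteUrl": r["RemoteUrl"], "DownloadTimestamp": d["Timestamp"],
                             "FileName": d["FileName"], "FolderPath": d["FolderPath"]})
    return hits

if __name__ == "__main__":
    for hit in correlate_redirect_downloads(NETWORK_EVENTS, FILE_EVENTS):
        print(hit)
```

Only the host-a download lands in the window; the later benign download, the download without a preceding redirect, and the non-download file event are all dropped, which is the behaviour to expect when tuning the window against real exports.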


Key Takeaways

  • Russian threat group Secret Blizzard is leveraging ISP-level AiTM attacks in Russia
  • Custom malware (ApolloShadow) performs root certificate injection and privilege escalation, and establishes a persistent backdoor
  • Microsoft recommends comprehensive defense-in-depth—including Defender XDR, privilege control, and encrypted traffic routing
  • Defender customers can leverage hunting queries and built-in detections for proactive monitoring

Author

stclarke

This post appeared first on “Microsoft News”.