By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies
Computing

Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies

News Room
Last updated: 2025/07/31 at 2:24 PM
News Room Published 31 July 2025
Share
SHARE

Jul 31, 2025Ravie LakshmananCyber Espionage / Network Security

The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle (AitM) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow.

“ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.

The activity is assessed to be ongoing since at least 2024, with the campaign posing a security risk to diplomatic personnel relying on local ISPs or telecommunications services in Russia.

Secret Blizzard (formerly Krypton), affiliated with the Russian Federal Security Service, is also tracked by the broader cybersecurity community under the monikers Blue Python, Iron Hunter, Pensive Ursa, Snake, SUMMIT, Uroburos, Turla, Venomous Bear, and Waterbug.

Cybersecurity

In December 2024, Microsoft and Lumen Technologies Black Lotus Labs disclosed the hacking group’s use of a Pakistan-based threat actor’s command-and-control (C2) infrastructure to carry out its own attacks as a way to cloud attribution efforts.

The adversary has also been observed piggybacking on malware associated with other threat actors to deliver its Kazuar backdoor on target devices located in Ukraine.

The Windows maker noted that the AitM position is likely facilitated by lawful intercept and includes the installation of root certificates under the guise of Kaspersky antivirus to obtain elevated access to the system.

Initial access is achieved by redirecting target devices to threat actor-controlled infrastructure by putting them behind a captive portal, leading to the download and execution of the ApolloShadow malware.

“Once behind a captive portal, the Windows Test Connectivity Status Indicator is initiated—a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should direct to msn[.]com,” Microsoft said.

“Once the system opens the browser window to this address, the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error, which prompts the target to download and execute ApolloShadow.”

The malware then beacons host information to the C2 server and runs a binary called CertificateDB.exe should the device not be running on default administrative settings, and retrieves as a second-stage payload an unknown Visual Basic Script.

In the last step, the ApolloShadow process launches itself again and presents the user with a user access control (UAC) pop-up window and instructs them to grant it the highest privileges available to the user.

Cybersecurity

ApolloShadow’s execution path varies if the running process is already running with sufficient elevated privileges, abusing them to set all networks to Private via registry profile changes and create an administrative user with the username UpdatusUser and a hard-coded password, allowing persistent access to the machine.

“This induces several changes, including allowing the host device to become discoverable, and relaxing firewall rules to enable file sharing,” the company said. “While we did not see any direct attempts for lateral movement, the main reason for these modifications is likely to reduce the difficulty of lateral movement on the network.”

Once this step is successfully completed, victims are displayed a window showing that the deployment of the digital certificates is in progress, causing two root certificates to be installed on the machine using the certutil utility. Also dropped is a file called “wincert.js” that allows Mozilla Firefox to trust the root certificates.

To defend against Secret Blizzard activity, diplomatic entities operating in Moscow are urged to implement the principle of least privilege (PoLP), periodically review privileged groups, and route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider.

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article Parents being pressured into upgrading to faster broadband by kids as young as 5
Next Article Best cheap phones in 2025 reviewed and rated | Stuff
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

Vivobarefoot’s Sensus Shoes Are Like Gloves for Your Feet
Gadget
Create Your Own Ethereum NFT Explorer Using NextJS | HackerNoon
Computing
Hot deal: Amazon slashes $450 off the Samsung Galaxy S24 Ultra
News
Apple Warns Investors About Risk of Massive Deal With Google Ending
News

You Might also Like

Computing

Create Your Own Ethereum NFT Explorer Using NextJS | HackerNoon

55 Min Read
Computing

Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts

6 Min Read
Computing

China’s micro-dramas: packed with cliffhangers, seemingly profitable but it’s not · TechNode

8 Min Read
Computing

The TechBeat: 10 Gaps That Undermine Your Cybersecurity Framework (And How to Close Them) (8/1/2025) | HackerNoon

5 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?