{"id":59103,"date":"2025-07-31T16:00:00","date_gmt":"2025-07-31T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=141542"},"modified":"2025-07-31T16:00:00","modified_gmt":"2025-07-31T16:00:00","slug":"frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats\/","title":{"rendered":"Frozen in transit: Secret Blizzard\u2019s AiTM campaign against diplomats"},"content":{"rendered":"

Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.<\/p>\n

While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard\u2019s AiTM position within those services. In our previous blog<\/a>, we reported the actor likely leverages Russia\u2019s domestic intercept systems such as the System for Operative Investigative Activities<\/a> (SORM), which we assess may be integral in facilitating the actor\u2019s current AiTM activity, judging from the large-scale nature of these operations.<\/p>\n

This blog provides guidance on how organizations can protect against Secret Blizzard\u2019s AiTM ApolloShadow campaign, including forcing or routing all traffic through an encrypted tunnel to a trusted network or using an alternative provider\u2014such as a satellite-based connection\u2014hosted within a country that does not control or influence the provider\u2019s infrastructure. The blog also provides additional information on network defense, such as recommendations, indicators of compromise (IOCs), and detection details.<\/p>\n

Secret Blizzard is attributed<\/a> by the United States Cybersecurity and Infrastructure Agency (CISA) as Russian Federal Security Service (Center 16). Secret Blizzard further overlaps with threat actors tracked by other security vendors<\/a> by names such as VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.<\/p>\n

As part of our continuous monitoring, analysis, and reporting of the threat landscape, we are sharing our observations on Secret Blizzard\u2019s latest activity to raise awareness of this actor\u2019s tradecraft and educate organizations on how to harden their attack surface against this and similar activity. Although this activity poses a high risk to entities within Russia, the defense measures included in this blog are broadly applicable and can help organizations in any region reduce their risk from similar threats. Microsoft is also tracking other groups using similar techniques, including those documented by ESET in a previous publication<\/a>.<\/p>\n

AiTM and ApolloShadow deployment<\/h2>\n

In February 2025, Microsoft Threat Intelligence observed Secret Blizzard conducting a cyberespionage campaign against foreign embassies located in Moscow, Russia, using an AiTM position to deploy the ApolloShadow malware to maintain persistence and collect intelligence from diplomatic entities. An adversary-in-the-middle<\/a> technique is when an adversary positions themself between two or more networks to support follow-on activity. The Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS\/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target\u2019s browsing in clear text including the delivery of certain tokens and credentials. Secret Blizzard has exhibited similar techniques in past cyberespionage campaigns<\/a> to infect foreign ministries in Eastern Europe by tricking users to download a trojanized Flash installer from an AiTM position.<\/p>\n

Initial access    <\/h3>\n

In this most recent campaign, the initial access mechanism used by Secret Blizzard is facilitated by an AiTM position at the ISP\/Telco level inside Russia, in which the actor redirects target devices by putting them behind a captive portal. Captive portals are legitimate web pages designed to manage network access, such as those encountered when connecting to the internet at a hotel or airport. Once behind a captive portal, the Windows Test Connectivity Status Indicator<\/a> is initiated\u2014a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp:\/\/www.msftconnecttest[.]<\/em>com\/redirect<\/em> which should direct to msn[.]com<\/em>.  <\/p>\n

Delivery and installation<\/h3>\n

Once the system opens the browser window to this address, the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error which prompts the target to download and execute ApolloShadow. Following execution, ApolloShadow checks for the privilege level of the ProcessToken<\/em> and if the device is not running on default administrative settings, then the malware displays the user access control (UAC) pop-up window to prompt the user to install certificates with the file name CertificateDB.exe<\/em>, which masquerades as a Kaspersky installer to install root certificates and allow the actor to gain elevated privileges in the system.<\/p>\n

\"The
Figure 1. Secret Blizzard AiTM infection chain<\/em><\/figcaption><\/figure>\n

ApolloShadow malware<\/h3>\n

ApolloShadow uses two execution paths depending on the privilege level of the running process. The token of the running process is retrieved using the API GetTokenInformationType<\/em> and the value of TokenInformation<\/em> is checked to see if the token contains the TokenElevationTypeFull<\/em>type. <\/strong>If it does not have that privilege level, ApolloShadow executes a low privilege execution path.<\/strong><\/p>\n

\"Diagram
Figure 2. ApolloShadow execution flow<\/em><\/figcaption><\/figure>\n

Low privilege execution<\/h2>\n

When executing the low privilege path, the first action is to collect information about the host to send back to the AiTM controlled command and control (C2). First, the host\u2019s IP information is collected using the API GetIpAddrTable<\/em>, which collects information from the IpAddrTable<\/em>. Each entry is individually Base64-encoded and delineated by a pipe character with \\r\\n<\/em> appended, then combined into one string. For example:<\/p>\n