Microsoft Threat Intelligence has uncovered an advanced cyberespionage campaign by Russian state‑aligned actor Secret Blizzard (also known as Turla) targeting foreign embassies in Moscow using an ISP‑level adversary‑in‑the‑middle (AiTM) position to deploy its custom malware, ApolloShadow, effectively stripping TLS encryption from diplomatic devices. This marks a new level of intrusion leveraging state‑controlled telecom infrastructure, raising urgent cybersecurity concerns globally.
- Since February 2025, Secret Blizzard has been conducting an ongoing AiTM campaign against foreign diplomatic missions in Moscow, exploiting ISP-level control to intercept traffic and deliver ApolloShadow malware disguised as a Kaspersky AV certificate installer.
- This marks the first confirmed instance of an FSB-linked actor operating at the ISP level inside Russia, using legal intercept infrastructure like SORM to facilitate man‑in‑the‑middle positioning.
- The campaign has targeted embassies relying on local telecom services, effectively rendering even encrypted browsing visible to the threat actor.
Technical Analysis: ApolloShadow Malware & Attack Chain
Deployment Mechanism
- Upon connecting to the internet, victims’ devices trigger a captive portal check (msftconnecttest.com/redirect) that is hijacked to direct users to malicious domains.
- Users are prompted to install CertificateDB.exe, masquerading as a legitimate Kaspersky installer, which installs custom root certificates to intercept TLS traffic.
Malware Behavior
- The malware persists by installing root certificates and modifying network profiles to Private, relaxing firewall settings to enable lateral movement.
- Admin user account creation and registry changes reinforce attacker persistence. ApolloShadow also exfiltrates host configuration via encoded C2 communications.
MITRE ATT&CK Mapping & IoCs
Phase | Technique | MITRE ID | Description |
---|---|---|---|
Initial Access | Adversary-in-the-Middle | T1557 | ISP‑level redirection via captive portal |
Execution | User Execution | T1204 | ‘CertificateDB.exe’ installer prompts |
Persistence | Create Account | T1136 | New local admin user |
Defense Evasion | Root Certificate Manipulation | T1553.002 | Trusted cert install for TLS stripping |
Exfiltration | Exfil via C2 over Web | T1041 | Network config encoded in GET query |
Indicators of Compromise (IoCs):
- Domain: kav‑certificates[.]info
- IP: 45.61.149.109
- SHA256: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- Filename: CertificateDB.exe
Expert Commentary
“This blurs the boundary between passive surveillance and actual intrusion,” says Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy, describing how Secret Blizzard weaponized ISP infrastructure for espionage. (Reuters)
“It doesn’t leverage any zero‑day or software vulnerability… it’s about controlling the infrastructure,” DeGrippo added, highlighting the stealth and resilience of the AiTM approach. (WIRED)
MEA & Global Cybersecurity Context
While this campaign is geographically limited to Moscow-based diplomatic targets, the tactics pose a wider warning: state-aligned control of telecom infrastructure can be abused anywhere—especially where ISPs are obliged to intercept or monitor traffic. Security teams across MEA and globally should reassess how much trust they place in local networks and public infrastructure.
In comparison, other cyber espionage groups like Void Blizzard and Seashell Blizzard have leveraged more conventional methods such as spear phishing and backdoors to target NATO states since 2024.
Actionable Takeaways
- Enforce Encrypted Tunnels & VPN: Route traffic through encrypted, trusted networks to prevent interception.
- Use Alternative Internet Providers: Consider satellite-based or foreign ISPs for sensitive users in high-risk regions.
- Block Root Cert Installation: Harden endpoint policies to prevent unauthorized certificate trust stores.
- Enable MFA & Least Privilege: Enforce strict privilege models even if credentials are intercepted.
- Monitor Certutil Activity: Flag or block unexpected certificate utility usage at endpoints.
- Harden UAC Policies: Prevent unauthorized elevation prompts and block unknown executables.
- Audit Firewall & Network Profiles: Review changes to private network settings and discovery rules.
- Implement Threat Intelligence Feeds: Monitor IoC lists for domains, IPs, hashes.
- Onboard Zero Trust Architecture: Validate trust per session, not per location or network.
- Educate Diplomatic Staff: Train teams on captive portal phishing and adversary-in-the-middle risk.
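To show how the attack chain described above maps onto the monitoring advice in these takeaways (certutil use, root store changes, network profile changes, new admin accounts), here is an added detection example that is not code from the article or from Microsoft. It correlates constructed Windows Security/Sysmon-style records per host; the record field names, the host names and the thumbprint/GUID placeholders are assumptions, while the domain and SHA256 are the article's IoCs.

```python
"""ApolloShadow-style chain correlation over constructed Windows telemetry.
Added example, not from the article or Microsoft; field names are assumptions."""
import re
from collections import defaultdict

IOC_DOMAINS = {"kav-certificates.info"}  # indicators quoted in the article
IOC_SHA256 = {"13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"}
CERTUTIL_ROOT = re.compile(r"certutil.*-addstore\b.*\broot\b", re.I)
# One predicate per stage of the chain the article describes.
STAGES = {
    # captive-portal probe answered with a redirect to the IoC domain
    "captive_portal_redirect": lambda e: e.get("type") == "http"
        and e.get("url_host", "").endswith("msftconnecttest.com")
        and e.get("redirect_host") in IOC_DOMAINS,
    # installer by hash or name, or certutil writing to the Root store
    "installer_or_certutil": lambda e: e.get("type") == "process"
        and (e.get("sha256") in IOC_SHA256
             or e.get("image", "").lower().endswith("\\certificatedb.exe")
             or CERTUTIL_ROOT.search(e.get("cmdline", "")) is not None),
    # new entry under the machine Root certificate store
    "root_cert_added": lambda e: e.get("type") == "registry"
        and "\\systemcertificates\\root\\certificates\\" in e.get("key", "").lower(),
    # network profile Category set to 1 (Private), which relaxes firewall rules
    "profile_set_private": lambda e: e.get("type") == "registry"
        and "\\networklist\\profiles\\" in e.get("key", "").lower()
        and e.get("value") == "Category" and e.get("data") == 1,
    # 4720 = user created, 4732 = member added to a local group (e.g. Administrators)
    "local_admin_created": lambda e: e.get("type") == "security"
        and e.get("event_id") in (4720, 4732),
}
def correlate(events, min_stages=3):
    """Return {host: [stages]} for hosts that hit at least min_stages stages."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host_name"]].update(n for n, match in STAGES.items() if match(ev))
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host_name": "EMB-WS01", "type": "http", "url_host": "www.msftconnecttest.com",
     "redirect_host": "kav-certificates.info"},
    {"host_name": "EMB-WS01", "type": "process", "image": r"C:\Users\u\Downloads\CertificateDB.exe",
     "sha256": "13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20", "cmdline": ""},
    {"host_name": "EMB-WS01", "type": "registry", "value": "Blob", "data": None,
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\PLACEHOLDER_THUMBPRINT"},
    {"host_name": "EMB-WS01", "type": "registry", "value": "Category", "data": 1,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{PLACEHOLDER-GUID}"},
    {"host_name": "EMB-WS01", "type": "security", "event_id": 4720},
    {"host_name": "EMB-WS02", "type": "security", "event_id": 4720},  # one stage alone: not flagged
]
```

Requiring several stages on the same host keeps a routine account creation or a single certutil run from paging anyone, while the full chain on one workstation stands out.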
Conclusion
Secret Blizzard’s novel use of ISP-level AiTM to deploy ApolloShadow underscores a shift in espionage tradecraft—away from exploiting software vulnerabilities and towards weaponizing infrastructure trust. For diplomatic and high-profile entities operating in adversarial environments, traditional cybersecurity measures are no longer sufficient. Organizations must adopt secure network routing, rigorous endpoint hardening, and zero-trust principles to reduce exposure to this emerging threat vector.
Sources
- Microsoft Security Blog: “Frozen in transit: Secret Blizzard’s AiTM campaign” (31 July 2025) (The Hacker News, Microsoft)
- Ars Technica: “Microsoft catches Russian hackers targeting foreign embassies” (31 July 2025) (Ars Technica)
- The Hacker News: “Secret Blizzard Deploys Malware in ISP‑Level AitM Attacks” (31 July 2025) (The Hacker News)
- Reuters: “Russia’s FSB targets foreign embassies in Moscow” (31 July 2025) (Reuters)
- Microsoft Threat Intelligence: Void Blizzard & Seashell Blizzard profiling (2025) (Microsoft)