Secret Blizzard, a Russian state-sponsored actor, has been conducting a cyberespionage campaign against embassies in Moscow using an adversary-in-the-middle (AiTM) technique. Operating from a position at the Internet Service Provider level, the actor redirects targeted connections to a captive portal that tricks the user into downloading and executing the custom ApolloShadow malware. Once installed, ApolloShadow adds root certificates to the host's trust store, alters its network settings, and creates an administrative user account, giving the actor persistent access to the diplomatic device for intelligence collection. The campaign poses a significant risk to foreign embassies and diplomatic entities operating in Moscow, particularly those that rely on local internet providers.

Author: AlienVault
Related Tags:
ApolloShadow
T1553.004 (Subvert Trust Controls: Install Root Certificate)
T1078.003 (Valid Accounts: Local Accounts)
T1562.004 (Impair Defenses: Disable or Modify System Firewall)
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1557 (Adversary-in-the-Middle)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1543.003 (Create or Modify System Process: Windows Service)
Russian Federation
Associated Indicators:
kav-certificates.info
45.61.149.109
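The following PowerShell hunting script is an added example, not code from the AlienVault pulse or from the underlying Microsoft analysis. It checks a Windows host for the artefacts the summary attributes to ApolloShadow (newly trusted root certificates, a new local administrator, altered network profiles, Run-key and service persistence) and for the two indicators listed on this page. It assumes Windows 10/11 or Server 2016+ with Windows PowerShell 5.1 or later, run from an elevated prompt; the 90-day lookback window is an illustrative threshold, not a value from the report.

```powershell
# Added host-hunting script for the ApolloShadow behaviours described above.
# Not code from the AlienVault pulse or from Microsoft's analysis.
# Assumptions: Windows 10/11 or Server 2016+, Windows PowerShell 5.1+, run elevated.
# The 90-day window is an illustrative default, not a figure from the report.

$Indicators = @('kav-certificates.info', '45.61.149.109')   # the two indicators listed on the page
$Lookback   = (Get-Date).AddDays(-90)

Write-Host '== Root CA certificates with a recent NotBefore (T1553.004) =='
# The store keeps no install timestamp, so NotBefore is a proxy: a freshly minted attacker
# root is usually young. Self-signed (Subject equals Issuer) is the hallmark of a root.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $Lookback } |
        Select-Object @{n='Store'; e={ $store }}, Subject, NotBefore, Thumbprint |
        Format-Table -AutoSize
}

Write-Host '== Enabled local accounts and local-administrator membership (T1078.003) =='
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PasswordLastSet, LastLogon,
        @{n='IsAdmin'; e={ $name = $_.Name; [bool]($admins | Where-Object { $_ -like "*\$name" }) }} |
    Format-Table -AutoSize

Write-Host '== Local accounts created in the lookback window (Security event 4720) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Lookback } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='NewAccount'; e={ $_.Properties[0].Value }} |   # Properties[0] = TargetUserName
    Format-Table -AutoSize

Write-Host '== Network profile category and firewall state (T1562.004) =='
# A profile switched from Public to Private relaxes the host firewall's default posture.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

Write-Host '== Page indicators in the hosts file, DNS cache and live TCP connections (T1557) =='
$hostsFile = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
$dnsCache  = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($ioc in $Indicators) {
    $pattern = [regex]::Escape($ioc)
    $hostsFile | Where-Object { $_ -match $pattern } | ForEach-Object { "hosts file : $_" }
    $dnsCache  | Where-Object { $_.Entry -match $pattern -or $_.Data -eq $ioc } |
        ForEach-Object { "dns cache  : $($_.Entry) -> $($_.Data)" }
}
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $Indicators } |
    Select-Object RemoteAddress, RemotePort, State, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Format-Table -AutoSize

Write-Host '== Run-key entries and services outside the Windows directory (T1547.001, T1543.003) =='
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* |
        Format-List
}
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize -Wrap
```

Save the script as a .ps1 file and run it from an elevated prompt on the suspect host. Every section produces leads rather than verdicts: a young self-signed root, an unexpected local administrator, a Private network profile on an untrusted network, or a service binary outside the Windows directory each needs to be compared with a known-good baseline for that machine before being treated as a finding.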