Frozen in transit: Secret Blizzard's AiTM campaign against diplomats
Aug. 10, 2025, 8:45 p.m.
Description
Secret Blizzard, a Russian state-sponsored actor, is conducting a cyberespionage campaign against foreign embassies in Moscow, using an adversary-in-the-middle (AiTM) position to deploy the ApolloShadow malware. The campaign has been active since at least 2024 and presents a high risk to diplomatic entities whose connectivity depends on local Russian internet providers. From an AiTM position at the ISP level, the actor redirects a target device to a captive portal that delivers ApolloShadow disguised as a Kaspersky Anti-Virus installer. The malware installs attacker-controlled root certificates, which lets the AiTM operator intercept and decrypt the device's TLS traffic without triggering browser or operating-system certificate warnings. ApolloShadow also alters host settings and creates a local administrative user, giving the actor persistent access to the device for intelligence collection. Microsoft recommends routing all traffic through an encrypted tunnel to a trusted network (for example a VPN, which removes the local ISP's ability to read or redirect the traffic) or using a satellite-based provider instead of a local one.
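The following host hunt is an added example written for this entry; it is not code from Microsoft, from the original report, or from this feed. It turns the description above into checks an analyst can run on a Windows device: unexpected or Kaspersky-named root certificates in the machine and user root stores, local administrator accounts and account-creation events, the SHA-256 and domain indicators listed below, and network profiles switched to Private. The 18-month look-back window, the folders scanned for the dropper, and the use of the network-profile category as an example of an "altered host setting" are this editor's assumptions, not details stated on the page.

```powershell
<#
  Host hunt for the ApolloShadow artifacts described above.
  Editor-added example; not code from Microsoft or from the feed this entry was taken from.
  Assumptions (not stated on the page): 18-month look-back window, the folders scanned for
  the dropper, and the network-profile check as an example of "altered host settings".
  Run in an elevated PowerShell session on the Windows host under review.
#>

# Indicators from the entry above.
$IocSha256 = '13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20'
$IocDomain = 'kav-certificates.info'

function Invoke-ApolloShadowHunt {
    param(
        [datetime]$Cutoff = (Get-Date).AddMonths(-18),   # assumed look-back window
        [string[]]$DropperPaths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop",
                                    $env:TEMP, "$env:SystemRoot\Temp", $env:ProgramData)  # assumed
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Root CA stores: a root claiming to be Kaspersky, or any root minted recently, is flagged.
    #    Root certificates are self-signed, so the issuer is no filter; compare hits to a known baseline.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Kaspersky' -or $_.NotBefore -gt $Cutoff } |
            ForEach-Object {
                $findings.Add("ROOTCERT   $store $($_.Thumbprint) subject='$($_.Subject)' notBefore=$($_.NotBefore.ToString('u'))")
            }
    }

    # 2. Local accounts holding administrative rights (built-in RID 500 excluded), plus
    #    account-creation events (4720) when account-management auditing is enabled.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            $name = ($_.Name -split '\\')[-1]
            $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
            if ($u -and $u.Enabled -and -not $u.SID.Value.EndsWith('-500')) {
                $findings.Add("LOCALADMIN $name passwordLastSet=$($u.PasswordLastSet) lastLogon=$($u.LastLogon)")
            }
        }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Cutoff } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[0] of event 4720 is the SAM name of the newly created account.
            $findings.Add("ACCTCREATED $($_.TimeCreated.ToString('u')) $($_.Properties[0].Value)")
        }

    # 3. The dropper hash from the indicator list, searched in likely download/staging folders.
    foreach ($p in $DropperPaths) {
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -lt 50MB } |
            ForEach-Object {
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h -and $h.Hash -ieq $IocSha256) { $findings.Add("IOCHASH    $($_.FullName)") }
            }
    }

    # 4. Name-resolution traces of the indicator domain: DNS client cache and the hosts file.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$IocDomain*" -or $_.Data -like "*$IocDomain*" } |
        ForEach-Object { $findings.Add("DNSCACHE   $($_.Entry) -> $($_.Data)") }
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    if ((Test-Path $hosts) -and (Select-String -Path $hosts -Pattern ([regex]::Escape($IocDomain)) -Quiet)) {
        $findings.Add("HOSTSFILE  $IocDomain present in $hosts")
    }

    # 5. Network profiles set to Private (assumed example of an altered host setting):
    #    on an untrusted ISP link every profile should normally be Public.
    Get-NetConnectionProfile -ErrorAction SilentlyContinue |
        Where-Object { $_.NetworkCategory -eq 'Private' } |
        ForEach-Object { $findings.Add("NETPROFILE $($_.InterfaceAlias) '$($_.Name)' is Private") }

    return $findings
}

$result = Invoke-ApolloShadowHunt
if ($result.Count -eq 0) { 'No ApolloShadow-related artifacts found by this hunt.' } else { $result }
```

Each finding is a review item rather than a verdict: a recently issued root certificate or a local administrator may be legitimate, so compare the output against a known-good baseline for the device. The script only hashes files under 50 MB in the assumed folders; widen `$DropperPaths` if the device's download locations differ.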
Tags
Date
- Created: Aug. 8, 2025, 4:36 p.m.
- Published: Aug. 8, 2025, 4:36 p.m.
- Modified: Aug. 10, 2025, 8:45 p.m.
Indicators
- 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- kav-certificates.info
Additional Information
- Government