Snowblind: The Invisible Hand of Secret Blizzard
Dec. 5, 2024, 10:24 a.m.
Description
A Russia-based threat actor, Secret Blizzard, has infiltrated 33 command-and-control nodes of a Pakistan-based actor, Storm-0156. Over two years, Secret Blizzard leveraged this access to deploy malware into Afghan government networks and potentially acquired data from Pakistani operators' workstations. They expanded their focus to include two other malware families, Waiscot and CrimsonRAT, used against Indian targets. The campaign demonstrates Secret Blizzard's meticulous approach to expanding operations in the Middle East, exploiting other actors' infrastructure to avoid attribution and gain sensitive information. This strategy allows them to remotely acquire data without exposing their own tools, taking advantage of the foothold created by the original threat actor.
Tags
Date
- Created: Dec. 5, 2024, 2:56 a.m.
- Published: Dec. 5, 2024, 2:56 a.m.
- Modified: Dec. 5, 2024, 10:24 a.m.
Additional Information
- Defense
- Government
- British Indian Ocean Territory
- Afghanistan
- India
- Pakistan