A brief update from this week. Microsoft has uncovered and publicly disclosed a campaign by the Russian cyber group Secret Blizzard. The state-sponsored group is using a man-in-the-middle position (AiTM) to deploy custom malware called ApolloShadow at embassies in Moscow for espionage purposes.
Microsoft Threat Intelligence writes that it has uncovered a cyber espionage campaign by the Russian state actor with the internal designation Secret Blizzard. This actor targets embassies in Moscow in its campaign and uses a man-in-the-middle position (AiTM) to deploy its custom-made ApolloShadow malware.
ApolloShadow installs a trusted root certificate on the target systems to trick devices into trusting malicious websites controlled by the attackers. This gives Secret Blizzard persistent access to diplomats' devices. Microsoft Threat Intelligence believes that the goal of the operation is likely to gather information.
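As an added example (not from this post or from Microsoft's article), the following PowerShell audit lists root-store certificates that are missing from a previously captured baseline or were issued recently, which is the kind of check the root-certificate technique described above calls for on Windows endpoints. The baseline file path and the 90-day window are assumptions.

```powershell
# Added example: audit the Windows root certificate stores against a baseline.
# Run once with -Baseline on a known-good host to record trusted thumbprints,
# then run without it on endpoints to list roots that are new or recently issued.
# Assumptions: baseline path and the 90-day "recent" window are arbitrary choices.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt",
    [switch]$Baseline
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every certificate currently trusted as a root, per store.
$current = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotBefore  = $_.NotBefore
        }
    }
}

if ($Baseline) {
    $current.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Baseline of $($current.Count) root certificates written to $BaselinePath"
    return
}

# Load known-good thumbprints; an empty baseline flags every root, which is intended.
$known = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $known[$_] = $true }
}

# Flag roots that are absent from the baseline or issued within the last 90 days.
$cutoff  = (Get-Date).AddDays(-90)
$suspect = $current | Where-Object {
    (-not $known.ContainsKey($_.Thumbprint)) -or ($_.NotBefore -gt $cutoff)
}

if ($suspect) {
    Write-Warning "Root certificates not in baseline or recently issued:"
    $suspect | Sort-Object NotBefore -Descending | Format-Table Store, NotBefore, Thumbprint, Subject -AutoSize
} else {
    Write-Host "No unexpected root certificates found."
}
```

Any flagged entry should be compared against the IOCs in Microsoft's article and against the organisation's own PKI before it is treated as malicious, since legitimately deployed enterprise roots will also appear if they were added after the baseline.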
Until now it was only loosely assumed that the actor was conducting cyber espionage activities against foreign and domestic institutions within Russian borders. Now Microsoft has the first confirmation that the actor is also capable of infiltrating systems at the Internet service provider (ISP) level.
Therefore, diplomatic staff who use local Internet service providers or telecommunications services in Russia are highly likely to be targets of Secret Blizzard, and their devices have probably been infected. According to Microsoft, this campaign, which has been ongoing since 2024, poses a high risk to embassies and their staff, as well as to sensitive groups operating in Moscow and using local Internet providers.
Microsoft made the campaign public at the end of July 2025 in an article entitled "Frozen in transit: Secret Blizzard's AiTM campaign against diplomats". The article also includes instructions on how organizations can protect themselves against this campaign, as well as indicators of compromise (IOCs) and details on detection.