ICS Labs Outbreak Alert - Secret Blizzard
- Security Team

- Aug 4
- 1 min read


Microsoft Threat Intelligence has uncovered a cyber espionage campaign by an actor tracked as Secret Blizzard, targeting embassies located in Moscow by leveraging an adversary-in-the-middle (AiTM) position to deploy its own customized malware, ApolloShadow. Recently, it was confirmed that the actor is capable of conducting cyber espionage at the Internet Service Provider (ISP) level. The activities carried out by Secret Blizzard overlap with those attributed to VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.
ApolloShadow works by getting the victim to install a fake root certificate disguised as Kaspersky Anti-Virus. From its AiTM position the actor abuses an otherwise legitimate captive portal, redirecting the user to an illegitimate page that tricks them into installing the malware. Once installed, it can create an administrator account on the infected host and maintain persistent access.
Indicators of Compromise (IOCs)
- kav-certificates[.]info – domain from which the actor's malware is downloaded.
- 45.61.149[.]109 – IP address controlled by the actor.
- 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 – SHA256 hash of the malware.
- CertificateDB.exe – file name associated with ApolloShadow.
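As an added example (not part of the original alert), the script below shows how a defender would sweep telemetry for the four indicators listed above: it refangs the defanged values, anchors each one so it cannot match inside a longer token, and summarizes hits per client. The DNS, proxy and process-creation log lines are constructed for illustration and the field names (`client=`, `query=`, `dst=`, `sha256=`) are assumptions about a hypothetical log format; only the indicators come from the alert.

```python
import re
from collections import defaultdict

# Indicators exactly as listed in the alert above, in defanged form.
DEFANGED_IOCS = {
    "domain": "kav-certificates[.]info",
    "ip": "45.61.149[.]109",
    "sha256": "13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20",
    "filename": "CertificateDB.exe",
}


def refang(value: str) -> str:
    """Convert a defanged indicator back to its literal form so it can be matched in logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(defanged: dict) -> dict:
    """Compile one anchored, case-insensitive regex per indicator.

    The lookarounds stop longer tokens such as 145.61.149.109 or
    45.61.149.1090 from being reported as hits on the real indicator.
    """
    patterns = {}
    for kind, value in defanged.items():
        literal = re.escape(refang(value))
        patterns[kind] = re.compile(
            r"(?<![A-Za-z0-9-])" + literal + r"(?![A-Za-z0-9-])", re.IGNORECASE
        )
    return patterns


PATTERNS = build_patterns(DEFANGED_IOCS)

# Constructed sample telemetry (not real log data); the field layout is an assumption.
SAMPLE_LOGS = [
    "2025-07-31T09:12:03Z dns client=10.20.0.14 query=kav-certificates.info type=A",
    "2025-07-31T09:12:05Z proxy client=10.20.0.14 dst=45.61.149.109:443 host=kav-certificates.info",
    "2025-07-31T09:12:40Z proc client=10.20.0.14 image=C:\\Users\\u\\Downloads\\CertificateDB.exe "
    "sha256=13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20",
    "2025-07-31T09:15:00Z dns client=10.20.0.22 query=update.example.org type=A",
    "2025-07-31T09:16:11Z proxy client=10.20.0.22 dst=145.61.149.109:443 host=mirror.example.org",
]

CLIENT_RE = re.compile(r"client=(\S+)")


def match_line(line: str) -> set:
    """Return the set of indicator kinds found in one log line."""
    return {kind for kind, pat in PATTERNS.items() if pat.search(line)}


def sweep(lines) -> dict:
    """Map each client that hit at least one indicator to the kinds of indicators it hit."""
    hits = defaultdict(set)
    for line in lines:
        kinds = match_line(line)
        if not kinds:
            continue
        m = CLIENT_RE.search(line)
        client = m.group(1) if m else "unknown"
        hits[client] |= kinds
    return dict(hits)


def assess(kinds: set) -> str:
    """Rough triage: a hash or file-name hit means the dropper reached the host;
    network-only hits mean the host at least contacted actor infrastructure."""
    if kinds & {"sha256", "filename"}:
        return "host-level: ApolloShadow artifact present, isolate and image the host"
    if kinds & {"domain", "ip"}:
        return "network-level: contact with actor infrastructure, review the host"
    return "no match"


if __name__ == "__main__":
    for client, kinds in sweep(SAMPLE_LOGS).items():
        print(client, sorted(kinds), "->", assess(kinds))
```

Because the public root-certificate trick only pays off once the dropper runs, a host with a hash or file-name hit should be treated differently from one that merely resolved the domain; the `assess` helper encodes that distinction so the two cases are not triaged identically.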
Latest Updates
- January 9, 2018 – WeLiveSecurity posts about a cyber espionage group named Turla, operating through backdoors and man-in-the-middle attacks.
- May 9, 2023 – CISA publishes information on a tool called "Snake" developed by the group "Uroburos."
- July 31, 2025 – Microsoft Threat Intelligence reports on Secret Blizzard.