2025-08-07

Russian State Actor Deploys ApolloShadow in Embassy Espionage Campaign

Level: Tactical | Source: Microsoft | Global

A cyberespionage campaign by the Russian state-aligned threat group Secret Blizzard (also tracked as Turla, Venomous Bear, and Waterbug) has been observed targeting foreign embassies in Moscow with adversary-in-the-middle (AiTM) techniques and a custom malware family, ApolloShadow. Microsoft has tracked the campaign since early 2024 and attributes Secret Blizzard to Russia's Federal Security Service (FSB), specifically Center 16. According to Microsoft, the group has exploited its likely lawful-intercept access at the ISP level to compromise diplomatic targets. “The Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target’s browsing in clear text including the delivery of certain tokens and credentials,” Microsoft reports. In practice, a rogue root that the victim trusts lets the interception point terminate and re-sign TLS sessions without triggering a browser warning; the cleartext exists at the AiTM position, not on the wire to the victim, which is why the certificate installation is the pivotal step of the chain. The campaign represents a high-risk operation inside Russian territory, with Microsoft's advisory noting that “diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets.” Though geographically specific, Microsoft stresses that its defensive guidance applies to entities outside Russia as well.

The campaign uses the AiTM position to drop victims onto a captive portal, intercepting traffic intended for legitimate services. Microsoft reports that the mechanism reroutes requests for "msftconnecttest[.]com/redirect" to an actor-controlled domain. That URL is the one Windows' Network Connectivity Status Indicator (NCSI) fetches to detect captive portals, so the hijack appears to the operating system as an ordinary hotel-style login page rather than an attack. Once redirected, the target is prompted, often under the pretext of a certificate validation error, to download and execute a file masquerading as a legitimate installer, "CertificateDB.exe". Running it deploys ApolloShadow. ApolloShadow first checks the token privilege level via the "ProcessToken" API to choose its execution path. In low-privilege scenarios, the malware collects host IP data using "GetIpAddrTable", encodes it, and exfiltrates it in a crafted GET request to a spoofed Digicert subdomain. The response carries a second-stage VBScript, which ApolloShadow writes to the user's temp directory under a decoded filename (e.g., "edgB4ACD.vbs") and runs with "wscript" through a "CreateProcessW" call. At this stage the process-tree signal to hunt for is "wscript.exe" launched by the dropper with a ".vbs" argument in "%TEMP%".
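The probe hijack described above can be checked from an endpoint without any vendor tooling. The following PowerShell is an added example, not code from Microsoft's report or from this summary. It relies on the documented NCSI behaviour that "connecttest.txt" returns the literal body "Microsoft Connect Test"; the list of hosts that "/redirect" is allowed to send the client to is an assumption that should be adjusted to what the organisation observes on a clean network.

```powershell
# Added example (not Microsoft's or Anvilogic's code): detect a captive-portal style hijack of the
# Windows connectivity probe. Expected body is documented NCSI behaviour; $TrustedHosts is an assumption.
function Test-NcsiHijack {
    param(
        [string]$ProbeUrl     = 'http://www.msftconnecttest.com/connecttest.txt',
        [string]$RedirectUrl  = 'http://www.msftconnecttest.com/redirect',
        [string[]]$TrustedHosts = @('www.msftconnecttest.com', 'go.microsoft.com', 'www.microsoft.com')
    )
    $findings = @()

    function Invoke-NoRedirect([string]$Url) {
        # With AllowAutoRedirect off, HttpWebRequest hands back the 3xx itself instead of following
        # it, so we can see where a hijacked probe is being sent.
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.AllowAutoRedirect = $false
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        try {
            $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
            [pscustomobject]@{
                Status   = [int]$resp.StatusCode
                Location = $resp.Headers['Location']
                Body     = $body
            }
        } finally { $resp.Close() }
    }

    try {
        # 1. The plain probe must come back 200 with the exact expected body, never a 302.
        $probe = Invoke-NoRedirect $ProbeUrl
        if ($probe.Status -ne 200 -or $probe.Body.Trim() -ne 'Microsoft Connect Test') {
            $findings += "connecttest.txt tampered: HTTP $($probe.Status), body '$($probe.Body.Trim())', Location '$($probe.Location)'"
        }
        # 2. /redirect legitimately redirects; what matters is where it points.
        $redir = Invoke-NoRedirect $RedirectUrl
        if ($redir.Location) {
            $dest = ([uri]$redir.Location).Host
            if ($TrustedHosts -notcontains $dest) {
                $findings += "/redirect points at untrusted host: $dest"
            }
        }
    } catch {
        $findings += "Probe request failed: $($_.Exception.Message)"
    }

    # 3. Supporting signal only: local captive portals often answer from RFC 1918 space.
    #    An ISP-level AiTM does not need to alter DNS, so a clean result here proves nothing.
    $addrs   = [System.Net.Dns]::GetHostAddresses(([uri]$ProbeUrl).Host) | ForEach-Object { $_.ToString() }
    $private = $addrs | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
    if ($private) { $findings += "Probe host resolves to private address: $($private -join ',')" }

    [pscustomobject]@{ Hijacked = ($findings.Count -gt 0); Findings = $findings }
}

Test-NcsiHijack | Format-List
```

Run it from the suspect network path (the embassy's local ISP, in the scenario above) and compare against a run over a trusted VPN; a redirect destination that differs between the two is the AiTM showing itself.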

If the target grants elevation at the User Account Control (UAC) prompt that "ShellExecuteA" raises, ApolloShadow runs its high-privilege routine, which alters system-level configuration to secure long-term access and ease lateral movement. One change switches every network profile to private by editing the registry under HKLM\"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" and setting each profile's "Category" value to 0. (In the documented NetworkList schema, Category 0 is Public, 1 is Private and 2 is Domain; whatever value a given sample writes, the defensive signal is a modification of this value by a process other than the network location service, since the Private classification is what the less restrictive firewall profile applies to.) Simultaneously, the malware uses Component Object Model (COM) objects to enable specific firewall rule groups; strings decoded in memory are assembled into commands that turn on "Network Discovery" and "File and Printer Sharing". Both expose SMB and discovery protocols to the local network, which is what makes subsequent lateral movement low-friction.

To cement its presence, ApolloShadow writes two malicious root certificates to "%TEMP%" and installs them with "certutil.exe" and the "-addstore" flag, one into the root store and the other into the enterprise certificate store, then deletes the temporary files. Because the files are removed, the durable indicators are the certificates in the machine stores and the certutil command line, not artifacts on disk. Recognizing that Firefox does not honor the system certificate store by default, ApolloShadow also modifies Firefox's local preferences, writing "wincert.js" to set "security.enterprise_roots.enabled", so that browser trusts the rogue roots as well. The final step is a persistent local administrator account: the hardcoded name "UpdatusUser" is created through the Windows API "NetUserAdd" with a password set never to expire, preserving administrative access even if the original infection vector is removed.
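The two paragraphs above list five host-level changes that survive the deletion of the dropper: network profile categories, firewall rule groups, root certificates, the Firefox preference, and the local administrator account. The PowerShell below is an added triage example, not Microsoft's or Anvilogic's code, that checks each of them on a live host. Assumptions: the Firefox directories searched, the "Kaspersky" subject pattern used to spot the lure certificates, and the 14-day recency window are all hypothetical defaults; the firewall group names are the English display names and must be localized on other-language systems; run it elevated.

```powershell
# Added host-triage example (not Microsoft's or Anvilogic's code) for the post-UAC changes the
# report attributes to ApolloShadow. Firefox paths, the 'Kaspersky' subject pattern and the
# 14-day window are assumptions. Run from an elevated PowerShell.
function Get-ApolloShadowArtifacts {
    [CmdletBinding()]
    param(
        [string]$SuspectAccount     = 'UpdatusUser',
        [string]$FirefoxPrefFile    = 'wincert.js',
        [string]$RootSubjectPattern = 'Kaspersky',
        [int]$RecentDays            = 14
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Area, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
    }

    # 1. Network profile category. Documented schema: 0 = Public, 1 = Private, 2 = Domain.
    #    Every profile is reported so the analyst can diff against a baseline rather than
    #    trust a single magic value.
    $profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    Get-ChildItem $profiles -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        Add-Finding 'NetworkProfile' ("{0}: Category={1}" -f $p.ProfileName, $p.Category)
    }

    # 2. Firewall rule groups, queried through the same COM interface (INetFwPolicy2) the
    #    malware drives when it enables them.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
        if ($fw.IsRuleGroupCurrentlyEnabled($group)) {
            Add-Finding 'Firewall' "Rule group enabled on the active profile: $group"
        }
    }

    # 3. Root certificates: self-signed roots added recently or matching the lure's subject.
    #    Microsoft-distributed roots live in AuthRoot; certutil -addstore lands in Root.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        ($_.Subject -eq $_.Issuer) -and
        ($_.NotBefore -gt $cutoff -or $_.Subject -match $RootSubjectPattern)
    } | ForEach-Object {
        Add-Finding 'RootCert' ("{0} thumbprint={1} notBefore={2:u}" -f $_.Subject, $_.Thumbprint, $_.NotBefore)
    }

    # 4. Firefox forced to trust the OS store, either via the named file or any pref file
    #    that flips security.enterprise_roots.enabled to true.
    $prefDirs = @("$env:ProgramFiles\Mozilla Firefox\defaults\pref",
                  "${env:ProgramFiles(x86)}\Mozilla Firefox\defaults\pref",
                  "$env:APPDATA\Mozilla\Firefox\Profiles")
    Get-ChildItem $prefDirs -Recurse -Include '*.js' -ErrorAction SilentlyContinue | ForEach-Object {
        $hit = Select-String -Path $_.FullName -Pattern 'security\.enterprise_roots\.enabled"\s*,\s*true' -Quiet
        if ($hit -or $_.Name -ieq $FirefoxPrefFile) {
            Add-Finding 'Firefox' "enterprise_roots enabled via $($_.FullName)"
        }
    }

    # 5. Hardcoded backdoor account: does it exist, is its password non-expiring, is it an admin.
    $acct = Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue
    if ($acct) {
        $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -like "*\$SuspectAccount" })
        Add-Finding 'LocalAccount' ("{0} exists; PasswordNeverExpires={1}; Administrators={2}" -f
            $acct.Name, ($null -eq $acct.PasswordExpires), $isAdmin)
    }
    return $findings
}

Get-ApolloShadowArtifacts | Format-Table -AutoSize
```

Only the "LocalAccount" and "Firefox" checks are strong on their own; a Private profile or an enabled "File and Printer Sharing" group is common on managed networks, so those rows are meant to be compared with the organisation's baseline, and the certificate row should be confirmed against the Microsoft Trusted Root Program list before the root is removed.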

Microsoft advises entities, particularly those operating within Russia, to route traffic through encrypted VPN tunnels to trusted networks or to use providers outside the control of local infrastructure, so that the ISP-level AiTM sees only the tunnel's ciphertext. A VPN does not, however, undo a rogue root certificate already installed on the endpoint, so it must be paired with host remediation. Additional recommendations include enforcing least privilege, auditing privileged accounts, and removing unnecessary local administrator permissions, all of which bear directly on the UAC-gated high-privilege path described above. Microsoft also recommends enabling attack surface reduction rules, running endpoint detection in block mode, and applying behavioral blocking. These layered mitigations reduce exposure to persistence techniques like those used by ApolloShadow and help prevent credential exfiltration or unauthorized configuration changes. Microsoft emphasizes that while this campaign targets diplomatic missions in Russia, the tradecraft and infection chain are relevant to any organization defending against AiTM-enabled threats.
