
Frozen in transit: Secret Blizzard's AiTM campaign against diplomats

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

Secret Blizzard, a Russian state-sponsored actor, has been conducting a cyberespionage campaign against foreign embassies in Moscow, using an adversary-in-the-middle (AiTM) position to deliver a custom malware that Microsoft tracks as ApolloShadow. The campaign, ongoing since at least 2024, is a high risk to diplomatic and other sensitive entities that depend on local internet providers in Russia. Because the AiTM position sits at the ISP level, the actor can redirect a target device to a captive portal, where the victim is prompted to run what appears to be a Kaspersky Anti-Virus installer; that installer is ApolloShadow. ApolloShadow installs an actor-controlled root certificate into the device's trusted root store, which makes the device trust actor-controlled sites and defeats TLS certificate validation for any connection the actor intercepts in transit. It also alters host network settings and creates a local administrative user so that the actor retains access to the device, likely for intelligence collection. Microsoft recommends routing all traffic through an encrypted tunnel to a trusted network, or using an alternative provider such as a satellite-based connection, so that local ISP-level interception is not possible.
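The following host audit is an added example for this summary; it is not code from Microsoft's report or from the OpenCTI page. It checks a Windows endpoint for the three persistence artefacts the summary attributes to ApolloShadow: a newly trusted root certificate, a newly created local administrator, and changed host network settings. The baseline file path, the 30-day window, the Security event IDs used for the account check (4720 account created, 4732 member added to a local group) and the particular settings inspected (proxy configuration and the hosts file) are my own choices, since the page names no specific indicators.

```powershell
<#
Added example, not code from Microsoft or the OpenCTI page.
Audits a Windows host for the ApolloShadow persistence artefacts described in
the summary. Run in an elevated PowerShell session (5.1 or later).
Assumptions: the baseline path, the recency window, the event IDs and the
settings checked are illustrative choices, not published indicators.
#>
param(
    [string]$BaselinePath = 'C:\Baselines\root-thumbprints.txt', # assumed path
    [int]$RecentDays = 30                                         # assumed window
)

$findings = New-Object System.Collections.Generic.List[object]
$since    = (Get-Date).AddDays(-$RecentDays)

function Add-Finding($Check, $Detail, $Reason) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Reason = $Reason })
}

# 1. Trusted root certificates. A root certificate the actor controls defeats
#    TLS certificate validation for any connection the AiTM position can
#    intercept, so compare both root stores against a baseline of thumbprints
#    captured from a known-good build. Genuine Kaspersky products also add a
#    root certificate for HTTPS scanning, so the subject match is only a hint.
$baseline = if (Test-Path $BaselinePath) { @(Get-Content $BaselinePath) } else { @() }

foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem $store) {
        $reasons = @()
        if ($baseline.Count -gt 0 -and $cert.Thumbprint -notin $baseline) { $reasons += 'not in baseline' }
        if ($cert.NotBefore -gt $since)       { $reasons += 'issued within window' }
        if ($cert.Subject -match 'Kaspersky') { $reasons += 'subject matches lure name' }
        if ($reasons.Count -gt 0) {
            Add-Finding 'RootCert' "$store $($cert.Thumbprint) $($cert.Subject)" ($reasons -join '; ')
        }
    }
}

# 2. Local administrators. List current members for review, then look for
#    account creation (4720) and local-group membership changes (4732) in the
#    Security log within the window.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    Add-Finding 'AdminMember' $member.Name 'current member of Administrators (review)'
}
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }
foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    Add-Finding 'AccountEvent' "$($evt.TimeCreated) id=$($evt.Id)" ($evt.Message -split "`n")[0]
}

# 3. Host network settings. The page says ApolloShadow alters host settings
#    without naming them; proxy configuration and the hosts file are the two a
#    captive-portal redirect is most likely to touch, so those are checked here.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { Add-Finding 'Proxy' $inet.ProxyServer 'static proxy enabled' }
if ($inet.AutoConfigURL)     { Add-Finding 'Proxy' $inet.AutoConfigURL 'PAC URL configured' }

$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($line in Get-Content $hostsFile) {
    if ($line -match '^\s*(#|$)') { continue }   # skip comments and blank lines
    if ($line -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
        Add-Finding 'HostsFile' $line.Trim() 'non-default hosts entry'
    }
}

$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

Capture the baseline once from a clean image with `Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content C:\Baselines\root-thumbprints.txt`, then run the audit on the suspect host; the non-zero exit code lets it be wired into a scheduled task or EDR response action. Any root certificate that is not in the baseline should be exported and its issuer verified out of band before the host is trusted again.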

OPENCTI LABELS :

russia,cyberespionage,aitm,embassies,diplomats,root certificates,apolloshadow,isp



