Microsoft has uncovered a new cyber espionage campaign by the Russian state actor Secret Blizzard, which is targeting embassies located in Moscow.
The attacks are assisted by official Russian domestic intercept systems and involve the use of malicious files masquerading as Kaspersky anti-virus software.
“This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers,” the researchers wrote in a blog dated July 31.
Secret Blizzard is an advanced persistent threat (APT) group that US authorities have attributed to Russia’s Federal Security Service (FSB).
It targets ministries of foreign affairs, embassies, government offices and defense-related companies, using tactics such as AiTM and spear-phishing, leveraging in-house tools and malware.
In late 2024, Microsoft published a series of reports on Secret Blizzard, highlighting its use of other threat actors’ infrastructure and tools, including cybercriminals and other cyber espionage groups.
AiTM Enabled by Lawful Intercept
Microsoft first observed Secret Blizzard conducting the cyber espionage campaign against foreign embassies located in Moscow in February 2025.
It is the first time the threat actor has been observed conducting espionage activities against foreign and domestic entities at the Internet Service Provider (ISP) level.
The newly discovered campaign uses an adversary-in-the-middle (AiTM) position to deploy Secret Blizzard’s custom ApolloShadow malware, enabling the group to maintain persistence on diplomatic devices. AiTM is when an attacker positions themselves between two or more networks to support follow-on activity.
This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard within those services.
The researchers believe that Secret Blizzard’s AiTM position is likely facilitated by lawful intercept, such as Russia’s domestic intercept system the System for Operative Investigative Activities.
This enables the attacker to redirect target devices by putting them behind a captive portal.
Such systems are likely integral to enabling the group’s large-scale operations.
Once behind a captive portal, the Windows Test Connectivity Status Indicator is initiated, a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect which should direct to msn[.]com.
When a target system opens the browser window to this address, it is redirected to a separate actor-controlled domain that likely displays a certificate validation error which prompts the target to download and execute ApolloShadow.
Following execution, this malware checks for the privilege level of the ProcessToken. If the device is not running on default administrative settings, ApolloShadow prompts the user to install certificates under a file that masquerades as a Kaspersky installer.
When launched, this file installs root certificates, enabling the actor to gain elevated privileges in the system.
This enables persistent access to the network, likely for intelligence collection.
When the process is executed with sufficient elevated privileges, ApolloShadow alters the host by setting all networks to Private. This induces several changes, allowing the host device to become discoverable and relaxing firewall rules to enable file sharing.
How Moscow-Based Embassies Can Protect Themselves
Microsoft has advised Moscow-based embassies to route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider, to help protect against Secret Blizzard’s AiTM tactic.
Other recommendations include:
- Practice the principle of least privilege, and regularly audit privileged account activity in your environments
- Avoid the use of domain-wide, admin-level service accounts and restrict local administrative privileges
- Block executable files from running unless they meet a prevalence, age or trusted list criterion
- Block execution of potentially obfuscated scripts