Microsoft Threat Intelligence has confirmed that the Russian state-sponsored threat actor known as Secret Blizzard is conducting a cyber espionage campaign targeting foreign embassies operating in Moscow. Using an adversary-in-the-middle, or AiTM, position at the internet service provider level, the group has been deploying a custom malware known as ApolloShadow to gain persistent access to diplomatic devices and collect intelligence.
Microsoft said the campaign has been active since at least 2024 and poses a significant threat to diplomatic entities and organizations using local telco services.
ApolloShadow Malware Deployment
In this most recent campaign, Microsoft observed Secret Blizzard deploying the ApolloShadow malware through an AiTM setup, where the attacker is placed between the target and their intended network destination.
When a user connects, the malware intercepts communication meant for a Microsoft test server and instead pushes a fake Kaspersky Anti-Virus installer named “CertificateDB.exe.”
Once executed, the file checks whether the user has administrative rights and, if not, prompts for elevated privileges. With that access granted, the malware installs a malicious root certificate, so that attacker-controlled certificates appear trusted and the group can intercept and read the device's encrypted traffic from its AiTM position.
Defending Against Secret Blizzard
To help organizations defend against the threat, Microsoft recommends the following mitigation steps:
- Use virtual private networks, preferably from satellite-based or foreign-controlled providers.
- Enforce least-privilege access policies across all systems and avoid domain-wide administrative accounts.
- Routinely audit users with elevated rights.
- Enable cloud-delivered protection in antivirus software to detect and block emerging malware variants quickly.
- Turn on endpoint detection and response tools in block mode to automatically stop malicious behaviors.
Microsoft also shared several indicators of compromise tied to the campaign:
- The malware’s domain is kav-certificates[.]info.
- The associated IP address is 45.61.149[.]109.
- The malware file is named CertificateDB.exe, disguised as a legitimate antivirus installer.
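As an added, defender-side example that is not part of Microsoft's report or of this article: a small Python hunt that refangs the three indicators above and matches them against DNS, network, process and certificate-store telemetry. The log format, the host name EMB-WS-07, the timestamps and the sample records are all constructed for illustration and assume nothing about any vendor's schema. The certificate check flags any addition to the trusted root store, the behaviour described in the campaign section above, not only an addition attributed to CertificateDB.exe.

```python
"""Hunt telemetry for the ApolloShadow indicators Microsoft published.

Added example; the log format below is constructed for illustration and does
not correspond to any particular vendor's schema."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators as published in the report, kept in defanged form.
DEFANGED_IOCS = {
    "domain": "kav-certificates[.]info",
    "ip": "45.61.149[.]109",
    "file": "CertificateDB.exe",
}


@dataclass
class Finding:
    line_no: int      # 1-based line within the scanned log text
    indicator: str    # which indicator (or behaviour label) matched
    reason: str


def refang(value: str) -> str:
    """Undo common defanging ("[.]" and "hxxp") so an indicator can be compared with raw logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Records look like: <source> <timestamp> key=value key="quoted value" ...  (constructed format)
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> tuple[str, dict[str, str]]:
    """Split a record into its source tag and a dict of key=value fields."""
    source, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(rest)}
    return source, fields


def _same_ip(a: str, b: str) -> bool:
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def hunt(log_text: str, iocs: dict[str, str] = DEFANGED_IOCS) -> list[Finding]:
    """Return one Finding per log line that matches an indicator or the root-store behaviour."""
    domain = refang(iocs["domain"]).lower()
    ip = refang(iocs["ip"])
    file_name = iocs["file"].lower()
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        source, f = parse_record(line)
        if source == "dns":
            q = f.get("query", "").lower().rstrip(".")
            if q == domain or q.endswith("." + domain):   # the domain and any subdomain
                findings.append(Finding(line_no, iocs["domain"], f"DNS lookup of {q}"))
        elif source == "net" and _same_ip(f.get("dst", ""), ip):
            findings.append(Finding(line_no, iocs["ip"], f"connection to {f['dst']}:{f.get('dport', '?')}"))
        elif source == "proc" and _basename(f.get("image", "")).lower() == file_name:
            elevated = f.get("elevated") == "true"
            findings.append(Finding(line_no, iocs["file"], f"{f['image']} launched (elevated={elevated})"))
        elif source == "cert" and f.get("store") == "Root" and f.get("action") == "add":
            # Any addition to the machine's trusted root store deserves review; the
            # report describes ApolloShadow installing exactly such a certificate.
            by = f.get("process", "unknown process")
            label = iocs["file"] if by.lower() == file_name else "root-store-add"
            findings.append(Finding(line_no, label, f"trusted root certificate added by {by}"))
    return findings


# Constructed sample telemetry (not real data) from a hypothetical workstation EMB-WS-07.
SAMPLE_LOGS = r"""
dns 2025-07-31T09:12:03Z host=EMB-WS-07 query=www.example.org type=A
dns 2025-07-31T09:12:05Z host=EMB-WS-07 query=kav-certificates.info type=A
net 2025-07-31T09:12:06Z host=EMB-WS-07 dst=45.61.149.109 dport=443 proto=tcp
proc 2025-07-31T09:12:40Z host=EMB-WS-07 image=C:\Users\user\Downloads\CertificateDB.exe elevated=true
cert 2025-07-31T09:12:44Z host=EMB-WS-07 store=Root action=add process=CertificateDB.exe
net 2025-07-31T09:13:00Z host=EMB-WS-07 dst=192.0.2.10 dport=80 proto=tcp
proc 2025-07-31T09:13:21Z host=EMB-WS-07 image=C:\Windows\System32\notepad.exe elevated=false
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit.line_no}: [{hit.indicator}] {hit.reason}")
```

Run as-is the script reports the four lines of constructed telemetry that touch the campaign: the DNS lookup, the connection to the listed IP, the elevated launch of CertificateDB.exe and the root-store addition it performed. Point `hunt()` at exported logs in the same key=value shape to reuse it; the indicators are kept defanged in the source so the file itself never contains a live domain or address.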
Secret Blizzard, attributed by the U.S. Cybersecurity and Infrastructure Security Agency as Center 16 of the Russian Federal Security Service, is also known by aliases such as VENOMOUS BEAR, Turla, Snake and Waterbug. Microsoft urges all organizations operating in Moscow to immediately improve protection and mitigate threats.