Secret Blizzard APT Group Targets Diplomats with Fake Kaspersky Antivirus in Sophisticated ISP Attack

CyberSecureFox 🦊

Microsoft Threat Intelligence researchers have uncovered a sophisticated cyber espionage campaign targeting foreign diplomatic personnel in Moscow. The Secret Blizzard APT group, also known as Turla, Waterbug, and Venomous Bear, has developed an innovative attack vector that leverages compromised internet service providers to distribute malware disguised as legitimate Kaspersky antivirus software.

ISP Infrastructure Compromise Enables Man-in-the-Middle Attacks

The campaign, first detected in February 2025 but active since 2024, demonstrates the group’s ability to compromise ISP network infrastructure and conduct adversary-in-the-middle (AitM) attacks. By gaining privileged access to unidentified internet service providers, Secret Blizzard can intercept and manipulate network traffic targeting specific diplomatic entities.

The attack methodology involves redirecting targeted users to malicious websites that meticulously mimic trusted platforms. This traffic manipulation creates a false sense of security while positioning attackers to deliver their payload through what appears to be legitimate software distribution channels.

ApolloShadow Malware Masquerades as Kaspersky Installation

At the core of this operation lies ApolloShadow malware, distributed through a convincing fake Kaspersky antivirus installer. When victims are redirected to attacker-controlled domains, they encounter simulated certificate verification errors that prompt them to download the malicious installer as a “security solution.”

Upon execution, ApolloShadow inspects the privilege level of its own process token. If the process is not already running with administrator rights, the malware triggers a User Account Control (UAC) prompt to request elevation, mimicking the behavior of legitimate installers that users are accustomed to approving.

Root Certificate Installation for Persistent Access

The malware employs a component called CertificateDB.exe, disguised as a Kaspersky antivirus module, to install root certificates on compromised systems. This is one of the most concerning aspects of the attack: once an attacker-controlled root certificate is trusted, TLS certificates issued under it pass the system’s standard certificate validation, giving the attackers long-term covert access.

By installing malicious root certificates, Secret Blizzard can effectively convince compromised systems to treat their malicious web resources as legitimate and secure. This approach enables sustained surveillance capabilities and data exfiltration while remaining largely undetected by conventional security measures.
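A defender-side check for the persistence technique described above, added here as an example and not code from the article or from Microsoft’s report: it compares the machine’s trusted root store against a baseline captured on a known-good build and reports any root certificate that was added since. The baseline path is an assumed placeholder.

```powershell
# Added example (not from the article): diff the LocalMachine Root store
# against a baseline of thumbprints captured on a known-good system.
# $BaselinePath is an assumed location; change it to suit your environment.
param(
    [string]$BaselinePath = "C:\Baseline\root-thumbprints.txt",
    [switch]$WriteBaseline
)

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root

if ($WriteBaseline) {
    # First run on a trusted image: record what the store should contain.
    $roots | Select-Object -ExpandProperty Thumbprint |
        Sort-Object | Set-Content -Path $BaselinePath
    Write-Output "Baseline written: $($roots.Count) root certificates"
    return
}

# Load the baseline into a hashtable for O(1) lookups.
$baseline = @{}
Get-Content -Path $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }

$findings = foreach ($cert in $roots) {
    if ($baseline.ContainsKey($cert.Thumbprint.ToUpper())) { continue }
    # Anything absent from the baseline is suspect. A recently created,
    # self-signed root is the footprint a fake "antivirus" installer leaves.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        DaysOld    = [int]((Get-Date) - $cert.NotBefore).TotalDays
    }
}

if ($findings) {
    Write-Warning "Root certificates not present in baseline:"
    $findings | Sort-Object DaysOld | Format-Table -AutoSize
} else {
    Write-Output "Root store matches baseline."
}
```

Run it once with `-WriteBaseline` on a clean build, then schedule the plain run; a new self-signed root with a low DaysOld value is worth treating as an incident rather than a false positive.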

Unprecedented Threat to Diplomatic Communications

This campaign poses exceptional risks to diplomatic personnel who rely on local telecommunications infrastructure and internet services. Microsoft emphasizes that this represents the first documented evidence of Secret Blizzard’s capability to conduct espionage operations at the ISP level, marking a significant escalation in the group’s operational sophistication.

The implications for diplomatic security are severe, as AitM attacks can intercept sensitive communications, compromise classified information, and potentially expose state secrets. The targeting of diplomatic missions suggests state-sponsored objectives aimed at gathering intelligence on foreign government activities and personnel.

Unknown ISP Collaboration Raises Security Concerns

Microsoft researchers noted that the exact nature of the relationship between Secret Blizzard and the compromised internet service providers remains unclear. This uncertainty raises critical questions about the extent of telecommunications infrastructure compromise and whether ISPs were unwilling victims or potential collaborators in these operations.

The discovery underscores the urgent need for enhanced cybersecurity measures within diplomatic missions operating in high-risk environments. Organizations must implement comprehensive defense strategies including certificate validation protocols, network traffic monitoring, and regular security awareness training. As APT groups continue evolving their tactics to exploit infrastructure-level vulnerabilities, diplomatic entities must adopt zero-trust security models and maintain heightened vigilance against sophisticated social engineering attacks masquerading as legitimate software updates.
