Microsoft: Secret Blizzard Attacks Russian Diplomatic Missions, Disguising as Kaspersky Products

Date: 02/08/2025

Microsoft reported that the hacker group Secret Blizzard (also known as Turla, Waterbug, and Venomous Bear) is targeting staff at foreign embassies in Moscow. The report states that the hackers allegedly use a MitM (Man-in-the-Middle) position within internet service providers’ networks and disguise their malware, ApolloShadow, as Kaspersky Lab’s antivirus.

Microsoft Threat Intelligence researchers report that they discovered this campaign in February 2025, but it has been ongoing since at least 2024: the hackers used access to unnamed internet providers’ networks to redirect targeted users to malicious websites that at first glance appear well known and trustworthy.

The main goal of the attackers is to trick the victim into executing a payload disguised as a Kaspersky Lab antivirus installer, which in reality is the ApolloShadow malware.

“As soon as the system opens the browser window to this address, it redirects to a separate domain controlled by the attacker. Most likely, a certificate verification error is displayed there, after which the victim is prompted to download and run ApolloShadow. Once launched, ApolloShadow checks the ProcessToken privilege level. If the device is not operating with default settings (without administrator rights), the malware will display a UAC popup to convince the user to install certificates from a file named CertificateDB.exe. This file is disguised as a Kaspersky installer, and it is needed to install root certificates and obtain elevated privileges in the system,” the company report states.

ApolloShadow installs a root certificate on the device, allowing Secret Blizzard to deceive the compromised system into recognizing malicious sites as legitimate. As a result, hackers gain the ability to maintain long-term access to the victim’s machine, collect data, and continue developing the attack further.
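A root certificate planted this way is what lets the attacker's intercepting site pass TLS validation silently, so the practical check on a Windows host is an audit of the trusted root stores. The script below is an added example, not code from the Microsoft report; it assumes a baseline file of known-good thumbprints exported from a clean reference machine (the path is hypothetical) and flags roots that are missing from that baseline, recently issued, or not self-signed.

```powershell
# Added example (not from the Microsoft report): audit trusted root stores for
# roots absent from a known-good baseline. Both stores are checked because a
# non-elevated installer can still write to the current user's root store.
# Assumption: the baseline is a text file of SHA-1 thumbprints, one per line,
# exported from a clean reference machine (hypothetical path below).
param(
    [string]$BaselinePath = "C:\Baseline\trusted-roots.txt",
    [int]$RecentDays = 30
)

$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object {
        if ($_.Trim()) { $baseline[$_.Trim().ToUpper()] = $true }
    }
}

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$cutoff = (Get-Date).AddDays(-$RecentDays)

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem $store) {
        $thumb   = $cert.Thumbprint.ToUpper()
        $reasons = @()
        # Anything not in the baseline is worth a second look.
        if ($baseline.Count -gt 0 -and -not $baseline.ContainsKey($thumb)) {
            $reasons += 'not-in-baseline'
        }
        # A freshly minted root on a long-lived host is unusual.
        if ($cert.NotBefore -gt $cutoff) { $reasons += "issued-within-$RecentDays-days" }
        # Genuine roots are self-signed; an intermediate in the Root store is odd.
        if ($cert.Subject -ne $cert.Issuer) { $reasons += 'not-self-signed' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $thumb
                Subject    = $cert.Subject
                NotBefore  = $cert.NotBefore
                Reasons    = ($reasons -join ',')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected roots found.' }
```

Run it from an elevated prompt so the machine store is readable in full, and treat any hit as a lead for further investigation rather than proof of compromise, since legitimately deployed enterprise roots will also show up until they are added to the baseline.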

“This is the first instance where Microsoft can confirm the capability of Secret Blizzard to conduct espionage at the level of internet service providers, meaning that diplomatic personnel using local internet providers and telecommunications are at high risk and may become targets of Secret Blizzard’s AitM [Adversary-in-the-Middle] attacks,” states Microsoft.

At the same time, researchers told the media that they “have no understanding of the nature of the relationship between the attackers and the internet service providers.”
