Microsoft warns that a cyber-espionage group linked to Russia's Federal Security Service (FSB) is targeting diplomatic missions in Moscow using local internet service providers.
The hacking group tracked by Microsoft as Secret Blizzard (also known as Turla, Waterbug, and Venomous Bear) has been observed exploiting its adversary-in-the-middle (AiTM) position at the internet service provider (ISP) level to infect the systems of diplomatic missions with custom ApolloShadow malware.
To do this, they redirect targets to captive portals, tricking them into downloading and executing a malware payload disguised as a Kaspersky antivirus installer.
Once deployed, ApolloShadow installs a trusted root certificate disguised as Kaspersky Anti-Virus. Because the compromised device then trusts any certificate chained to that root, attacker-controlled websites are accepted as legitimate, allowing the threat actors to maintain long-term access for intelligence gathering after infiltrating diplomatic systems.
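A defender-side check for the persistence technique described above, added here as an example and not taken from Microsoft's report: it enumerates the Windows trusted root stores and flags self-signed roots that were issued recently or whose subject names an AV vendor. The 30-day window and the "Kaspersky" name pattern are assumptions chosen to match the disguise the article describes, not indicators from the report.

```powershell
# Added example (not from the article): hunt the Windows trusted root stores
# for roots that look out of place. Assumed parameters: a 30-day "recently
# issued" window and a vendor-name pattern; a hit is a lead, not a verdict.
param(
    [int]$MaxAgeDays = 30,
    [string]$VendorPattern = 'Kaspersky',
    # Optional allowlist of thumbprints your organisation knowingly deployed.
    [string[]]$KnownGoodThumbprints = @()
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        if ($KnownGoodThumbprints -contains $cert.Thumbprint) { return }
        $reasons = @()
        # Every root is self-signed (Subject == Issuer); one that names a
        # commercial AV vendor is unexpected, since vendors normally ship
        # intermediates chained to public roots rather than their own root.
        if ($cert.Subject -match $VendorPattern) {
            $reasons += 'subject matches AV vendor pattern'
        }
        # Public CA roots are years old; a root issued days ago is unusual.
        if ($cert.NotBefore -gt $cutoff) {
            $reasons += "issued after $($cutoff.ToShortDateString())"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No suspicious root certificates found in $($stores -join ', ')."
}
```

Run it with an allowlist of the roots your PKI team deployed on purpose; anything left over should be verified against the vendor's published root fingerprints before being removed.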
"This is the first time Microsoft can confirm Secret Blizzard's capability to conduct espionage at the ISP level, meaning diplomatic personnel using local internet providers and telecommunications in Russia are at high risk of being targets of Secret Blizzard's AiTM position within those services," Microsoft said.
"This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers."
While Microsoft first detected the attacks in February 2025, the company believes this cyber-espionage campaign has been active since at least 2024.
[Figure: Secret Blizzard infection chain (Microsoft)]
Secret Blizzard hackers are also taking advantage of Russia's domestic interception systems, including the System for Operative Investigative Activities (SORM), to carry out their large-scale AiTM campaigns.
Unorthodox cyberspies focused on high-profile targets