ApolloShadow
ApolloShadow is a custom malware used in a cyberespionage campaign attributed by Microsoft Threat Intelligence to the Russian state-backed group Secret Blizzard, also known as Turla, Venomous Bear, Uroburos, Waterbug, Pensive Ursa, Wraith, and ATG26, and linked in the reporting to Russia’s FSB Center 16. Public reporting states the campaign targeted foreign embassies in Moscow and had been active since at least 2024. The malware was delivered via ISP- or telco-level adversary-in-the-middle operations in which targets were redirected through a captive portal flow and tricked into downloading a fake certificate installer, including Kaspersky-branded lures such as CertificateDB.exe. ApolloShadow installs a rogue or trusted root certificate on the victim system, causing malicious sites and traffic to appear legitimate and enabling interception, manipulation, and in some reporting TLS/SSL stripping of encrypted web traffic. Reported host actions include attempting privilege escalation, presenting a UAC prompt, changing network profiles to private, weakening or modifying firewall settings to enable file sharing and network discovery, and creating a persistent local administrative account named UpdatusUser with a hardcoded non-expiring password using NetUserAdd. Microsoft assessed these changes likely facilitate persistent access and reduce the difficulty of later lateral movement within embassy networks. Reported exposed data includes browsing activity in clear text as well as certain tokens and credentials. High-confidence indicators and artifacts directly mentioned in the content include the filenames CertificateDB.exe and the account name UpdatusUser, as well as abuse of the Windows connectivity check to redirect traffic from msftconnecttest.com/redirect toward actor-controlled infrastructure.
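The host artifacts listed above (the UpdatusUser local admin, the added root certificate, the Private network profile with sharing and discovery enabled, and the connectivity-check redirect) can be triaged on a suspect Windows host with the script below. It is an added example written for this page, not code from Microsoft's report or from Mallory; the 90-day certificate window and the hostname www.msftconnecttest.com (the NCSI host behind msftconnecttest.com/redirect) are our assumptions.

```powershell
# Added triage script (not from the Microsoft report or the Mallory page).
# Flags the ApolloShadow host artifacts described above. Assumes an elevated
# Windows 10/11 PowerShell session with the built-in LocalAccounts, NetSecurity,
# NetConnection and DnsClient modules.
$findings = @()

# 1. Persistence / privilege escalation: UpdatusUser local admin with a non-expiring password
$u = Get-LocalUser -Name 'UpdatusUser' -ErrorAction SilentlyContinue
if ($u) {
    $admin = Get-LocalGroupMember -Name 'Administrators' -Member 'UpdatusUser' -ErrorAction SilentlyContinue
    $findings += "Local account UpdatusUser exists (enabled=$($u.Enabled), admin=$([bool]$admin), " +
                 "passwordNeverExpires=$($null -eq $u.PasswordExpires), lastLogon=$($u.LastLogon))"
}
# Account-creation event (4720) for that name, if Security log retention still covers it
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'UpdatusUser' } |
    ForEach-Object { $findings += "Event 4720 at $($_.TimeCreated): account UpdatusUser created" }

# 2. Defense impairment: recently issued roots in the machine and user root stores.
# A rogue root is usually self-signed with a recent NotBefore; the 90-day window is our assumption.
$cutoff = (Get-Date).AddDays(-90)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.NotBefore -gt $cutoff -or $_.Subject -match 'Kaspersky' } |
        ForEach-Object { $findings += "$store : $($_.Subject) thumbprint=$($_.Thumbprint) notBefore=$($_.NotBefore)" }
}

# 3. Network profile flipped to Private with discovery/sharing firewall rules enabled
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Private' } |
    ForEach-Object { $findings += "Interface '$($_.InterfaceAlias)' is on a Private profile ($($_.Name))" }
foreach ($grp in 'Network Discovery', 'File and Printer Sharing') {
    $rules = @(Get-NetFirewallRule -DisplayGroup $grp -Enabled True -ErrorAction SilentlyContinue |
               Where-Object { $_.Profile -match 'Private|Any' })
    if ($rules.Count) { $findings += "$($rules.Count) '$grp' rule(s) enabled for the Private profile" }
}

# 4. Initial access: connectivity-check host overridden in the hosts file or resolving unexpectedly
$hosts = Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Pattern 'msftconnecttest' -ErrorAction SilentlyContinue
if ($hosts) { $findings += "hosts file overrides msftconnecttest: $($hosts.Line -join '; ')" }
$a = Resolve-DnsName -Name 'www.msftconnecttest.com' -Type A -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'A' }
if ($a) { $findings += "www.msftconnecttest.com resolves to $($a.IPAddress -join ', '); compare with a trusted resolver" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No ApolloShadow-related artifacts found on this host.' }
```

An ISP-level AiTM will not show up in the hosts file or local DNS cache, so a clean result from step 4 only rules out host-side tampering; compare the resolved address from an out-of-band network.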
Groups observed using it
2 distinct threat actors attributed by public researchers.
2025-07-31 · Microsoft Threat Intelligence: "Frozen in transit: Secret Blizzard's AiTM campaign against diplomats" (tagged ApolloShadow)
"The attack starts with a captive portal redirect that tricks targets into downloading ApolloShadow malware disguised as a Kaspersky certificate installer."
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Secret Blizzard is gaining initial access to embassy employee devices by redirecting them to a malicious domain that displays a certificate validation error... The error prompts and tricks embassy employees into downloading root certificates falsely branded as Kaspersky Anti-Virus software, which deploy ApolloShadow malware.
Execution
1 technique
Once the system opens the browser window to this address, the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error which prompts the target to download and execute ApolloShadow.
Persistence
4 techniques
Finally, ApolloShadow creates an administrative user with the username UpdatusUser and a hardcoded password, set to never expire, on the compromised system using the Windows API NetUserAdd. The malware now has persistent access to the infected host via the newly created local admin user.
The final step is to create an administrative user with the username UpdatusUser and a never-expiring hardcoded password on the infected system, using the Windows API NetUserAdd.
Privilege Escalation
2 techniques
Finally, ApolloShadow creates an administrative user with the username UpdatusUser and a hardcoded password, set to never expire, on the compromised system using the Windows API NetUserAdd. The malware now has persistent access to the infected host via the newly created local admin user.
This one displays to the victim as a user account control (UAC) pop-up window asking permission to bypass UAC safety mechanisms. If the user clicks "yes," the malware now has the highest-available privileges.
Stealth
1 technique
The malware then displays a user access control (UAC) pop-up window to prompt the user to install certificates with the file name CertificateDB.exe, which masquerades as a Kaspersky installer.
Defense Impairment
2 techniques
The report found the group leveraging its ISP access to plant the custom "ApolloShadow" malware, which installs a trusted root certificate disguised as Kaspersky Antivirus (AV) onto targeted machines.
Credential Access
5 techniques
"We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target's browsing in clear text including the delivery of certain tokens and credentials," Microsoft wrote.
Intrusions linked to this politically motivated espionage campaign allow Secret Blizzard to view the majority of the target’s browsing in plain text, including certain tokens and credentials, researchers said in the report.
It’s a shift, or a kind of movement, toward the evolution of simply watching traffic to actively modifying network traffic in order to get into those targeted systems.
Microsoft said Secret Blizzard "used an adversary-in-the-middle (AiTM) position at the ISP/telco level to gain access to foreign embassies located in Moscow and deploy their custom ApolloShadow malware."
If the device isn't running on default admin settings, the user is presented with a pop-up window that tells them to download fake certificates, named CertificateDB[.]exe, which gives the attackers elevated privileges.
Discovery
1 technique
Collection
2 techniques
Secret Blizzard is gaining initial access to embassy employee devices by redirecting them to a malicious domain that displays a certificate validation error after targeted victims access a state-aligned network through a captive portal, according to Microsoft.
Impact
2 techniques
Using their AiTM position, the Russian spies can use DNS manipulation to redirect communications to a Secret Blizzard-controlled command-and-control server, and then send the second-stage payload to the victim's device.
In the new campaign, Kremlin spies redirect target devices by putting them behind a captive portal: a legitimate web page that manages network access like those a user would see when connecting to the internet at an airport or hotel.
Other
1 technique
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Malware/tool used in Secret Blizzard adversary-in-the-middle activity targeting diplomats.
Custom malware delivered in ISP-level adversary-in-the-middle attacks; capable of installing a trusted root certificate (per summary).
Custom cyberespionage malware used in ISP-level adversary-in-the-middle operations; installs a rogue trusted root certificate to intercept/manipulate encrypted web traffic, facilitates credential theft and persistent surveillance, attempts privilege escalation, creates a new admin user for backdoor access, and weakens network/browser security settings.
Malware deployed via adversary-in-the-middle attacks at the ISP level, used for intelligence collection from diplomats' devices.