
Blizzard Group’s ApolloShadow Malware Installs Root Certificates to Trust Malicious Sites


Microsoft Threat Intelligence has exposed a sophisticated cyberespionage operation orchestrated by the Russian state-sponsored actor tracked as Secret Blizzard, which has been actively compromising foreign embassies in Moscow through an adversary-in-the-middle (AiTM) technique to deploy the custom ApolloShadow malware.

This campaign, ongoing since at least 2024, uses an AiTM position at the Internet Service Provider (ISP) level to install trusted root certificates on victim devices, so that the devices accept actor-controlled domains as legitimate when validating TLS connections.

This enables persistent access for intelligence gathering, posing a severe threat to diplomatic entities and sensitive organizations reliant on local Russian telecommunications infrastructure.

Secret Blizzard's ISP-level access had previously been assessed only with low confidence, in the context of domestic espionage; this campaign is the first high-confidence confirmation of that capability, potentially facilitated by Russia's System for Operative Investigative Activities (SORM), which allows large-scale traffic interception and manipulation.
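Because the technique relies on a rogue root certificate rather than on a software exploit, the most direct check on an endpoint is to compare the contents of the trusted root stores against an approved baseline. The following PowerShell audit is an added example, not code from the article or from Microsoft's report; it assumes Windows endpoints and a baseline file of root-CA thumbprints that you build yourself from a known-clean host (the file name and store list are assumptions).

```powershell
# Added example: list root CAs present on this host that are not in an approved baseline.
# A root sitting only in the per-user store, or issued very recently, deserves a closer look,
# since an attacker can add to CurrentUser\Root without administrative rights.
function Get-UnexpectedRootCA {
    param(
        [Parameter(Mandatory)] [string[]] $BaselineThumbprints,
        [string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [int] $RecentDays = 30
    )

    # Normalise the baseline into a lookup table keyed by upper-case thumbprint.
    $baseline = @{}
    foreach ($t in $BaselineThumbprints) {
        if ($t.Trim()) { $baseline[$t.Trim().ToUpperInvariant()] = $true }
    }

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            if (-not $baseline.ContainsKey($_.Thumbprint.ToUpperInvariant())) {
                [pscustomobject]@{
                    Store          = $store
                    Subject        = $_.Subject
                    Issuer         = $_.Issuer
                    Thumbprint     = $_.Thumbprint
                    NotBefore      = $_.NotBefore
                    NotAfter       = $_.NotAfter
                    # Roots created shortly before they appeared on the host are more suspicious.
                    RecentlyIssued = ($_.NotBefore -gt (Get-Date).AddDays(-$RecentDays))
                    # Per-user trust is writable by the logged-on user, not only by administrators.
                    UserScope      = ($store -like 'Cert:\CurrentUser\*')
                }
            }
        }
    }
}

# Build the baseline once on a known-clean host (assumed file name), for example:
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint |
#       Set-Content -Path .\root-baseline.txt
$baselineThumbprints = Get-Content -Path '.\root-baseline.txt'
Get-UnexpectedRootCA -BaselineThumbprints $baselineThumbprints |
    Sort-Object UserScope, RecentlyIssued -Descending |
    Format-Table Store, Subject, Thumbprint, NotBefore, RecentlyIssued, UserScope -AutoSize
```

Any unexpected entry should be confirmed against the vendor's published root list before removal, since Windows also receives legitimate roots through automatic updates.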

Secret Blizzard AiTM infection chain

Secret Blizzard’s Cyberespionage Campaign

The operation’s initial access exploits captive ...


Copyright of this story solely belongs to gbhackers.