
ApolloShadow Malware by Blizzard Group Installs Root Certificates to Enable Malicious Sites

Microsoft Threat Intelligence has uncovered a sophisticated cyberespionage campaign by the Russian state actor Secret Blizzard, attributed to the Federal Security Service’s Center 16, targeting foreign embassies in Moscow using adversary-in-the-middle (AiTM) attacks to deploy custom ApolloShadow malware.

This campaign, ongoing since at least 2024, represents the first confirmed evidence of the group’s capability to conduct operations at the Internet Service Provider level within Russia, posing significant risks to diplomatic entities and sensitive organizations relying on local telecommunications infrastructure.

ISP-Level Infiltration and Initial Access

The attack leverages Secret Blizzard’s strategic position within Russia’s internet infrastructure, likely utilizing the country’s domestic intercept systems such as the System for Operative Investigative Activities (SORM).

The initial infection vector involves redirecting target devices through captive portals at the ISP level, exploiting the Windows Test Connectivity Status Indicator that typically sends HTTP requests to msftconnecttest.com.

When systems attempt this connectivity check, they are redirected to actor-controlled domains that display certificate validation errors, prompting users to download and execute the ApolloShadow malware.

The malware masquerades as a Kaspersky installer named CertificateDB.exe and relies on social engineering to get the user to grant it elevated privileges at the User Account Control (UAC) prompt.

Once executed, ApolloShadow follows one of two execution paths depending on whether the running process is elevated, which it determines by calling the GetTokenInformation API and checking for an elevation type of TokenElevationTypeFull.

Figure: Secret Blizzard AiTM infection chain
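The interception described above works because the Windows connectivity probe is plain HTTP and any on-path party can answer it. The following PowerShell function, added here as an example and not code from Microsoft's report or from the article, issues the same probe without following redirects and reports whether the answer came back intact or was redirected, the behaviour a captive portal or ISP-level AiTM would produce. The probe URL, expected body, and the fixed DNS answer for dns.msftncsi.com are the documented NCSI values; the function name, verdict labels and output layout are this example's own.

```powershell
# Added example (not from the article or Microsoft): reproduce the NCSI probe and
# flag a redirected or altered answer. Run on the Windows host whose path is in doubt.
function Test-NcsiProbe {
    param(
        [string]$Url               = 'http://www.msftconnecttest.com/connecttest.txt',
        [string]$ExpectedBody      = 'Microsoft Connect Test',
        [string]$DnsProbeName      = 'dns.msftncsi.com',
        [string]$ExpectedDnsAnswer = '131.107.255.255'
    )

    # --- HTTP probe, deliberately NOT following redirects: a 3xx is the signal we want ---
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout           = 10000
    $req.UserAgent         = 'Microsoft NCSI'   # same agent Windows sends, so a selective portal behaves the same

    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 4xx/5xx answer still carries a response object; nothing at all means no connectivity.
        $resp = $_.Exception.Response
        if (-not $resp) {
            return [pscustomobject]@{ Verdict = 'NoResponse'; HttpStatus = $null; Location = $null; Body = $null; DnsAnswer = $null }
        }
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']      # populated only when the server redirected us
    $reader   = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body     = $reader.ReadToEnd().Trim()
    $reader.Dispose()
    $resp.Close()

    # --- DNS probe: the NCSI name must resolve to its fixed, well-known answer ---
    $dns = Resolve-DnsName -Name $DnsProbeName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } |
           Select-Object -ExpandProperty IPAddress

    $verdict = if ($status -ge 300 -and $status -lt 400) { 'Redirected' }          # captive portal / AiTM-style interception
               elseif ($status -eq 200 -and $body -eq $ExpectedBody -and $dns -contains $ExpectedDnsAnswer) { 'Clean' }
               elseif ($dns -and ($dns -notcontains $ExpectedDnsAnswer)) { 'DnsTampered' }
               else { 'Tampered' }                                                  # 200 with a foreign body, or 4xx/5xx

    [pscustomobject]@{
        Verdict    = $verdict
        HttpStatus = $status
        Location   = $location
        Body       = $body
        DnsAnswer  = ($dns -join ',')
    }
}

Test-NcsiProbe | Format-List
```

A `Redirected` verdict with a `Location` pointing at a domain other than Microsoft's is the condition the article describes; on a healthy link the function returns `Clean` with the body `Microsoft Connect Test`. Because the probe itself is unauthenticated HTTP, this check can only tell you that the path is being interfered with, not who is doing it.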

Technical Capabilities and System Manipulation

ApolloShadow’s most concerning capability is installing attacker-controlled root certificates into both the Windows certificate store and Firefox (which keeps its own trust store, separate from Windows’), enabling the attackers to decrypt and monitor the victim’s encrypted communications.

Figure: ApolloShadow execution flow

The malware runs certutil.exe commands to add the certificates to the Root and enterprise stores, and drops a wincert.js preference file into the Firefox directories so that Firefox honours the added certificates as well.

Beyond certificate manipulation, the malware systematically weakens network security by setting all network profiles to “Private” through registry modifications and COM objects, enabling network discovery and file sharing.

It also creates a persistent backdoor by establishing an administrative user account named “UpdatusUser” with a hardcoded password that never expires.
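Each of the changes just described leaves an artifact an administrator can look for. The PowerShell below is an added example, not code from Microsoft or the article, that gathers those artifacts from one host: recently issued certificates in the Root stores, entries in the machine's enterprise certificate store (the location certutil's enterprise option writes to), a wincert.js file under Firefox, the UpdatusUser account and its privileges, and network profiles set to Private. The 90-day window, the directories searched and the output layout are this example's own choices; run it from an elevated session.

```powershell
# Added example (not from the article or Microsoft): collect host-side traces of the
# certificate, Firefox, account and network-profile changes described above.
function Get-ApolloShadowArtifacts {
    param([int]$RecentDays = 90)   # assumption: a root issued within this window deserves a look

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Root stores: list self-signed roots whose validity began recently. NotBefore is the
    #    issuance date, not the install time, but an injected root is usually freshly minted.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.NotBefore -gt (Get-Date).AddDays(-$RecentDays) } |
            ForEach-Object {
                Add-Finding 'RecentRootCA' ("{0} | {1} | {2} | issued {3:yyyy-MM-dd}" -f $store, $_.Subject, $_.Thumbprint, $_.NotBefore)
            }
    }

    # 2. Enterprise root store: backed by this registry key on a local machine; normally empty
    #    outside a managed domain, so any entry is worth explaining.
    $entKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    Get-ChildItem $entKey -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'EnterpriseRootCA' ("thumbprint {0}" -f $_.PSChildName)
    }

    # 3. Firefox: the dropped preference file by name, in the install and profile directories.
    $ffDirs = @("$env:ProgramFiles\Mozilla Firefox",
                "${env:ProgramFiles(x86)}\Mozilla Firefox",
                "$env:APPDATA\Mozilla\Firefox") | Where-Object { $_ -and (Test-Path $_) }
    foreach ($dir in $ffDirs) {
        Get-ChildItem $dir -Recurse -File -Filter 'wincert.js' -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'FirefoxPrefFile' $_.FullName }
    }

    # 4. Backdoor account: present, enabled, non-expiring password, local admin?
    $u = Get-LocalUser -Name 'UpdatusUser' -ErrorAction SilentlyContinue
    if ($u) {
        $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.Name }
        $isAdmin = $admins -contains "$env:COMPUTERNAME\UpdatusUser"
        Add-Finding 'BackdoorAccount' ("UpdatusUser exists; enabled={0}; passwordNeverExpires={1}; localAdmin={2}" -f `
            $u.Enabled, ($null -eq $u.PasswordExpires), $isAdmin)
    }

    # 5. Network profiles forced to Private: live view, then the stored profiles in the
    #    registry (Category 1 = Private), which also covers networks not currently connected.
    Get-NetConnectionProfile -ErrorAction SilentlyContinue |
        Where-Object { $_.NetworkCategory -eq 'Private' } |
        ForEach-Object { Add-Finding 'PrivateNetworkProfile' ("{0} on {1} (active)" -f $_.Name, $_.InterfaceAlias) }
    $profKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    Get-ChildItem $profKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Category -eq 1) {
            Add-Finding 'PrivateNetworkProfile' ("{0} (stored profile {1})" -f $p.ProfileName, $_.PSChildName)
        }
    }

    return $findings
}

Get-ApolloShadowArtifacts | Format-Table -AutoSize
```

None of these checks is conclusive on its own: a fresh root can be a legitimate internal CA and a Private profile can be an administrator's choice. The combination the article describes, a new root plus a Firefox preference file plus an unexpected local administrator, is what should trigger an investigation, and the thumbprints this script prints are what you would then compare against the organisation's known CAs.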

Microsoft recommends that organizations, particularly those operating in Moscow, implement encrypted tunnels to trusted networks or use satellite-based VPN providers whose infrastructure remains outside foreign control.

Additional protective measures include enforcing least privilege principles, enabling multifactor authentication, and deploying endpoint detection and response solutions in block mode.

This campaign demonstrates the evolving sophistication of state-sponsored cyber operations and highlights the critical importance of robust cybersecurity measures for diplomatic and sensitive organizational communications in high-risk environments.

Indicators of Compromise (IoCs):

Indicator | Type | Description
kav-certificates[.]info | Domain | Actor-controlled domain from which the malware is downloaded
45.61.149[.]109 | IP address | Actor-controlled IP address
13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 | SHA256 | ApolloShadow malware
CertificateDB.exe | File name | File name associated with the ApolloShadow sample
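To put the four indicators to use, the PowerShell below, added as an example and not code from the article or from Microsoft, sweeps a set of proxy and DNS log lines for the domain, IP address and file name, and hashes any CertificateDB.exe found in local directories against the published SHA256. The log lines are constructed for the example so that it runs offline; the log format and the directories swept are this example's assumptions.

```powershell
# Added example (not from the article or Microsoft): sweep logs and local files for the
# indicators in the table above.
$Iocs = @{
    Domain = 'kav-certificates.info'   # refanged from kav-certificates[.]info
    IP     = '45.61.149.109'           # refanged from 45.61.149[.]109
    Sha256 = '13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20'
    File   = 'CertificateDB.exe'
}

# Constructed sample log lines, not real telemetry. Lines 2 and 3 should produce hits
# (line 2 twice: domain and file name); lines 1 and 4 should not.
$SampleLog = @'
dns  client=10.0.5.21 query=www.msftconnecttest.com type=A
http client=10.0.5.21 host=kav-certificates.info path=/CertificateDB.exe status=200
conn client=10.0.5.21 dst=45.61.149.109:443 proto=tcp
http client=10.0.5.22 host=www.example.org path=/ status=200
'@ -split "`r?`n"

function Find-IocHits {
    param([string[]]$Lines, [hashtable]$Iocs)
    # Boundaries keep 45.61.149.109 from matching inside 45.61.149.1090 or a longer host name,
    # while still matching after '=', '/' or before ':' as log fields are usually written.
    $boundaryStart = '(?i)(^|[^\w.-])'
    $boundaryEnd   = '($|[^\w.-])'
    foreach ($line in $Lines) {
        foreach ($kind in 'Domain', 'IP', 'File') {
            $pattern = $boundaryStart + [regex]::Escape($Iocs[$kind]) + $boundaryEnd
            if ($line -match $pattern) {
                [pscustomobject]@{ Indicator = $kind; Value = $Iocs[$kind]; Line = $line.Trim() }
            }
        }
    }
}

function Find-IocFiles {
    param([string[]]$Roots, [hashtable]$Iocs)
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Filter $Iocs.File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Path        = $_.FullName
                    Sha256      = $hash
                    KnownSample = ($hash -eq $Iocs.Sha256)   # string -eq is case-insensitive in PowerShell
                }
            }
    }
}

Find-IocHits  -Lines $SampleLog -Iocs $Iocs | Format-Table -AutoSize
Find-IocFiles -Roots @("$env:USERPROFILE\Downloads", $env:TEMP) -Iocs $Iocs | Format-Table -AutoSize
```

Replace `$SampleLog` with `Get-Content` over the real proxy or DNS export to run the same sweep at scale. A file named CertificateDB.exe whose hash does not match the published one is still worth a look (`KnownSample` false only says it is not this exact sample), since the name is the lure the article describes.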


The post ApolloShadow Malware by Blizzard Group Installs Root Certificates to Enable Malicious Sites appeared first on Cyber Security News.
