The Russian hacking group *Secret Blizzard*, affiliated with the FSB, is conducting a large-scale espionage campaign against embassies in Moscow. They use the AiTM (adversary-in-the-middle) technique, introducing the *ApolloShadow* malware through local Internet service providers. For the first time, it has been officially confirmed that the attacks are carried out at the ISP level, and not just on individual devices. Even the Internet connection in a hotel can become a point of infection.

Microsoft has discovered that the attack is implemented by *hijacking the connection* between the victim’s device and the Internet. After that, the user sees a captive portal, similar to those that appear in airports or hotels. The device automatically accesses a connectivity-check URL, for example msftconnecttest.com, and instead of the expected page the user is redirected to a fake site, from which they unsuspectingly download the ApolloShadow Trojan.
ApolloShadow checks the user’s privilege level and, if necessary, brings up a UAC system window, convincing them to install a *"Kaspersky update"*. In fact, it is a tool for installing trusted root certificates that allow the attacker to read the victim's encrypted (TLS) traffic.
*Secret Blizzard* is a group also known as Turla, Snake, Venomous Bear, and others. This is the first time Microsoft has officially confirmed that the attacks are carried out at the level of telecommunications infrastructure, and not simply through phishing or local infection. They have previously used similar methods in Eastern Europe, in particular through trojanized Flash Player installers.
In the case of ApolloShadow, after infection, the device:

- changes all networks to *Private* status,
- weakens firewall rules,
- adds an administrative user named *UpdatusUser*,
- and even imports certificates into Firefox, bypassing browser restrictions.
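As an added example (not code from the Microsoft report or from this article), the following read-only PowerShell audit is what a defender could run on a Windows laptop after it has been connected to an untrusted network. It checks the Windows connectivity probe for a redirect and then looks for each of the four post-infection changes listed above. The probe URL and expected body are the standard NCSI values; the 30-day window and the Firefox profile path are assumptions made for this example.

```powershell
# Added example, not from the article or the Microsoft advisory: a read-only audit
# for the ApolloShadow post-infection changes described above. It reports findings
# and changes nothing. Run elevated on Windows 10/11 (PowerShell 5.1 or later).

$findings = [System.Collections.Generic.List[string]]::new()
$since = (Get-Date).AddDays(-30)   # assumption: look back 30 days

# 1. Connectivity probe. Windows NCSI fetches this URL and expects the literal body
#    "Microsoft Connect Test". A redirect or a different body is how a captive portal,
#    benign or adversary-in-the-middle, looks from the client side.
try {
    $resp = Invoke-WebRequest -Uri 'http://www.msftconnecttest.com/connecttest.txt' `
        -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    if ($resp.StatusCode -ne 200 -or $resp.Content.Trim() -ne 'Microsoft Connect Test') {
        $findings.Add("NCSI probe returned status $($resp.StatusCode) with an unexpected body")
    }
} catch {
    # With -MaximumRedirection 0 a 3xx answer surfaces here as an error.
    $findings.Add("NCSI probe did not complete cleanly: $($_.Exception.Message)")
}

# 2. Rogue local administrator: the account name reported by Microsoft is UpdatusUser.
if (Get-LocalUser -Name 'UpdatusUser' -ErrorAction SilentlyContinue) {
    $findings.Add("Local user 'UpdatusUser' exists")
}
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*\UpdatusUser' } |
    ForEach-Object { $findings.Add("Administrators group contains $($_.Name)") }

# 3. Network profiles flipped to Private (this is what relaxes the firewall rule set).
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Private' } | ForEach-Object {
    $findings.Add("Interface '$($_.InterfaceAlias)', network '$($_.Name)', is categorised Private")
}

# 4. Firewall profiles that are disabled or no longer block inbound traffic by default.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow') {
        $findings.Add("Firewall profile $($_.Name): Enabled=$($_.Enabled), DefaultInboundAction=$($_.DefaultInboundAction)")
    }
}

# 5. Trusted root certificates that were issued recently. NotBefore is the issuance date,
#    not the import date, but a freshly generated interception CA is usually young.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | Where-Object { $_.NotBefore -gt $since } | ForEach-Object {
        $findings.Add("Root cert in $store issued after $($since.ToShortDateString()): $($_.Subject) [$($_.Thumbprint)]")
    }
}

# 6. Firefox keeps its own trust store (cert9.db per profile); a recent modification
#    that the user did not make deserves a closer look. Path is the default profile location.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Filter 'cert9.db' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object { $findings.Add("Firefox trust store modified $($_.LastWriteTime): $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit on the probe check alone is not proof of compromise, since ordinary hotel and airport portals produce the same redirect; the combination of a redirected probe with a new local administrator, Private profiles, and a young root certificate is the pattern worth escalating. Each finding lists the exact object (account, interface, thumbprint, file) so it can be removed or cross-checked against change records.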
Secret Blizzard is now not just spying on emails or infected files – they control the very infrastructure used by diplomats in Russia. Any connection to a local ISP is a potential access point for an attack.
Microsoft advises:

- Always use a VPN through a proven infrastructure, preferably not Russian;
- Avoid local Wi-Fi, especially in hotels, cafeterias and even embassies;
- Systematically restrict user privileges, enable MFA, and do not use administrator accounts unnecessarily.