216.73.217.139

Frozen in transit: Secret Blizzard's AiTM campaign against diplomats

· Published 08/08/2025 16:36 · Modified 10/08/2025 20:45

Export JSON

Essential information

Published
08/08/2025 16:36
Modified
10/08/2025 20:45
Tags
2025-08-01 2025-08-08 aitm apolloshadow cyberespionage diplomats embassies isp root certificates russia
Related entities
2 observables, 1 intrusion sets (apt), 2 techniques (mitre), 1 others

Description

Secret Blizzard, a Russian state actor, has been conducting a campaign targeting in Moscow using an adversary-in-the-middle () position to deploy malware. This campaign, ongoing since 2024, poses a high risk to diplomatic entities relying on local internet providers in . The actor leverages an position at the level to redirect target devices through a captive portal, installing under the guise of Kaspersky Anti-Virus. has the capability to maintain persistence on diplomatic devices for intelligence collection. The malware alters host settings, installs certificates, and creates an administrative user for persistent access. Microsoft recommends routing all traffic through encrypted tunnels or using satellite-based providers to mitigate this threat.

External references