{
	"id": "77a87aa4-cdf7-4942-849d-4a898175da80",
	"created_at": "2026-04-06T00:19:05.048648Z",
	"updated_at": "2026-04-10T03:36:48.035545Z",
	"deleted_at": null,
	"sha1_hash": "c51758db09dab761d3c3c4fa32b3ac123fc1788a",
	"title": "Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2593759,
	"plain_text": "Frozen in transit: Secret Blizzard’s AiTM campaign against\r\ndiplomats | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-07-31 · Archived: 2026-04-05 17:43:24 UTC\r\nMicrosoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as\r\nSecret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM)\r\nposition to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root\r\ncertificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain\r\npersistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since\r\nat least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations\r\noperating in Moscow, particularly to those entities who rely on local internet providers.\r\nWhile we previously assessed with low confidence that the actor conducts cyberespionage activities within\r\nRussian borders against foreign and domestic entities, this is the first time we can confirm that they have the\r\ncapability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local\r\nISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within\r\nthose services. 
In our previous blog, we reported the actor likely leverages Russia’s domestic intercept systems\r\nsuch as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating\r\nthe actor’s current AiTM activity, judging from the large-scale nature of these operations.\r\nThis blog provides guidance on how organizations can protect against Secret Blizzard’s AiTM ApolloShadow\r\ncampaign, including forcing or routing all traffic through an encrypted tunnel to a trusted network or using an\r\nalternative provider—such as a satellite-based connection—hosted within a country that does not control or\r\ninfluence the provider’s infrastructure. The blog also provides additional information on network defense, such as\r\nrecommendations, indicators of compromise (IOCs), and detection details.\r\nSecret Blizzard is attributed by the United States Cybersecurity and Infrastructure Agency (CISA) as Russian\r\nFederal Security Service (Center 16). Secret Blizzard further overlaps with threat actors tracked by other security\r\nvendors by names such as VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and\r\nWaterbug.\r\nAs part of our continuous monitoring, analysis, and reporting of the threat landscape, we are sharing our\r\nobservations on Secret Blizzard’s latest activity to raise awareness of this actor’s tradecraft and educate\r\norganizations on how to harden their attack surface against this and similar activity. Although this activity poses a\r\nhigh risk to entities within Russia, the defense measures included in this blog are broadly applicable and can help\r\norganizations in any region reduce their risk from similar threats. 
Microsoft is also tracking other groups using\r\nsimilar techniques, including those documented by ESET in a previous publication.\r\nAiTM and ApolloShadow deployment\r\nhttps://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/\r\nPage 1 of 13\n\nIn February 2025, Microsoft Threat Intelligence observed Secret Blizzard conducting a cyberespionage campaign\r\nagainst foreign embassies located in Moscow, Russia, using an AiTM position to deploy the ApolloShadow\r\nmalware to maintain persistence and collect intelligence from diplomatic entities. An adversary-in-the-middle\r\ntechnique is when an adversary positions themself between two or more networks to support follow-on activity.\r\nThe Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of\r\nroot certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS/SSL stripping from\r\nthe Secret Blizzard AiTM position, rendering the majority of the target’s browsing in clear text including the\r\ndelivery of certain tokens and credentials. Secret Blizzard has exhibited similar techniques in past cyberespionage\r\ncampaigns to infect foreign ministries in Eastern Europe by tricking users to download a trojanized Flash installer\r\nfrom an AiTM position.\r\nInitial access    \r\nIn this most recent campaign, the initial access mechanism used by Secret Blizzard is facilitated by an AiTM\r\nposition at the ISP/Telco level inside Russia, in which the actor redirects target devices by putting them behind a\r\ncaptive portal. Captive portals are legitimate web pages designed to manage network access, such as those\r\nencountered when connecting to the internet at a hotel or airport. 
Once behind a captive portal, the Windows Test\r\nConnectivity Status Indicator is initiated—a legitimate service that determines whether a device has internet\r\naccess by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect which should direct to\r\nmsn[.]com.\r\nDelivery and installation\r\nOnce the system opens the browser window to this address, the system is redirected to a separate actor-controlled\r\ndomain that likely displays a certificate validation error which prompts the target to download and execute\r\nApolloShadow. Following execution, ApolloShadow checks for the privilege level of the ProcessToken and if the\r\ndevice is not running on default administrative settings, then the malware displays the user access control (UAC)\r\npop-up window to prompt the user to install certificates with the file name CertificateDB.exe, which masquerades\r\nas a Kaspersky installer to install root certificates and allow the actor to gain elevated privileges in the system.\r\nFigure 1. Secret Blizzard AiTM infection chain\r\nApolloShadow malware\r\nApolloShadow uses two execution paths depending on the privilege level of the running process. The token of the\r\nrunning process is retrieved using the API GetTokenInformationType and the value of TokenInformation is\r\nchecked to see if the token contains the TokenElevationTypeFulltype. If it does not have that privilege level,\r\nApolloShadow executes a low privilege execution path.\r\nFigure 2. ApolloShadow execution flow\r\nLow privilege execution\r\nWhen executing the low privilege path, the first action is to collect information about the host to send back to the\r\nAiTM controlled command and control (C2). First, the host’s IP information is collected using the API\r\nGetIpAddrTable, which collects information from the IpAddrTable. 
Each entry is individually Base64-encoded\r\nand delineated by a pipe character with \\r\\n appended, then combined into one string. For example:\r\n172.29.162[.]128 00-15-5D-04-04-1C\r\n127.0.0[.]1\r\n\"|MTcyLjI5LjE2Mi4xMjggMDAtMTUtNUQtMDQtMDQtMUM=|\\r\\n|MTI3LjAuMC4xIA==|\\r\\n\"\r\nThen the entire string is Base64-encoded once again in preparation for exfiltration to the C2 host:\r\n\"fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0KfE1USTNMakF1TUM0eElBPT18DQo=\"\r\nThe encoded network information is added as a query string to a GET request with the destination URL\r\nhxxp://timestamp.digicert[.]com/registered. Two query parameters are included with the request, code and t. The\r\ncode parameter contains a hardcoded set of characters and the t parameter carries the encoded IP address information,\r\nas shown below:\r\ncode=DQBBBBBBBBBOBBBBBBBBBBgBBBBBBBBBny_t???????\r\nt=fE1UY3lMakk1TGpFMk1pNHhNamdnTURBdE1UVXROVVF0TURRdE1EUXRNVU09fA0KfE1USTNMakF1TUM0eElBPT18DQo=\r\nWhile the timestamp subdomain does exist for Digicert, the /registered resource does not. Due to the AiTM\r\nposition of the actor, Secret Blizzard can use DNS manipulation to redirect legitimate-looking communication to\r\nthe actor-controlled C2 and return an encoded VBScript as the second-stage payload.\r\nWhen the response comes back from the redirected Digicert request, the file name that is used to write the script to\r\ndisk is decoded for use. ApolloShadow uses string obfuscation in several places throughout the binary to hide\r\ncritical strings. These strings are blocks of encoded characters that are encoded using XOR with a separate set of\r\nhardcoded constants. While this is not a particularly sophisticated technique, it is enough to obscure the strings\r\nfrom view at first glance. 
The strings are decoded as they are used and then re-encoded after use to remove traces\r\nof the strings from memory.\r\nFigure 2. String decoding operation for VB script name\r\nThe decoded file name is edgB4ACD.vbs and the file name string is concatenated by the malware with the results\r\nof querying the environment variable for the TEMP directory to create the path for the target script. We were\r\nunable to recover the script, but the header of the response is checked for the first 12 characters to see if it matches\r\nthe string MDERPWSAB64B. Once ApolloShadow has properly decoded the script, it executes the script using the\r\nWindows API call CreateProcessW with the command line to launch wscript and the path to edgB4ACD.vbs.\r\nFinally, the ApolloShadow process launches itself again using ShellExecuteA, which presents the user with a\r\nUAC window to bypass UAC mechanisms and prompt the user to grant the malware the highest privileges\r\navailable to the user.\r\nFigure 3. UAC popup to request elevated privileges from the user\r\nElevated privilege execution\r\nWhen the process is executed with sufficient elevated privileges, ApolloShadow alters the host by setting all\r\nnetworks to Private. This induces several changes including allowing the host device to become discoverable, and\r\nrelaxing firewall rules to enable file sharing. While we did not see any direct attempts for lateral movement, the\r\nmain reason for these modifications is likely to reduce the difficulty of lateral movement on the network.\r\nApolloShadow uses two different methods to perform this change.\r\nThe first method is through the registry settings for NetworkProfiles:\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles. 
The network’s globally unique identifiers (GUIDs) are parsed for each\r\nconnected network, and the malware modifies the value Category by setting it to 0. This change sets the profile of\r\nthe network to Private after the host has been rebooted.\r\nFigure 4. Registry settings for network profiles\r\nThe second method directly sets firewall rules using Component Object Model (COM) objects that enable file\r\nsharing and turn on network discovery. Several strings are decoded using the same method as above and\r\nconcatenated to create the firewall rules they want to modify.\r\nFirewallAPI.dll,-32752\r\nThis command enables the Network Discovery rule group\r\nFirewallAPI.dll,-28502\r\nThis command enables all rules in the File and Printer Sharing group\r\nThe strings are passed to the COM objects to enable the rules if they are not already enabled.\r\nFigure 5. COM objects used to modify firewall rules\r\nBoth techniques have some crossover, but the following table provides a comparison overview of each method.\r\nTechnique | Purpose | Timing | Stealth | Effect\r\nRegistry profile change | Sets network to Private | Requires reboot | High | Broadly relaxes firewall posture\r\nCOM-based rule enablement | Activates specific rules | Immediate | Moderate | Opens precise ports for discovery and sharing\r\nFrom here, ApolloShadow presents the user with a window showing that the certificates are being installed.\r\nFigure 6. Window displayed to the user during execution\r\nA new thread performs the remainder of the functionality. The two root certificates being installed are written to\r\nthe %TEMP% directory with a temporary name and the extension crt. 
The certificate installation is performed by\r\nusing the Windows certutil utility and the temporary files are deleted following the execution of the commands.\r\ncertutil.exe -f -Enterprise -addstore root \"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\crt3C5C.tmp\"\r\ncertutil.exe -f -Enterprise -addstore ca \"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\crt53FF.tmp\"\r\nThe malware must add a preference file to the Firefox preference directory because Firefox uses different\r\ncertificate stores than browsers such as Chromium, which results in Firefox not trusting the root and enterprise\r\nstore by default. ApolloShadow reads the registry key that points to the installation of the application and builds a\r\npath to the preference directory from there. A file is written to disk called wincert.js containing a preference\r\nmodification for Firefox browsers, allowing Firefox to trust the root certificates added to the operating system’s\r\ncertificate store.\r\npref(\"security.enterprise_roots.enabled\", true);\r\nThe final step is to create an administrative user with the username UpdatusUser and a hardcoded password on the\r\ninfected system using the Windows API NetUserAdd. The password is also set to never expire.\r\nFigure 7. 
Administrator user added to infected system\r\nApolloShadow has successfully installed itself on the infected host and has persistent access using the new local\r\nadministrator user.\r\nDefending against Secret Blizzard activity\r\nMicrosoft recommends that all customers, but especially sensitive organizations operating in Moscow, should\r\nimplement the following recommendations to mitigate against Secret Blizzard activity.\r\nRoute all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN)\r\nservice provider, such as a satellite-based provider, whose infrastructure is not controlled or influenced by\r\noutside parties.\r\nMicrosoft also recommends the following guidance to enhance protection and mitigate potential threats:\r\nPractice the principle of least privilege, use multifactor authentication (MFA), and audit privileged account\r\nactivity in your environments to slow and stop attackers. Avoid the use of domain-wide, admin-level\r\nservice accounts and restrict local administrative privileges. These mitigation steps reduce the paths that\r\nattackers have available to them to accomplish their goals and lower the risk of the compromise spreading\r\nin your environment.\r\nRegularly review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise\r\nAdmins. 
Threat actors may add accounts to these groups to maintain persistence and disguise their activity.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques.\r\nRun endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block\r\nmalicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft\r\nDefender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate\r\nmalicious artifacts detected post-breach. \r\nTurn on attack surface reduction rules to prevent common attack techniques. These rules, which can be\r\nconfigured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer\r\nsignificant hardening against common attack vectors.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock execution of potentially obfuscated scripts\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide\r\nintegrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate\r\nand respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects this threat as the following malware:\r\nTrojan:Win64/ApolloShadow\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might indicate threat activity related to this threat. 
Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nSecret Blizzard Actor activity detected\r\nSuspicious root certificate installation\r\nSuspicious certutil activity\r\nUser account created under suspicious circumstances\r\nA script with suspicious content was observed\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following\r\npre-built promptbooks to automate incident response or investigation tasks related to this threat:\r\nIncident investigation\r\nMicrosoft User analysis\r\nThreat actor profile\r\nThreat Intelligence 360 report based on MDTI article\r\nVulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or\r\nMicrosoft Sentinel.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the\r\nintelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated\r\nthreats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nActor profile: Secret Blizzard\r\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft\r\nDefender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the\r\nMicrosoft Defender portal to get more information about this threat actor.\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following query to find related activity in their networks:\r\nSurface devices that attempt to download a file within two minutes after captive portal redirection. This activity\r\nmay indicate a first stage AiTM attack—such as the one utilized by Secret Blizzard—against a device.\r\nlet CaptiveRedirectEvents = DeviceNetworkEvents\r\n| where RemoteUrl contains \"msftconnecttest.com/redirect\"\r\n| project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;\r\nlet FileDownloadEvents = DeviceFileEvents\r\n| where ActionType == \"FileDownloaded\"\r\n| project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;\r\nCaptiveRedirectEvents\r\n| join kind=inner (FileDownloadEvents) on DeviceId\r\n| where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))\r\n| project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nBelow are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats\r\nacross both Microsoft first party and third-party data sources. ASIM also supports deploying parsers to specific\r\nworkspaces from GitHub, using an ARM template or manually.\r\nDetect network IP and domain indicators of compromise using ASIM\r\nThe below query checks IP addresses and domain indicators of compromise (IOCs) across data sources supported\r\nby the ASIM Network session parser.\r\n//IP list and domain list - _Im_NetworkSession\r\nlet lookback = 30d;\r\nlet ioc_ip_addr = dynamic([\"45.61.149.109\"]);\r\nlet ioc_domains = dynamic([\"kav-certificates.info\"]);\r\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\r\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\r\nEventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\r\nDetect network and file hash indicators of compromise using ASIM\r\nThe below queries check IP addresses and file hash IOCs across data sources supported by the ASIM Web session\r\nparser.\r\nDetect network indicators of compromise and domains using ASIM\r\n//IP list - _Im_WebSession\r\nlet lookback = 30d;\r\nlet ioc_ip_addr = dynamic([\"45.61.149.109\"]);\r\nlet ioc_sha_hashes = dynamic([\"13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20\"]);\r\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\r\n| summarize 
imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\r\nEventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\r\n// Domain list - _Im_WebSession\r\nlet ioc_domains = dynamic([\"kav-certificates.info\"]);\r\n_Im_WebSession (url_has_any = ioc_domains)\r\nDetect file hash indicators of compromise using ASIM\r\nThe below query checks IP addresses and file hash IOCs across data sources supported by the ASIM FileEvent\r\nparser.\r\nDetect network and file hash indicators of compromise using ASIM\r\n// file hash list - imFileEvent\r\nlet ioc_sha_hashes = dynamic([\"13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20\"]);\r\nimFileEvent\r\n| where SrcFileSHA256 in (ioc_sha_hashes) or\r\nTargetFileSHA256 in (ioc_sha_hashes)\r\n| extend AccountName = tostring(split(User, @'\\')[1]),\r\nAccountNTDomain = tostring(split(User, @'\\')[0])\r\n| extend AlgorithmType = \"SHA256\"\r\nIndicators of compromise\r\nIndicator | Type | Description\r\nkav-certificates[.]info | Domain | Actor-controlled domain that downloads the malware\r\n45.61.149[.]109 | IP address | Actor-controlled IP address\r\n13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 | SHA256 | ApolloShadow malware\r\ne94c00fde5bf749ae6db980eff492859d22cacb4bc941ad4ad047dca26fd5616 | SHA256 | ApolloShadow malware\r\nCertificateDB.exe | File name | File name associated with ApolloShadow sample\r\nReferences\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a\r\nhttps://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/\r\nhttps://attack.mitre.org/techniques/T1557/\r\nhttps://web-assets.esetstatic.com/wls/2018/01/ESET_Turla_Mosquito.pdf\r\nAcknowledgments\r\nhttps://securelist.com/compfun-successor-reductor/93633/\r\nLearn more\r\nMeet 
the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response\r\nCenter at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen\r\nresilience and elevate your security posture.\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X\r\n(formerly Twitter), and Bluesky.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/"
	],
	"report_names": [
		"frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c51758db09dab761d3c3c4fa32b3ac123fc1788a.pdf",
		"text": "https://archive.orkl.eu/c51758db09dab761d3c3c4fa32b3ac123fc1788a.txt",
		"img": "https://archive.orkl.eu/c51758db09dab761d3c3c4fa32b3ac123fc1788a.jpg"
	}
}