Secret Blizzard Group’s ApolloShadow Malware Installs Root Certificates on Devices to Trust Malicious Sites
A cyberespionage campaign targeting foreign embassies in Moscow has been uncovered, revealing the deployment of a custom malware strain built to subvert certificate trust on the victim’s device.
The Russian state-sponsored threat group Secret Blizzard has been orchestrating an adversary-in-the-middle operation since at least 2024, utilizing their position within internet service provider infrastructure to deploy the ApolloShadow malware against diplomatic entities.
The campaign represents a significant escalation in state-sponsored cyber operations, particularly in its exploitation of internet infrastructure within Russian borders.
Secret Blizzard, which overlaps with threat actors known as VENOMOUS BEAR, Uroburos, Snake, and Turla, has demonstrated the capability to conduct large-scale interception operations at the ISP level.
This positioning allows the group to redirect targeted devices to a captive portal, the same kind of interstitial page a hotel or airport network presents, and use that controlled environment to deliver the malware.
ApolloShadow’s primary function is to install actor-controlled root certificates so that the device trusts TLS sites the actor operates.
The malware masquerades as a Kaspersky Anti-Virus installer through a file named CertificateDB.exe, exploiting user trust in legitimate security software.
Microsoft analysts identified this deceptive approach as a critical component of the group’s persistence strategy, designed to maintain long-term access to diplomatic communications and intelligence.
Technical Infection Mechanism and Certificate Manipulation
The malware follows one of two execution paths depending on the privilege level of its own process, which it determines by querying the process token’s elevation type through the Windows API GetTokenInformation (the report refers to this check as GetTokenInformationType).
When operating with elevated privileges, ApolloShadow installs certificates with the built-in Windows certutil utility. The malware runs two commands (the user-name segment of the path is elided in the report; the temporary file names are the ones observed):
certutil.exe -f -Enterprise -addstore root "C:\Users\<username>\AppData\Local\Temp\crt3C5C.tmp"
certutil.exe -f -Enterprise -addstore ca "C:\Users\<username>\AppData\Local\Temp\crt53FF.tmp"
These commands write attacker-supplied certificates into the machine-wide Trusted Root and Intermediate CA stores: -addstore root and -addstore ca select the two stores, -Enterprise places them in the Enterprise physical store that is merged into both, and -f overwrites any existing entry. Once an attacker root is trusted, any TLS certificate the actor issues from it validates cleanly, so the device can no longer distinguish legitimate websites from actor-controlled ones.
The malware also writes a Firefox preference file named wincert.js containing pref("security.enterprise_roots.enabled", true);
Firefox ships its own certificate store and ignores the Windows stores by default, so this preference is needed to make Firefox trust the newly installed roots as well.
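The check a responder would want after reading the two certutil commands and the Firefox preference change is whether a host already carries such trust anchors. The script below is an added example, not code from the Microsoft report or from this article. It lists certificates present in the Enterprise physical Root and CA stores (the stores certutil -Enterprise -addstore populates), resolves them through the Cert: drive, and searches Firefox install and profile directories for any preference file that sets security.enterprise_roots.enabled. Assumptions: it runs elevated in PowerShell 5.1 or later on Windows 10/11; the $KnownGoodThumbprints list, the 30-day window and the Firefox directory locations are placeholders chosen here, not indicators from the report.

```powershell
param(
    # Thumbprints of roots your organisation deployed on purpose (placeholder list).
    [string[]]$KnownGoodThumbprints = @(),
    # Illustrative window for flagging recently issued certificates.
    [int]$RecentDays = 30
)

# certutil -Enterprise -addstore writes to the Enterprise physical store, whose
# registry backing is below; subkey names are SHA-1 thumbprints in upper-case hex.
$enterpriseKeys = [ordered]@{
    Root = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    CA   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates'
}
$cutoff   = (Get-Date).AddDays(-$RecentDays)
$findings = @()

foreach ($storeName in $enterpriseKeys.Keys) {
    $key = $enterpriseKeys[$storeName]
    if (-not (Test-Path -Path $key)) { continue }

    # The logical LocalMachine store merges the Enterprise physical store, so a
    # thumbprint read from the registry can be resolved to a certificate object.
    $logical = @(Get-ChildItem -Path "Cert:\LocalMachine\$storeName")

    foreach ($thumb in (Get-ChildItem -Path $key).PSChildName) {
        if ($KnownGoodThumbprints -contains $thumb) { continue }
        $cert = $logical | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

        $subject   = '(not resolvable through the Cert: drive)'
        $notBefore = $null
        $recent    = $false
        if ($cert) {
            $subject   = $cert.Subject
            $notBefore = $cert.NotBefore
            # NotBefore is attacker-controlled and can be backdated; presence in
            # the Enterprise store on a host you never provisioned is the signal.
            $recent    = $cert.NotBefore -ge $cutoff
        }
        $findings += [pscustomobject]@{
            Store      = $storeName
            Thumbprint = $thumb
            Subject    = $subject
            NotBefore  = $notBefore
            Recent     = $recent
            # Removal command for a confirmed rogue entry (printed, not executed).
            RemoveWith = "certutil.exe -Enterprise -delstore $storeName $thumb"
        }
    }
}

# Firefox keeps its own trust store and ignores the Windows stores unless
# security.enterprise_roots.enabled is true; look for any pref file that sets it.
# Search locations are assumptions: the stock install directory and per-user profiles.
$firefoxDirs = @(
    "$env:ProgramFiles\Mozilla Firefox",
    "${env:ProgramFiles(x86)}\Mozilla Firefox"
)
$profileDirs = Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*" -Directory -ErrorAction SilentlyContinue
$firefoxDirs += $profileDirs | ForEach-Object { $_.FullName }

$prefHits = foreach ($dir in $firefoxDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.js' -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'security\.enterprise_roots\.enabled' |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
}

Write-Host 'Certificates in the Enterprise Root/CA stores that are not on the allow-list:'
$findings | Sort-Object Recent -Descending | Format-Table Store, Thumbprint, Subject, NotBefore, Recent -AutoSize
Write-Host 'Firefox preference files that mention security.enterprise_roots.enabled:'
$prefHits | Format-Table File, Line, Text -AutoSize
```

On a standalone (non-domain-joined) workstation the Enterprise store is normally empty, so any entry it reports deserves a look; on a domain-joined machine, compare against the roots your directory publishes before treating a hit as malicious. The RemoveWith column is deliberately only printed, because deleting a root that a legitimate proxy or EDR product relies on will break that product.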
To maintain persistence, ApolloShadow creates a local administrator account named “UpdatusUser” with a hard-coded password that is set to never expire.
The malware also changes every network profile on the host to the Private category, which selects the more permissive Windows Firewall profile and enables file and printer sharing, conditions that could facilitate lateral movement within a compromised environment.
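The two persistence changes just described, the never-expiring administrator account and the network profiles flipped to Private, can be checked on a host with the script below. It is an added example, not code from the Microsoft report or from this article. It enumerates enabled local accounts whose password never expires and annotates them with RID, administrator membership and a match against the reported name; it then reads the network category of both the currently connected profiles and every profile Windows remembers in the registry, and shows what the Private category unlocks in the firewall. Assumptions: it runs elevated in PowerShell 5.1 or later on Windows 10/11; the 30-day window, the RID threshold of 1000 and the choice to report rather than remediate are made here, not taken from the report.

```powershell
param([int]$RecentDays = 30)   # illustrative window, not an indicator from the report
$cutoff = (Get-Date).AddDays(-$RecentDays)

# 1. Enabled local accounts whose password never expires. Get-LocalUser reports
#    that as PasswordExpires = $null. Built-in accounts have RIDs below 1000;
#    accounts created afterwards, such as one added by malware, start at 1000.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })        # entries look like "HOST\UpdatusUser"

$accountFindings = foreach ($u in Get-LocalUser) {
    if (-not $u.Enabled -or $null -ne $u.PasswordExpires) { continue }
    $rid = [int]($u.SID.Value.Split('-')[-1])
    [pscustomobject]@{
        Name            = $u.Name
        RID             = $rid
        IsLocalAdmin    = $admins -contains "$env:COMPUTERNAME\$($u.Name)"
        MatchesReport   = $u.Name -eq 'UpdatusUser'
        # No creation timestamp is exposed; PasswordLastSet is the closest proxy
        # for an account created with a hard-coded password.
        PasswordLastSet = $u.PasswordLastSet
        RecentlySet     = ($null -ne $u.PasswordLastSet) -and ($u.PasswordLastSet -ge $cutoff)
        NotBuiltIn      = $rid -ge 1000
    }
}

# 2. Network location category of the profiles that are connected right now.
$liveProfiles = Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, InterfaceIndex, NetworkCategory

#    The same for every profile Windows remembers, from the registry that backs
#    them (Category DWORD: 0 = Public, 1 = Private, 2 = DomainAuthenticated).
$profileKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }
$storedProfiles = foreach ($p in Get-ChildItem -Path $profileKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $p.PSPath
    [pscustomobject]@{
        ProfileName = $props.ProfileName
        Category    = $categoryName[[int]$props.Category]
        Guid        = $p.PSChildName
    }
}

# 3. What the Private category buys the attacker: the Private firewall profile's
#    posture and whether inbound File and Printer Sharing rules are enabled.
$privateFirewall = Get-NetFirewallProfile -Name Private |
    Select-Object Name, Enabled, DefaultInboundAction
$sharingRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

Write-Host 'Enabled local accounts with a never-expiring password:'
$accountFindings | Format-Table Name, RID, IsLocalAdmin, MatchesReport, PasswordLastSet, RecentlySet, NotBuiltIn -AutoSize
Write-Host 'Connected network profiles:'
$liveProfiles | Format-Table -AutoSize
Write-Host 'Stored network profiles (every profile set to Private is worth explaining):'
$storedProfiles | Format-Table -AutoSize
Write-Host 'Private firewall profile:'
$privateFirewall | Format-Table -AutoSize
Write-Host "Enabled inbound File and Printer Sharing rules: $($sharingRules.Count)"

# Remediation, once a finding is confirmed, is deliberately left to the operator:
#   Disable-LocalUser -Name UpdatusUser
#   Set-NetConnectionProfile -InterfaceIndex <index> -NetworkCategory Public
```

A host whose only never-expiring account is the disabled built-in Administrator and whose profiles are Public or DomainAuthenticated is consistent with a normal baseline; a RID-1000-or-higher account that is also a local administrator, with every stored profile at Private, matches the behaviour the report describes and should be handled as an incident rather than cleaned up in place.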
The campaign poses significant risks to diplomatic entities operating in Moscow, particularly those relying on local telecommunications infrastructure.
Organizations are advised to route all traffic through encrypted tunnels to trusted networks or utilize satellite-based connection providers whose infrastructure remains outside potential adversary control.