
 Message 1582 
 Mike Powell to All 
 MS says Russian hackers a 
 01 Aug 25 07:23:19 
 
TZUTC: -0500
MSGID: 1316.consprcy@1:2320/105 2cf1ecdb
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Microsoft says Russian hackers are planting fake antivirus software in 
embassy attacks

Date:
Fri, 01 Aug 2025 10:28:44 +0000

Description:
The hackers are using custom malware to target foreign governments.

FULL STORY

Foreign embassies in Moscow are being targeted by Russian state hackers, who
are using custom malware tracked as ApolloShadow, disguised as Kaspersky
antivirus software, new reports have claimed.

The attacks have the end goal of installing a TLS root certificate which
allows the threat actor to cryptographically impersonate trusted websites
visited by the infected system inside the embassy, Microsoft Threat
Intelligence reports. 

"This campaign, which has been ongoing since at least 2024, poses a high risk
to foreign embassies, diplomatic entities, and other sensitive organizations
operating in Moscow, particularly to those entities who rely on local
internet providers," the experts noted.

Secret Blizzard 

This cyber espionage campaign targeting diplomats and embassies uses what's
known as an adversary-in-the-middle (AiTM) attack, which occurs when hackers
intercept and alter communications between two parties without their
knowledge. 

These frequently leverage other attack vectors like social engineering emails
or messages to create conditions in which an attacker can intercept and
manipulate the communications between users and the legitimate services they
use, and then steal credentials and authenticated access tokens.

The notorious threat actor, Secret Blizzard, has previously been observed
hacking Ukrainian military tech by stealing points of entry from
third parties. The group is one of the most sophisticated and most prolific
state-sponsored threat actors in the world.

Microsoft previously assessed with low confidence that Secret Blizzard was
conducting cyberespionage within Russian borders against its adversaries, but
the company now confirms that they have the capability to carry these out on
the Internet Service Provider (ISP) level. 

This means diplomats using local ISP or telecommunications within Russia are
highly likely targets of Secret Blizzard's AiTM position within those
services.

"In our previous blog, we reported the actor likely leverages Russia's domestic
intercept systems such as the System for Operative Investigative Activities
(SORM), which we assess may be integral in facilitating the actor's current
AiTM activity, judging from the large-scale nature of these operations,"
Microsoft confirmed.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-says-russian-hackers-are-planting-fake-antivirus-software-in-embassy-attacks

--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
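Added example, not from the news story or the echomail post above: the rogue root certificate is what lets the AiTM position impersonate trusted sites, so a practical defender's check is to diff a host's root store against a known-good baseline by fingerprint rather than by name. Python, standard library only; the subjects and fingerprints are constructed placeholders, and the export format (subject plus hex fingerprint of the DER bytes) is an assumption about what the OS trust-store tool produces.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RootCert:
    subject: str      # distinguished name as exported by the OS, e.g. "CN=..."
    fingerprint: str  # hex digest of the certificate's DER bytes


def normalize_fp(fp: str) -> str:
    """Canonicalise a fingerprint so exports from different tools compare equal
    (PowerShell prints upper-case hex, openssl prints colon-separated pairs)."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def find_rogue_roots(current, baseline):
    """Compare a fresh trust-store export against the known-good baseline.

    Returns (unknown, replaced):
      unknown  - roots whose subject and fingerprint are both absent from the baseline
      replaced - roots that reuse a baseline subject under a different fingerprint;
                 a name-only comparison would silently accept these.
    """
    base_fps = {normalize_fp(c.fingerprint) for c in baseline}
    base_subjects = {c.subject for c in baseline}
    unknown, replaced = [], []
    for cert in current:
        if normalize_fp(cert.fingerprint) in base_fps:
            continue  # exact match with a trusted root
        (replaced if cert.subject in base_subjects else unknown).append(cert)
    return unknown, replaced


# Constructed sample data: fingerprints are placeholders, not real certificates.
BASELINE = [
    RootCert("CN=Example Global Root CA", "11" * 32),
    RootCert("CN=Example Vendor Root", "22" * 32),
]
CURRENT_STORE = [
    RootCert("CN=Example Global Root CA", "11" * 32),        # unchanged
    RootCert("CN=Example Vendor Root", ("33" * 32).upper()),  # same name, new key
    RootCert("CN=Update Service Root", "44" * 32),            # never in baseline
]

if __name__ == "__main__":
    unknown, replaced = find_rogue_roots(CURRENT_STORE, BASELINE)
    for c in replaced:
        print(f"REPLACED: {c.subject} now has fingerprint {c.fingerprint}")
    for c in unknown:
        print(f"UNKNOWN:  {c.subject} ({c.fingerprint})")
```

Run it periodically (or from an EDR script) and alert on any non-empty result; the baseline itself should be captured from a clean build and stored where the endpoint cannot modify it.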

