Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,582 of 2,445    |
|    Mike Powell to All    |
|    MS says Russian hackers a    |
|    01 Aug 25 07:23:19    |
TZUTC: -0500
MSGID: 1316.consprcy@1:2320/105 2cf1ecdb
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Microsoft says Russian hackers are planting fake antivirus software in embassy attacks

Date: Fri, 01 Aug 2025 10:28:44 +0000

Description: The hackers are using custom malware to target foreign governments.

FULL STORY

Foreign embassies in Moscow are being targeted by Russian state hackers, who are using custom malware tracked as ApolloShadow, disguised as Kaspersky antivirus software, new reports have claimed.

The attacks have the end goal of installing a TLS root certificate which allows the threat actor to cryptographically impersonate trusted websites visited by the infected system inside the embassy, Microsoft Threat Intelligence reports.

"This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers," the experts noted.

Secret Blizzard

This cyber espionage campaign targeting diplomats and embassies uses what's known as an adversary-in-the-middle (AiTM) attack, which occurs when hackers intercept and alter communications between two parties without their knowledge.

These frequently leverage other attack vectors like social engineering emails or messages to create conditions in which an attacker can intercept and manipulate the communications between users and the legitimate services they use, then stealing credentials and authenticated access tokens.

The notorious threat actor, Secret Blizzard, has previously been observed hacking Ukrainian military tech by stealing points of entry from third-parties. The group is one of the most sophisticated and most prolific state-sponsored threat actors in the world.

Microsoft previously assessed with low confidence that Secret Blizzard was conducting cyberespionage within Russian borders against its adversaries, but the company now confirms that they have the capability to carry these out on the Internet Service Provider (ISP) level.

This means diplomats using local ISP or telecommunications within Russia are highly likely targets of Secret Blizzard's AiTM position within those services.

"In our previous blog, we reported the actor likely leverages Russia's domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor's current AiTM activity, judging from the large-scale nature of these operations," Microsoft confirmed.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-says-russian-hackers-are-planting-fake-antivirus-software-in-embassy-attacks

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca