Analytics Story: Secret Blizzard
Description
Detects suspicious use of captive portal redirection chains abusing msftconnecttest.com/redirect, particularly during network sign-in events. Look for anomalous HTTP GET requests to domains mimicking certificate authorities (e.g., fake Digicert or Kaspersky-related hosts). Flag user execution of CertificateDB.exe, which may request elevated privileges and install unauthorized custom root certificates. Monitor for persistence tactics such as creation of hidden local admin accounts, modification of firewall or network profile settings, and DLL sideloading involving oci.dll or duser.dll. Additional indicators include encoded metadata in DNS queries, exfiltration over DNS, or encrypted communications to suspicious or newly registered domains, suggesting command-and-control activity. These behaviors may indicate adversary-in-the-middle (AiTM) interception by a capable, nation-state actor.
Why it matters
In early February 2025, Microsoft Threat Intelligence uncovered a sophisticated adversary-in-the-middle (AiTM) campaign by the Russian state-linked APT group Secret Blizzard (also known as Turla or Venomous Bear), targeting diplomatic entities operating in Moscow. The attackers hijacked Windows network connectivity checks to msftconnecttest.com/redirect by exploiting captive portal redirection techniques—likely through compromised or manipulated local ISP infrastructure. Victims were redirected to a fake network sign-in page prompting the download of CertificateDB.exe, disguised as a legitimate security application. Upon execution, the malware installed a rogue root certificate, adjusted firewall rules, created hidden local administrator accounts, and enabled TLS interception. Exfiltration occurred via DNS queries and encrypted traffic to attacker-controlled domains. This campaign marks a significant escalation in domestic ISP-level surveillance, enabling credential theft and encrypted traffic inspection against foreign diplomats—highlighting the evolving scope of nation-state cyber-espionage inside Russian borders.
Detections
| Name | Technique | Type |
|---|---|---|
| Windows Certutil Root Certificate Addition | Digital Certificates | Anomaly |
| Windows Set Private Network Profile via Registry | Modify Registry | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 1 |  Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
Source: GitHub | Version: 1