Secret Blizzard Hackers Attack Windows Infrastructure Using Multiple Hacking Tools

In a recent joint report by Microsoft Threat Intelligence and Black Lotus Labs, new insights have emerged about “Secret Blizzard,” a sophisticated Russian nation-state cyber actor attacking Windows infrastructure using a variety of hacking tools.

Known for its stealthy espionage operations, Secret Blizzard has been using the infrastructure and tools of at least six other threat actors over the past seven years to enhance its intelligence-gathering capabilities.

The U.S. Cybersecurity and Infrastructure Security Agency attributes Secret Blizzard to Russia’s Federal Security Service (FSB). The group’s distinctive method leverages the tools and infrastructure of other state-sponsored and cybercriminal actors.

The primary goal of this approach is state-level espionage; its targets include ministries of foreign affairs, embassies, defense departments, and related organizations worldwide.

The group not only conducts a wide range of operations but also aims to establish long-term access to valuable systems for gathering politically significant intelligence.

A significant revelation in the report is Secret Blizzard’s use of the infrastructure of a Pakistan-based espionage group known as Storm-0156, also known as SideCopy, Transparent Tribe, and APT36.

Operating primarily in South Asia, this group installs backdoors and collects intelligence.

The collaboration between Microsoft Threat Intelligence and Black Lotus Labs has confirmed that Secret Blizzard’s command-and-control traffic originated from Storm-0156 infrastructure, which had staged data exfiltrated from campaigns in Afghanistan and India.

Advanced Cyber Tools and Techniques

Since November 2022, Microsoft Threat Intelligence has observed Secret Blizzard compromising the infrastructure of Storm-0156, a Pakistan-based espionage group.

Secret Blizzard hijacked Storm-0156’s tools, such as CrimsonRAT and Arsenal, to deploy its own malware, including TwoDash, MiniPocket, and Statuezy, while mimicking Storm-0156’s operations through DLL sideloading and similar filenames.

This access allowed Secret Blizzard to redirect C2 traffic to its own infrastructure and take over Storm-0156 backdoors such as CrimsonRAT and Wainscot for further attacks.

  • Wainscot: A Golang-based backdoor active since October 2023, capable of executing commands, file transfer, and taking screenshots. While primarily targeting Windows, a Linux variant with expanded features has also been reported.
  • CrimsonRAT: A .NET-based backdoor with evolving capabilities, including system info gathering, process listing, file transfer, command execution, and keylogging via additional modules.

Secret Blizzard attack map
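The sideloading-and-lookalike-filename tradecraft described above is something defenders can hunt for in endpoint image-load telemetry. The following is an added example, not code from the report, from Microsoft, or from Black Lotus Labs: it scans constructed image-load records (loading process, loaded module path, whether the module’s signature verified; the field names, paths and the small list of commonly abused DLL names are assumptions) and flags modules whose name is, or closely resembles, a Windows system DLL but which were loaded from outside the system directories.

```python
"""Added example: flag DLL side-loading candidates in image-load telemetry.

Not code from the report or the threat actors it describes. The records below
are constructed to look like endpoint image-load events; field names, paths
and the DLL list are assumptions for illustration.
"""
from pathlib import PureWindowsPath

# Directories that legitimately host Windows system DLLs (assumes a default install).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Directories any local user can write to; a planted DLL beside a signed
# executable there is the classic side-loading layout.
USER_WRITABLE_DIRS = ("c:\\users", "c:\\programdata", "c:\\windows\\temp")
# Illustrative subset of DLL names commonly targeted for side-loading.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll", "wtsapi32.dll"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "module": r"C:\Windows\System32\version.dll", "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\version.dll", "signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Program Files\Vendor\vendorhelper.dll", "signed": True},
    {"image": r"C:\Users\bob\Downloads\report_viewer.exe",
     "module": r"C:\Users\bob\Downloads\dbgheIp.dll", "signed": False},  # capital I, not l
]


def is_under(path: str, roots) -> bool:
    """True if the (case-insensitive) path lies inside one of the root directories."""
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike filenames (e.g. 'I' for 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(event: dict) -> list:
    """Return the list of suspicious traits observed for one image-load event."""
    module = event["module"]
    name = PureWindowsPath(module).name.lower()
    reasons = []
    if not is_under(module, SYSTEM_DIRS):
        if name in KNOWN_SYSTEM_DLLS:
            reasons.append("system-dll-name-outside-system-dir")
        elif any(edit_distance(name, known) == 1 for known in KNOWN_SYSTEM_DLLS):
            reasons.append("lookalike-system-dll-name")
    if is_under(module, USER_WRITABLE_DIRS):
        reasons.append("module-in-user-writable-dir")
    if not event.get("signed", False):
        reasons.append("module-unsigned")
    return reasons


# Only a name-based trait makes an event a side-loading candidate; the other
# traits are supporting context that raises its priority for triage.
NAME_REASONS = {"system-dll-name-outside-system-dir", "lookalike-system-dll-name"}


def find_sideload_candidates(events) -> list:
    """Return events whose loaded module mimics a system DLL, with supporting reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if NAME_REASONS & set(reasons):
            hits.append({"image": ev["image"], "module": ev["module"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{hit['image']} loaded {hit['module']}: {', '.join(hit['reasons'])}")
```

Run against the constructed events, the script flags the unsigned `version.dll` in a user temp directory and the look-alike `dbgheIp.dll` in a Downloads folder, while the genuine `version.dll` under System32 and the vendor’s own helper DLL pass. In production the same logic would run over image-load events from an EDR or Sysmon feed, with the known-DLL list widened and the signer of the loading executable taken into account, since a signed, trusted binary loading an unsigned look-alike from a writable directory is the pattern that matters.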

Secret Blizzard’s methodology involves deploying multiple backdoors, including the TinyTurla variant and a custom downloader known as TwoDash, to enhance their infiltration capabilities.

In addition, the group employs a clipboard monitoring tool referred to as Statuezy, along with other malware, to bolster its espionage efforts.

  • Uploaded files and a distinct username of the uploader
  • Affected device information, including IP address, location, operating system version, and installed antivirus software
  • Network connection events, duration of the session, and timestamps like the disconnect and connect time

The report highlights Secret Blizzard’s significant impact on global cybersecurity. Through strategic positioning and backdoor deployment, this group has effectively broken into infrastructure in Afghanistan’s government, including the Ministry of Foreign Affairs and the General Directorate of Intelligence.

The post Secret Blizzard Hackers Attack Windows Infrastructure Using Multiple Hacking Tools appeared first on Cyber Security News.

About Author

Chad Barr

Chad Barr is a visionary and executive leader, blending over two decades of expertise with a unique ability to demystify complex technical concepts. As a cybersecurity leader, prolific author, and director at AccessIT Group, Chad has empowered organizations across diverse industries to build resilient security frameworks. His engaging writing, speaking engagements, and thought leadership inspire proactive cybersecurity practices, making him a trusted voice in the ever-evolving digital landscape.
