How to eliminate ApolloShadow malware from the operating system

What kind of malware is ApolloShadow?

ApolloShadow is the name of a malicious program that has been observed in cyber espionage campaigns. It is a custom-built malware used by a threat actor dubbed "Secret Blizzard". This group is believed to be a part of the FSB (Federal Security Service of the Russian Federation). Secret Blizzard has been linked with threat actors tracked as ATG26, Blue Python, Snake, Turla, Uroburos, VENOMOUS BEAR, Waterbug, and Wraith.

ApolloShadow malware has been used in ongoing campaigns that began at least in 2024. This activity targets diplomatic entities and other sensitive operations based in Moscow. It is not unlikely that ApolloShadow campaigns will expand.

ApolloShadow malware overview

ApolloShadow is a custom malware used by the Russian state-backed threat actor called "Secret Blizzard". Campaigns spreading this malware relied on the AiTM (Adversary-in-The-Middle) technique. AiTM is a method wherein the adversary places themself between two (or more) networks to facilitate following activity (such as delivering malware). This technique is not novel to Secret Blizzard, as this group has used similar tactics in older campaigns targeting Eastern European foreign ministries.

In the most recent ApolloShadow campaigns – which sought to compromise diplomatic entities, foreign embassies, and other high-sensitivity organizations in Moscow – the AiTM attack occurred at the ISP (Internet Service Provider) level.

To elaborate, the targeted device was placed behind a captive portal, and the Windows Test Connectivity Status Indicator service was run – yet instead of the browser opening the appropriate page, the victim was redirected to an attacker-controlled domain. As ApolloShadow's infection chain relies on the installation of a root certificate, it is highly likely that the opened website is intended to trick the user into installing it (e.g., by showing a certificate validation error). One of the known disguises for the root certificate was the Kaspersky Anti-Virus.

It is suspected that ApolloShadow infections allow for TLS/SSL stripping attacks – wherein browsers are forced to connect to websites by bypassing security measures like SSL encryption. In which case, the malware would be capable of accessing most of the victim's browsing activity, as well as certain tokens and credentials.

To expand upon how this campaign reaches the ISP level, the targeted entities used local Russian Internet/telecommunications services, and Secret Blizzard is a state-backed threat actor.

By downloading/installing the root certificate, the victim introduces ApolloShadow into the device. The malware begins its operations by collecting relevant device information, including network data and IP address.

This program seeks to gain admin privileges, and if the user account does not have them, the UAC (User Account Control) pop-up is displayed. This window asks the root certificate to be installed. In the observed attacks, the file-to-be-installed was named "CertificateDB.exe" and, as mentioned previously, was presented as the Kaspersky installation setup. The malware can display a pop-up claiming that certificates are being installed.

Upon successfully escalating the privileges, ApolloShadow enables the device to be discoverable on the network. It can also use one of two methods to weaken the firewall and allow file sharing. Chromium-based browsers accept ApolloShadow's certificate as trusted, while the malicious program has to modify preferences for the Mozilla Firefox browser to avoid certificate rejection.

Additionally, ApolloShadow creates a new admin user account (named "UpdatusUser" in the known infections) with an indefinite hardcoded password (without an expiration date) – and in this manner, the malware ensures persistent access.

ApolloShadow is used for cyber espionage, and the extent of the damage this malware can cause, especially since it can remain hidden for a significant amount of time, cannot be accurately quantified. Regardless, this malicious program poses serious threats, especially considering it is used in politically/geopolitically motivated attacks.

Examples of malware used in cyber espionage

We have written about thousands of malicious programs; Shadowpad, TONEINS, RomCom, and HyperBro are merely a few of our articles on ones that have been used in cyber espionage attacks.

Malware is a broad term that covers software that can have various malicious capabilities, ranging from data theft to file encryption for ransom demands.

Naturally, this software is widely used in attacks that have political and geopolitical motivations. However, the most prevalent reason is financial gain. Other motivations include process disruption (e.g., websites, services, companies, institutions, etc.), attackers seeking to amuse themselves or realize personal grudges, and hacktivism.

It must be emphasized that regardless of how malware operates or to what end it is used – the presence of this software on a system threatens device integrity and user safety. Therefore, all threats must be eliminated immediately upon detection.

How did ApolloShadow infiltrate my computer?

Entities of interest to the Secret Blizzard group that use local Russian ISP providers are incredibly vulnerable to the latest ApolloShadow campaign, which also combines social engineering tactics to facilitate the infection.

However, this malware could be spread using other techniques. Social engineering and phishing techniques are standard in malware proliferation.

In general, malicious software is distributed via backdoor/loader-type trojans, drive-by (stealthy/deceptive) downloads, untrustworthy download channels (e.g., unofficial and free file-hosting websites, Peer-to-Peer sharing networks, etc.), online scams, malicious attachments/links in spam (e.g., emails, PMs/DMs, social media posts, etc.), malvertising, illegal software activation tools ("cracks"), and fake updates.

Furthermore, some malicious programs can self-spread through local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).

How to avoid installation of malware?

Due to the particular nature of ApolloShadow campaigns, the advice to lower the risks includes ensuring that network traffic is routed securely via an encrypted tunnel. The traffic has to be routed to a trustworthy network or VPN (Virtual Private Network) service that is not controlled or affiliated with potentially hostile third-parties.

Other general recommendations include researching software and downloading it only from official/verified sources. All programs must be activated and updated using legitimate functions/tools, as those obtained from third-parties can contain malware.

Additionally, we advise vigilance when browsing since the Internet is full of deceptive and malicious content. Incoming emails and other messages must be approached with care. Attachments or links present in suspicious/irrelevant mail must not be opened, as they can be virulent.

It is paramount to have a dependable antivirus installed and kept up-to-date. Security software must be used to run regular system scans and to remove detected threats. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Screenshot of the pop-up displayed by ApolloShadow during installation:

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

• What is ApolloShadow?
• STEP 1. Manual removal of ApolloShadow malware.
• STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in "Safe Mode with Networking":

Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with ApolloShadow malware, should I format my storage device to get rid of it?

Malware removal rarely requires such drastic measures.

What are the biggest issues that ApolloShadow malware can cause?

The dangers associated with an infection depend on a malicious program's abilities and the attackers' goals. ApolloShadow is a custom malware used by a Russian state-backed threat actor dubbed "Secret Blizzard". It has been utilized to target embassies and diplomatic entities based in Moscow. Cyber espionage attacks of this kind carry even more risks than those posed by high-risk malware, such as severe privacy issues, financial losses, and identity theft.

What is the purpose of ApolloShadow malware?

As mentioned above, ApolloShadow has been used for cyber espionage. However, politically and geopolitically motivated attacks are not the only type. Profit is the most common reason behind malware infections, but malicious software is also used for amusement, realization of personal vendettas, process disruption (e.g., sites, services, companies, etc.), and hacktivism.

How did ApolloShadow malware infiltrate my computer?

In the latest campaigns, ApolloShadow infiltration chain relied on the AiTM technique at the ISP level; thus, victims using local Russian ISPs were particularly vulnerable.

Generally, the most widely used malware proliferation methods include: drive-by downloads, trojans, spam mail, malvertising, online scams, dubious download channels (e.g., freeware and free file-hosting websites, Peer-to-Peer sharing networks, etc.), fake updaters, and illegal software activation ("cracking") tools. Some malicious programs can self-spread through local networks and removable storage devices.

Will Combo Cleaner protect me from malware?

Combo Cleaner is designed to scan systems and eliminate all manner of threats. It is capable of detecting and removing most of the known malware infections. Note that performing a complete system scan is essential since sophisticated malicious programs tend to hide deep within systems.