
Microsoft Threat Intelligence has identified a cyberespionage campaign by a newly recognized Russia-affiliated actor named Void Blizzard, also tracked as LAUNDRY BEAR. Since at least April 2024, the group has been targeting organizations in sectors critical to Russian strategic interests—primarily across NATO countries and Ukraine—with a focus on intelligence collection.
Void Blizzard is believed to be aligned with Russian state interests. While not as advanced in tactics as other known APTs like Midnight Blizzard or Forest Blizzard, the group is highly effective. Their targets span multiple industries:
- Government and defense
- NGOs and intergovernmental organizations
- Media and education
- Healthcare and IT
- Transportation and telecommunications
The group’s operational focus and victim profiles suggest intentional alignment with broader Russian geopolitical objectives, including intelligence gathering in support of the war in Ukraine.
“Void Blizzard’s cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives,” the report states.
Historically, Void Blizzard has used stolen credentials, likely purchased from criminal marketplaces, to breach Microsoft Exchange and SharePoint environments. However, recent activity reveals a shift toward more direct and sophisticated methods.

In April 2025, Microsoft observed Void Blizzard launching a spear phishing campaign targeting over 20 NGOs in Europe and the U.S. The attackers used typosquatted domains, like micsrosoftonline[.]com, to spoof Microsoft Entra login pages and steal credentials.
“Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors.”
These phishing emails impersonated the European Defense and Security Summit, included a malicious QR code, and used the Evilginx AitM (adversary-in-the-middle) framework to harvest usernames, passwords, and authentication cookies.
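The typosquatted domain above (micsrosoftonline[.]com) is one edit away from the legitimate Microsoft sign-in domain. The following added example, not from Microsoft's report or any of its tooling, shows the kind of lookalike check a defender can run over domains pulled from mail or proxy logs: it refangs the indicator, reduces it to a registrable domain, and flags anything within a small edit distance of a constructed watchlist of legitimate domains.

```python
"""Flag lookalike (typosquatted) domains near a watchlist of legitimate
Microsoft sign-in domains, for triaging URLs seen in email or proxy logs."""

# Constructed watchlist for this example; extend it with the sign-in
# domains your tenant actually uses.
WATCHLIST = ("microsoftonline.com", "microsoft.com", "office.com")

def refang(indicator: str) -> str:
    """Undo the common [.] / hxxp defanging used in threat reports."""
    return indicator.lower().strip().replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1: last two labels. Good enough for .com-style domains;
    a real deployment should consult the Public Suffix List instead."""
    host = hostname.split("://")[-1].split("/")[0].split(":")[0]
    labels = [l for l in host.split(".") if l]
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator: str, max_distance: int = 2):
    """Return (domain, verdict, closest_watchlist_entry, distance), where
    verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    domain = registrable_domain(refang(indicator))
    best = min(WATCHLIST, key=lambda w: levenshtein(domain, w))
    dist = levenshtein(domain, best)
    if dist == 0:
        return domain, "legitimate", best, dist
    if dist <= max_distance:
        return domain, "lookalike", best, dist
    return domain, "unrelated", best, dist

def triage(indicators):
    """Classify many indicators and keep only the lookalikes."""
    return [r for r in (classify(i) for i in indicators) if r[1] == "lookalike"]

if __name__ == "__main__":
    # Constructed sample: the domain named in the report plus benign ones.
    SAMPLE = ["https://login.micsrosoftonline[.]com/common/oauth2",
              "login.microsoftonline.com", "example.org", "micros0ft[.]com"]
    for hit in triage(SAMPLE):
        print(hit)
```

Edit distance alone will also flag some benign near-neighbours, so treat a "lookalike" verdict as a triage signal to enrich with WHOIS age and certificate data rather than an automatic block.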
Once inside a system, Void Blizzard leverages Microsoft 365 cloud APIs, such as Exchange Online and Microsoft Graph, to silently enumerate mailboxes, download documents, and scrape files across shared folders.
“Void Blizzard abuses legitimate cloud APIs… to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files.”
They also exploit Microsoft Teams web clients to read private conversations and use tools like AzureHound to map an organization’s internal Entra ID structure, including roles, apps, and device inventories.
This data is likely exfiltrated in bulk and could be used for intelligence operations, future targeting, or disinformation efforts.
Void Blizzard’s activities often intersect with operations attributed to other well-known Russian groups:
- Forest Blizzard (STRONTIUM/APT28)
- Midnight Blizzard (NOBELIUM/UNC2452)
- Secret Blizzard
In October 2024, Void Blizzard compromised user accounts at a Ukrainian aviation organization previously hit by Seashell Blizzard (GRU), suggesting shared targeting priorities among affiliated threat groups.
“This targeting overlap reflects Russia’s long-standing interest in this organization and, more broadly, in aviation-related organizations since Russia’s invasion of Ukraine in 2022.”