
Void Blizzard Cyberespionage: Targeting Critical Sectors and Systems in Europe and North America

  • Rescana
  • 2 days ago
  • 2 min read

Executive Summary

Void Blizzard is identified as a Russia-affiliated threat actor engaged in cyberespionage operations, primarily targeting sectors crucial to Russian governmental objectives. These sectors include government, defense, transportation, media, NGOs, and healthcare, with a focus on Europe and North America. Their operations have been active since at least April 2024, with notable increases in activity observed in 2025. Void Blizzard, also known as LAUNDRY BEAR, uses techniques such as spear phishing and credential theft to infiltrate organizations and exfiltrate sensitive data.

Targeting and Operations

Targeted Sectors:

  • Government and Defense: NATO member states, Ukraine, and countries providing support to Ukraine.
  • Critical Infrastructure: Communications, transportation, and healthcare.
  • Other Sectors: Media, NGOs, education, and IT services.

Exploitation Techniques:

  • Use of stolen credentials from infostealer ecosystems.
  • Spear phishing campaigns using typosquatted domains to spoof authentication portals.
  • Adversary-in-the-middle (AitM) tactics using tools like Evilginx.

Notable Campaigns:

  • In April 2025, Void Blizzard launched a spear phishing campaign targeting over 20 NGOs using a typosquatted domain to mimic Microsoft Entra authentication.

Tools, Tactics, and Procedures (TTPs)

Initial Access:

  • Password Spraying: Trying one password against many usernames, rather than many passwords against one account.
  • Stolen Credentials: Obtained from criminal marketplaces.
  • Phishing: Use of malicious QR codes and spoofed domains.
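The password-spraying technique listed above has a recognizable shape in sign-in telemetry: many distinct accounts failing from one source address within a short window, sometimes followed by a single success. The following Python sketch is an added example, not part of the Rescana report or of any Microsoft tooling; the event layout, the sample events, the 10-minute window and the five-account threshold are all constructed for illustration and should be tuned to real sign-in logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry).
# Fields: ISO timestamp, account, source IP, whether the sign-in succeeded.
SAMPLE_SIGNINS = [
    ("2025-04-10T08:00:01", "alice@example.org", "203.0.113.5", False),
    ("2025-04-10T08:00:04", "bob@example.org",   "203.0.113.5", False),
    ("2025-04-10T08:00:09", "carol@example.org", "203.0.113.5", False),
    ("2025-04-10T08:00:15", "dave@example.org",  "203.0.113.5", False),
    ("2025-04-10T08:00:20", "erin@example.org",  "203.0.113.5", False),
    ("2025-04-10T08:00:26", "frank@example.org", "203.0.113.5", True),   # one hit inside the spray
    ("2025-04-10T08:01:00", "alice@example.org", "198.51.100.7", False),
    ("2025-04-10T08:01:30", "alice@example.org", "198.51.100.7", False),
    ("2025-04-10T08:02:00", "alice@example.org", "198.51.100.7", True),  # a user mistyping, then succeeding
    ("2025-04-10T11:00:00", "gina@example.org",  "203.0.113.5", False),  # far outside the window
]


def detect_password_spray(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source_ip: details} for every source IP whose failed sign-ins
    cover at least `min_distinct_users` distinct accounts inside any `window`.

    Spraying is one password across many accounts, so the signal is the number
    of *distinct* failing accounts per source, not the number of failures per account
    (which is what a lockout policy counts, and what a single mistyping user produces).
    """
    by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [(t, u) for t, u, ok in rows if not ok]
        in_window = Counter()          # account -> failures currently inside the sliding window
        left = 0
        best_count, best_start = 0, None
        for t, user in failures:
            in_window[user] += 1
            # Slide the left edge forward until the window is no wider than `window`.
            while t - failures[left][0] > window:
                old_user = failures[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) > best_count:
                best_count, best_start = len(in_window), failures[left][0]
        if best_count >= min_distinct_users:
            alerts[ip] = {
                "distinct_users": best_count,
                "window_start": best_start.isoformat(),
                # Any success from a spraying source is a credential to rotate immediately.
                "successes": [u for _, u, ok in rows if ok],
            }
    return alerts


if __name__ == "__main__":
    for ip, details in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, details)
```

In the constructed data, 203.0.113.5 fails against five different accounts within twenty seconds and then succeeds against a sixth, so it is reported with that account listed for rotation; 198.51.100.7 fails three times against one account and is not reported, because a per-account failure count would have flagged the wrong thing.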

Post-Compromise Activities:

  • Cloud Service Abuse: Leveraging legitimate cloud APIs for data enumeration and exfiltration.
  • Data Collection: Automation of email and file collection from cloud services like Exchange Online and SharePoint.
  • Use of Tools: AzureHound for Microsoft Entra ID enumeration.

Indicators of Compromise (IOCs)

  • Domains:
    • micsrosoftonline[.]com
    • ebsumrnit[.]eu
    • outlook-office[.]micsrosoftonline[.]com
  • Malware:
    • SHA-256: 06a5bd9cb3038e3eec1c68cb34fc3f64933dba2983e39a0b1125af8af32c8ddb (malicious email attachment)
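The indicators above are published defanged, so a detection script has to refang them before matching, and a domain match must cover subdomains of a listed domain without catching the legitimate login.microsoftonline.com. The Python below is an added example, not code from the Rescana report or from Microsoft. It matches the report's domains and attachment hash against constructed proxy-log lines and mail-gateway attachment records, and goes one step beyond the list by flagging any registrable domain within a small edit distance of microsoftonline.com, since the campaign relied on typosquats of Microsoft's sign-in domain. The log format, the sample lines, the benign placeholder hash and the choice of microsoftonline.com as the reference domain are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators from the report, kept exactly as published (defanged).
DEFANGED_DOMAINS = [
    "micsrosoftonline[.]com",
    "ebsumrnit[.]eu",
    "outlook-office[.]micsrosoftonline[.]com",
]
MALICIOUS_SHA256 = {"06a5bd9cb3038e3eec1c68cb34fc3f64933dba2983e39a0b1125af8af32c8ddb"}

# Legitimate domain the typosquats imitate (assumption for the lookalike check).
REFERENCE_DOMAINS = ("microsoftonline.com",)


def refang(indicator):
    """Turn a defanged indicator back into a matchable string."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator).replace("hxxp", "http").lower()


# Longest first, so the most specific indicator is reported for a subdomain hit.
IOC_DOMAINS = sorted({refang(d) for d in DEFANGED_DOMAINS}, key=len, reverse=True)


def domain_matches(host):
    """Return the indicator that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def edit_distance(a, b):
    """Plain Levenshtein distance, small enough to inline here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable-domain extraction (last two labels); enough for .com/.eu hosts here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host, max_distance=2):
    """Return the reference domain that `host` nearly spells, or None.
    Distance 0 is the genuine domain and is deliberately not flagged."""
    reg = registrable(host)
    for legit in REFERENCE_DOMAINS:
        if 0 < edit_distance(reg, legit) <= max_distance:
            return legit
    return None


# Constructed proxy log (not real traffic): timestamp, user, requested URL.
SAMPLE_PROXY_LOG = """\
2025-04-11T09:12:01 alice@example.org https://login.microsoftonline.com/common/oauth2/authorize
2025-04-11T09:12:44 bob@example.org https://outlook-office.micsrosoftonline.com/login?client=web
2025-04-11T09:13:10 carol@example.org https://ebsumrnit.eu/summit/register
2025-04-11T09:14:02 dave@example.org https://contoso.sharepoint.com/sites/hr
"""


def scan_proxy_log(text):
    hits = []
    for line in text.splitlines():
        ts, user, url = line.split(maxsplit=2)
        host = (urlparse(url).hostname or "").lower()
        ioc, near = domain_matches(host), lookalike_of(host)
        if ioc or near:
            hits.append({"time": ts, "user": user, "host": host, "ioc": ioc, "lookalike_of": near})
    return hits


# Constructed mail-gateway records: (attachment name, SHA-256 the gateway computed).
# The first digest is a placeholder for a benign file; the second is the report's IOC.
SAMPLE_ATTACHMENTS = [
    ("agenda.docx", "0" * 64),
    ("summit-invite.pdf", "06a5bd9cb3038e3eec1c68cb34fc3f64933dba2983e39a0b1125af8af32c8ddb"),
]


def scan_attachments(records):
    """Return the (name, digest) pairs whose digest is a known malicious attachment."""
    return [(name, digest) for name, digest in records if digest.lower() in MALICIOUS_SHA256]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("domain hit:", hit)
    for name, digest in scan_attachments(SAMPLE_ATTACHMENTS):
        print("attachment hit:", name, digest)
```

The genuine login.microsoftonline.com line produces no hit, because the suffix check requires a full label boundary and the lookalike check ignores distance zero; the spoofed outlook-office host is reported both as an exact indicator match and as a near miss of the real domain, which is the signal that would catch a fresh typosquat not yet on the list.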

Mitigation Strategies

  • Identity and Authentication:
    • Implement risk-based Conditional Access policies.
    • Enforce multifactor authentication (MFA).
    • Use phishing-resistant authentication methods such as FIDO tokens.
  • Email Security:
    • Ensure mailbox auditing is enabled.
    • Run non-owner mailbox access reports regularly.
  • Post-Compromise Activity:
    • Rotate any credentials suspected of being compromised.
    • Monitor for anomalous activity via the Microsoft Graph API and Defender for Cloud Apps.

References and Further Reading

  • Microsoft Security Blog: Void Blizzard Report

  • Microsoft Threat Intelligence: Threat Intelligence Blog

  • Collaboration Acknowledgments: Netherlands General Intelligence and Security Service (AIVD), Netherlands Defence Intelligence and Security Service (MIVD), US Federal Bureau of Investigation.

This report provides an overview of the ongoing cyber threat posed by Void Blizzard, emphasizing the need for robust security measures and vigilance against espionage activities targeting critical sectors.

Rescana is here for you

At Rescana, we recognize the critical importance of safeguarding your organization against sophisticated cyber threats like Void Blizzard. Our Third Party Risk Management (TPRM) platform is designed to help you assess and manage the cybersecurity risks posed by your third-party vendors and partners. By providing a comprehensive view of your supply chain's security posture, we empower you to make informed decisions and enhance your organization's resilience against cyber threats. Should you have any questions regarding this report or require assistance with any cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are committed to supporting you in your cybersecurity endeavors.
