(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Get questions like this:

1. what do you know about void blizzard?
2. Are there any known overlaps or links between Void Blizzard and other APT groups targeting similar sectors, and what are the implications for attribution?
3. How do the TTPs of Void Blizzard compare in detail with those of APT28 and other Russian APTs to refine attribution and response?

Does it take a chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work..

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

Suggested Pivot

How effective are Void Blizzard’s adversary-in-the-middle (AitM) spear-phishing campaigns using typosquatted domains like micsrosoftonline[.]com compared to similar tactics employed by APT28 and APT29, and what advanced email security controls and user training methods can best mitigate these evolving phishing threats?
(Rationale: The April 2025 shift to AitM spear-phishing represents a significant escalation in sophistication, requiring prioritized defensive measures.)

TL;DR

Key Points

1. • Void Blizzard (aka Laundry Bear) is a newly identified Russian GRU-linked APT active since April 2024, specializing in credential theft, adversary-in-the-middle (AitM) phishing, and cloud API abuse.
   • Their operations target government, defense, NGOs, and critical infrastructure across NATO, the U.S., Ukraine allies, and Western Europe.
2. • The group’s TTPs include password spraying, session cookie theft (pass-the-cookie), AitM spear-phishing with typosquatted domains (e.g., micsrosoftonline[.]com), and extensive abuse of Microsoft Exchange Online and Graph APIs for stealthy data exfiltration.
   • They avoid custom malware, relying on living-off-the-land (LOTL) techniques, PowerShell, and tools like AzureHound for cloud environment enumeration.
3. • Notable breaches include the 2024 Dutch police compromise and spear-phishing campaigns against over 20 NGOs in Europe and the U.S. in April 2025.
   • Their methods bypass traditional MFA and endpoint detection, complicating defense and attribution.
4. • Immediate mitigations: enforce phishing-resistant MFA, enhance email and cloud security monitoring, audit mailbox and API activity, and deploy behavioral analytics for LOTL detection.
   • Prioritize detection of typosquatted domains, anomalous API calls, and session cookie theft.
5. • Forecasts indicate escalation of AitM phishing, increased cloud API abuse, and potential adoption of these TTPs by other Russian and non-Russian APTs.
   • Intelligence sharing and regulatory pressure on cloud/identity security are expected to intensify.

Executive Summary

Void Blizzard, a Russian state-sponsored APT attributed to the GRU and tracked as Laundry Bear by Dutch intelligence, has rapidly emerged as a major cyber espionage threat since April 2024. The group targets government, defense, telecommunications, NGOs, and critical infrastructure across NATO, the U.S., and Ukraine-aligned states, with a focus on credential theft and cloud-native attack vectors.

Their operations are characterized by initial access via password spraying, infostealer-derived credentials, and session cookie theft (pass-the-cookie). In 2024, they compromised Dutch police accounts, and by April 2025, shifted to highly targeted AitM spear-phishing using typosquatted domains and the Evilginx framework, successfully breaching over 20 NGOs. Void Blizzard extensively abuses Microsoft Exchange Online and Graph APIs for data exfiltration, leveraging AzureHound for cloud environment reconnaissance, and relies on living-off-the-land (LOTL) techniques and PowerShell to evade detection—eschewing custom malware entirely.

Comparative analysis shows Void Blizzard’s TTPs overlap with APT28, APT29, and Turla, but their focus on cloud API abuse and AitM phishing is distinct and increasingly sophisticated. Their campaigns bypass traditional MFA and endpoint defenses, making detection and response challenging.

Operational recommendations include enforcing phishing-resistant MFA (FIDO2, passkey), advanced email filtering for AitM/typosquatting, continuous cloud API monitoring, centralized identity management, and behavioral analytics for LOTL activity. Detection strategies should focus on anomalous API usage, session cookie theft, and PowerShell abuse, leveraging SIEM, EDR, and threat intelligence feeds.

Short-term forecasts predict intensification of AitM phishing and cloud API abuse, while long-term trends suggest proliferation of these TTPs among other APTs, increased regulatory focus on cloud/identity security, and the development of advanced detection solutions. Intelligence gaps remain regarding Void Blizzard’s full operational scope, especially in the U.S., underscoring the need for enhanced intelligence sharing and multinational defense coordination.

Research & Attribution

Historical Context

Void Blizzard, also known as Laundry Bear by Dutch intelligence agencies (AIVD and MIVD), is a newly identified Russian state-sponsored cyber espionage group active since at least April 2024. The group has conducted significant espionage campaigns targeting government, defense, telecommunications, healthcare, education, NGOs, media, and critical infrastructure sectors, primarily in NATO member states, Ukraine allies, Europe, and North America. Their operations include a notable 2024 campaign against the Dutch police, where they used stolen session cookies to access sensitive contact information. Void Blizzard's activities align with Russian strategic objectives, particularly in the context of the Russia-Ukraine conflict and NATO relations.

Timeline

• April 2024: Void Blizzard activity begins, primarily using password spraying and stolen credentials from infostealer malware ecosystems.
• September 2024: Successful compromise of Dutch police accounts via pass-the-cookie attack.
• October 2024: Compromise of Ukrainian aviation organization accounts previously targeted by other Russian APTs.
• April 2025: Shift to targeted spear-phishing campaigns using adversary-in-the-middle (AitM) techniques with typosquatted domains and Evilginx framework, targeting NGOs in Europe and the U.S.
• May 2025: Public disclosure of Void Blizzard's TTPs by Microsoft Threat Intelligence and Dutch intelligence agencies.

Origin

Void Blizzard is attributed to Russian state-sponsored cyber espionage operations, with strong links to Russian military intelligence (GRU). The group is distinct but shares operational overlaps with other Russian APTs such as APT28 (Fancy Bear), APT29 (Cozy Bear), and Turla, reflecting a coordinated Russian intelligence effort.

Countries Targeted

1. Netherlands – Targeted in a high-profile 2024 campaign against Dutch police.
2. United States – Targeted in espionage campaigns against government, defense, NGOs, and critical infrastructure.
3. Ukraine Allies – Targeting aligned with Russian geopolitical interests.
4. NATO Member States – Broad targeting of allied governments and organizations.
5. Other Western Countries – Including those hosting NGOs and critical infrastructure.

Sectors Targeted

1. Government – Espionage targeting government agencies and officials.
2. Defense and Aerospace – Targeting military and defense contractors.
3. Telecommunications – Accessing communications infrastructure.
4. Healthcare and Education – Targeting sensitive data and research.
5. NGOs and Media – Espionage and influence operations.

Motivation

Void Blizzard is motivated by Russian state-sponsored espionage objectives to collect intelligence supporting military, political, and strategic goals, especially related to the Russia-Ukraine conflict and NATO.

Attack Types

• Initial access via password spraying, stolen credentials, and session cookie theft (pass-the-cookie).
• Spear-phishing with adversary-in-the-middle (AitM) phishing traps using typosquatted domains (e.g., micsrosoftonline[.]com) and Evilginx.
• Abuse of legitimate Microsoft cloud APIs (Exchange Online, Microsoft Graph) for bulk data collection.
• Enumeration of Microsoft Entra ID configurations using AzureHound.
• Accessing Microsoft Teams conversations via web client.
• Use of living-off-the-land (LOTL) techniques with no custom malware.

Known Aliases

1. Void Blizzard (Microsoft)
2. Laundry Bear (Dutch Intelligence Services: AIVD and MIVD)

Links to Other APT Groups

Void Blizzard shares targeting overlaps and some TTP similarities with Russian APT groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and Turla (Venomous Bear). However, it is considered a distinct actor with a unique operational profile, particularly in its recent adoption of cloud API abuse and AitM phishing.

Similar Threat Actor Groups

• APT28 (Fancy Bear): Russian GRU-linked group known for espionage and influence operations targeting Western governments and critical infrastructure.
• APT29 (Cozy Bear): Russian intelligence group focused on espionage against government and diplomatic targets.
• Turla (Venomous Bear): Russian espionage group with sophisticated malware and long-term campaigns.

Breaches Involving This Threat Actor

• September 2024: Compromise of Dutch police accounts resulting in theft of work-related contact details.
• Multiple compromises of Ukrainian aviation and defense-related organizations.
• Targeting of over 20 NGOs in Europe and the U.S. via spear-phishing in April 2025.

Comparative Analysis of TTPs: Void Blizzard vs. APT28 and Other Russian APT Groups

Targeting Patterns Against the United States (Last Two Years)

• Void Blizzard has targeted U.S. government agencies, defense contractors, NGOs, and critical infrastructure sectors through credential theft and sophisticated spear-phishing campaigns.
• APT28 continues to target U.S. logistics, technology, and government sectors with phishing, malware, and zero-day exploits.
• Other Russian APT groups maintain persistent espionage campaigns against U.S. critical infrastructure and political entities.
• Specific incidents involving Void Blizzard in the U.S. include spear-phishing campaigns targeting NGOs and critical sectors, though detailed breach disclosures remain limited.
• Intelligence gaps exist regarding the full scope of Void Blizzard's U.S. operations; continuous monitoring and threat intelligence sharing are recommended.

Mitigation and Detection Recommendations for Operational Cybersecurity Teams

Top 3 Immediate Actions

1. Enforce Multi-Factor Authentication (MFA) and Sign-in Risk Policies

   • Implement conditional access policies that block or require MFA for risky sign-ins.
   • Prefer phishing-resistant MFA methods such as FIDO tokens or Microsoft Authenticator with passkey.
   • Avoid telephony-based MFA to mitigate SIM-jacking risks.

2. Enhance Email Security and Phishing Defenses

   • Deploy advanced email filtering to detect typosquatting domains and AitM phishing attempts.
   • Conduct targeted user training on spear-phishing and social engineering.
   • Implement DMARC, DKIM, and SPF to prevent email spoofing.

3. Monitor and Audit Cloud API Usage

   • Use cloud security posture management (CSPM) and Microsoft Defender for Cloud Apps to detect anomalous API calls.
   • Audit mailbox access and delegate permissions regularly.
   • Monitor for unusual Microsoft Teams web client activity.

Additional Mitigation Strategies

• Centralize identity management and log authentication data to SIEM for anomaly detection.
• Apply least privilege and credential hygiene principles, rotating credentials after suspected compromise.
• Use endpoint detection and response (EDR) with behavioral analytics to detect PowerShell and LOTL activity.
• Segment networks to limit lateral movement.

Detection Strategies with Examples

• Detect AitM phishing via monitoring for typosquatted domains like micsrosoftonline[.]com (T1557.001).
• Monitor for suspicious Exchange Web Services (EWS) and Outlook Web Access (OWA) activity (T1560).
• Use Microsoft Defender XDR hunting queries for password spray (T1110), anomalous sign-ins, and session cookie theft (T1539).
• Leverage Sigma rules and YARA signatures for detecting LOTL and PowerShell abuse (T1086).
• Correlate alerts across email, endpoint, and cloud environments for comprehensive visibility.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps..

(Subscribers Only)