
Microsoft Exposes New Russian Cyber Espionage Group Targeting NATO Allies

Void Blizzard hackers

Microsoft Threat Intelligence has identified a sophisticated new Russian-affiliated threat actor called Void Blizzard, also known as LAUNDRY BEAR, which has been conducting extensive cyber espionage operations since at least April 2024. 

The group primarily targets organizations critical to Russian government objectives across government, defense, transportation, media, non-governmental organizations, and healthcare sectors, with a particular focus on NATO member states and Ukraine.

According to Microsoft's comprehensive analysis, Void Blizzard operates with remarkable scope and precision, disproportionately targeting countries that provide direct military or humanitarian support to Ukraine. 

The threat actor's activities represent what Microsoft describes as "a heightened risk to NATO member states and allies to Ukraine in general," underscoring the strategic nature of their intelligence collection efforts.

The group's methodology combines opportunistic yet targeted high-volume cyber operations with increasingly sophisticated techniques. Initially, Void Blizzard relied heavily on stolen credentials likely purchased from commodity infostealer ecosystems, using these to gain access to Exchange and SharePoint Online environments for extensive data collection. 

However, Microsoft observed a significant tactical evolution in April 2025, when the group began running targeted spear-phishing campaigns that use adversary-in-the-middle techniques.

In their most recent campaign, Void Blizzard demonstrated enhanced capabilities by spoofing the Microsoft Entra authentication portal through a typosquatted domain. 

The attackers posed as organizers from the European Defense and Security Summit, sending carefully crafted emails with PDF attachments containing malicious QR codes. These codes redirected victims to credential phishing pages hosted on actor-controlled infrastructure designed to steal authentication data, including usernames, passwords, and session cookies.

Microsoft's research reveals that Void Blizzard utilizes the open-source Evilginx framework for their adversary-in-the-middle phishing operations. 

Once inside target networks, the group systematically abuses legitimate cloud APIs to enumerate user mailboxes, shared mailboxes, and cloud-hosted files, often automating bulk collection of sensitive organizational data.

The threat actor's targeting overlaps significantly with other known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard, suggesting coordinated intelligence collection efforts directed by parent organizations within Russia's intelligence apparatus. 

Notably, Void Blizzard successfully compromised a Ukrainian aviation organization in October 2024 that had previously been targeted by Russian military intelligence.

Microsoft collaborated with the Netherlands General Intelligence and Security Service, the Netherlands Defence Intelligence and Security Service, and the US Federal Bureau of Investigation in investigating this threat. 

The company recommends organizations implement comprehensive identity hardening measures, including sign-in risk policies, multi-factor authentication with phishing-resistant methods, and centralized identity management platforms to defend against Void Blizzard's sophisticated but methodical approach to cyber espionage.
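Two of the behaviours described above leave recognisable traces in identity and cloud-access telemetry: a session cookie captured by an adversary-in-the-middle phishing page is typically replayed from attacker infrastructure shortly after the victim's own MFA-satisfied sign-in, and a compromised account that automates bulk collection touches far more mailboxes than any one user normally would. The following is an added detection example, written for this article and not code from Microsoft or Cyber Kendra. The log records and their field names (`session`, `mfa`, `op`, `target`) are constructed for illustration and do not reproduce the Entra or Graph log schemas; the thresholds are arbitrary starting points.

```python
"""Toy detectors for two behaviours described in the article: a replayed
session cookie stolen through an adversary-in-the-middle phishing page, and
a compromised account enumerating many mailboxes through cloud APIs.
All log records and field names below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sign-in records (field names are assumptions, not a real schema).
SIGN_INS = [
    {"time": "2025-04-10T09:00:00Z", "user": "alice@example.org",
     "ip": "203.0.113.10", "session": "s-1", "mfa": True},
    # Same session id reused four minutes later from another network with no
    # fresh MFA: the pattern a replayed cookie leaves behind.
    {"time": "2025-04-10T09:04:00Z", "user": "alice@example.org",
     "ip": "198.51.100.7", "session": "s-1", "mfa": False},
    {"time": "2025-04-10T10:00:00Z", "user": "bob@example.org",
     "ip": "203.0.113.22", "session": "s-2", "mfa": True},
    # Same IP as the MFA sign-in, so not suspicious under this rule.
    {"time": "2025-04-10T10:30:00Z", "user": "bob@example.org",
     "ip": "203.0.113.22", "session": "s-2", "mfa": False},
]

# Constructed mailbox-access records: alice reads 30 different mailboxes in
# 30 minutes, bob reads only his own. Operation/target names are assumptions.
API_CALLS = [
    {"time": f"2025-04-10T09:{m:02d}:00Z", "user": "alice@example.org",
     "op": "ListMessages", "target": f"user{m}@example.org"}
    for m in range(10, 40)
] + [
    {"time": "2025-04-10T11:00:00Z", "user": "bob@example.org",
     "op": "ListMessages", "target": "bob@example.org"},
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Flag sessions whose MFA-satisfied sign-in is followed, within `window`,
    by a sign-in on the same session id from a different IP without MFA.
    Returns a list of (user, session, original_ip, replaying_ip)."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["time"]))
        anchor = next((e for e in evs if e["mfa"]), None)
        if anchor is None:
            continue
        t0 = parse_ts(anchor["time"])
        for e in evs:
            t = parse_ts(e["time"])
            if t0 < t <= t0 + window and e["ip"] != anchor["ip"] and not e["mfa"]:
                findings.append((e["user"], session, anchor["ip"], e["ip"]))
                break
    return findings


def find_bulk_mailbox_access(calls, threshold=20, window=timedelta(hours=1)):
    """Return {user: distinct_mailboxes} for principals that touched more than
    `threshold` distinct mailboxes inside any `window`-long span."""
    by_user = defaultdict(list)
    for c in calls:
        by_user[c["user"]].append((parse_ts(c["time"]), c["target"]))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        start, best = 0, 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in rows[start:end + 1]}))
        if best > threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, session, ip_a, ip_b in find_session_replay(SIGN_INS):
        print(f"possible token replay: {user} session {session} {ip_a} -> {ip_b}")
    for user, count in find_bulk_mailbox_access(API_CALLS).items():
        print(f"bulk mailbox access: {user} read {count} distinct mailboxes")
```

The replay rule keys on the session identifier rather than on geography alone, because an adversary-in-the-middle proxy hands the attacker the very token the victim just minted; a sign-in risk policy that demands fresh MFA when a session changes network, as the article's hardening advice suggests, is the corresponding preventive control. The enumeration rule is deliberately simple; in practice the threshold should be derived from each organisation's baseline, with shared-mailbox and service accounts excluded.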
