A newly identified threat actor, Void Blizzard, is emerging as a major player in Russian-linked cyberespionage, according to a detailed report by Microsoft Threat Intelligence.
Active since at least April 2024, Void Blizzard is now on the radar of global security agencies for its highly targeted campaigns against government, defense, healthcare, and media organizations, primarily in NATO member states and Ukraine.
Backed by evidence and collaboration from the Netherlands’ General and Defence Intelligence and Security Services (AIVD and MIVD), as well as the FBI, the report describes Void Blizzard (also known as LAUNDRY BEAR) as a determined and opportunistic actor, capable of causing widespread disruption despite relying on relatively unsophisticated techniques.
Who is Void Blizzard?
Void Blizzard is assessed with high confidence to be affiliated with Russia. Its operations have a clear geopolitical alignment, targeting entities whose intelligence would support Russian strategic objectives. That includes law enforcement and military agencies in countries providing military or humanitarian aid to Ukraine.
While it shares similarities with other Kremlin-linked groups (such as Forest Blizzard, Midnight Blizzard, and Secret Blizzard), Void Blizzard’s recent tactics show an escalation in scope and ambition.
Microsoft’s latest findings suggest that Void Blizzard’s efforts are no longer limited to using stolen credentials from underground markets. In April 2025, the group pivoted to direct spear phishing campaigns, masquerading as legitimate communications to steal passwords and multifactor authentication (MFA) tokens.
A Closer Look at the Tactics
Void Blizzard’s typical playbook begins with either password spraying or credential stuffing, often leveraging infostealer-derived credentials bought from cybercrime marketplaces. Once they’ve breached an organization, their focus shifts to large-scale exfiltration of emails, files, and even Microsoft Teams conversations via cloud APIs such as Microsoft Graph and Exchange Online.
In one recent campaign, the group spoofed the Microsoft Entra login page using a typosquatted domain (micsrosoftonline[.]com) to steal credentials. The phishing emails were disguised as invites to a fake “European Defense and Security Summit” and included PDFs containing malicious QR codes. Microsoft has attributed this activity to Void Blizzard’s use of Evilginx, an open-source adversary-in-the-middle (AitM) framework that intercepts login credentials and session cookies.
Even with basic techniques, the actor has had repeated success. In October 2024, Void Blizzard compromised accounts at a Ukrainian aviation organization, an entity previously targeted by GRU-linked Seashell Blizzard and Forest Blizzard, demonstrating Russia’s long-term interest in the aviation sector.
Why It Matters
Void Blizzard’s persistent targeting of critical infrastructure is a wake-up call. Their campaigns, although technically rudimentary, are succeeding because many organizations still rely on outdated identity and access management controls. Once inside, they move fast, abusing legitimate cloud services to blend in and avoid detection while extracting valuable intelligence.
These operations aren’t just about surveillance. The theft of sensitive information from defense contractors, health providers, and telecommunications networks could be used to disrupt systems, exploit geopolitical tensions, or influence democratic processes.
Practical Steps for At-Risk Organizations
Microsoft’s report doesn’t just outline the threat; it offers concrete guidance for organizations, especially those in high-risk sectors like government, defense, and healthcare.
Identity Hardening
- Apply sign-in risk policies via Conditional Access to block suspicious login attempts or require MFA.
- Enforce phishing-resistant MFA options like FIDO2 tokens or Microsoft Authenticator with passkeys. Avoid SMS-based MFA, which remains vulnerable to SIM-jacking.
- Centralize identity platforms to ensure comprehensive monitoring, ideally through Microsoft Entra ID with SIEM integration.
- Enforce the principle of least privilege and audit privileged account activity regularly.
Email and Post-Compromise Protections
- Enable mailbox auditing by default and routinely check non-owner mailbox access reports.
- Rotate credentials immediately if a device is suspected to have been infected with an infostealer.
- Monitor cloud API activity using tools like Microsoft Graph audit logs and Defender for Cloud Apps anomaly detection.
Detection Signals to Watch
Organizations using Microsoft Defender XDR can watch for specific alerts related to Void Blizzard’s activity:
- Microsoft Defender for Endpoint: Look for alerts on information-stealing malware or password spraying.
- Microsoft Defender for Identity: Key signals include impossible travel, unfamiliar sign-ins, and suspicious behavior.
- Microsoft Defender for Cloud Apps: Alerts for activity from suspicious IPs or unusual user behavior can indicate compromise.
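The two signals that matter most in the intrusion pattern described above (a source spraying a few guesses across many accounts, then one of those accounts signing in successfully from the same source) can be checked directly against sign-in records. The following is an added example, not code from Microsoft or from the report: it runs that logic over a constructed, simplified sign-in log (timestamp, user, source IP, result), which is an assumed format rather than the schema of any Defender or Entra log source.

```python
"""Password-spray detection over simplified sign-in records.

Added example (not Microsoft's or the report's code). The log format below is
constructed for illustration; real sign-in logs carry more fields, but the
same two checks apply: distinct-account fan-out per source, then a success
from a source that was just failing against many accounts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    success: bool


# Constructed sample data. 203.0.113.5 tries many distinct accounts once each
# (a spray) and then succeeds against one of them. 198.51.100.9 is one user
# mistyping a password a few times: high failure volume, but no fan-out.
SAMPLE_LOG = """\
2025-04-10T08:00:01Z alice@example.org 203.0.113.5 FAIL
2025-04-10T08:00:07Z bob@example.org 203.0.113.5 FAIL
2025-04-10T08:00:13Z carol@example.org 203.0.113.5 FAIL
2025-04-10T08:00:19Z dave@example.org 203.0.113.5 FAIL
2025-04-10T08:00:25Z erin@example.org 203.0.113.5 FAIL
2025-04-10T08:00:31Z frank@example.org 203.0.113.5 FAIL
2025-04-10T08:01:02Z grace@example.org 203.0.113.5 SUCCESS
2025-04-10T08:05:00Z heidi@example.org 198.51.100.9 FAIL
2025-04-10T08:05:10Z heidi@example.org 198.51.100.9 FAIL
2025-04-10T08:05:20Z heidi@example.org 198.51.100.9 SUCCESS
"""


def parse_log(text):
    """Parse the constructed 'timestamp user ip RESULT' lines into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, ip, result == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted list of targeted users} for every source whose failed
    sign-ins touched at least `min_accounts` distinct accounts inside `window`.

    Distinct-account fan-out, not raw failure count, is the discriminator:
    a single user retrying a wrong password never trips this check."""
    fails_by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            fails_by_ip[e.ip].append(e)
    hits = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding window over ordered failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                hits.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def successes_after_spray(events, spray_ips, window=timedelta(hours=1)):
    """Successful sign-ins from a spraying source within `window` of one of its
    failures: the strongest sign that a guessed credential actually worked."""
    ordered = sorted(events, key=lambda e: e.ts)
    found = []
    for i, e in enumerate(ordered):
        if e.success and e.ip in spray_ips:
            recent_fail = any(f.ip == e.ip and not f.success and e.ts - f.ts <= window
                              for f in ordered[:i])
            if recent_fail:
                found.append((e.user, e.ip))
    return found


def run(text=SAMPLE_LOG):
    """Run both checks and return (spray sources, likely-compromised accounts)."""
    events = parse_log(text)
    sprays = detect_spray(events)
    return sprays, successes_after_spray(events, set(sprays))


if __name__ == "__main__":
    sprays, compromised = run()
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for user, ip in compromised:
        print(f"ALERT: {user} signed in from spraying source {ip}; rotate credentials and review sessions")
```

The window and account thresholds are tuning knobs; in production they would be calibrated against the tenant's baseline, and the success-after-spray hit is the one that should page someone, because it is the point at which the playbook moves from credential access to mailbox and cloud API exfiltration.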
Security teams should also leverage Microsoft Security Copilot to accelerate threat hunting, triage alerts, and coordinate incident response based on the latest intelligence.
Visibility Across Systems
James McQuiggan, Security Awareness Advocate at KnowBe4, says: “While nation-state sophisticated attacks are persistent, utilise discipline, and target gaps in basic security hygiene, we, as defenders, need visibility across their systems, especially email, remote access, and collaboration tools.”
“Credential theft remains a top method of compromise, and without a strong non-phishable MFA and the least privileged access, attackers move freely once they gain access,” he adds. “Security teams must implement Zero-Trust concepts, assume compromise will happen, and focus on limiting movement, not just stopping entry when an attacker gets inside the network. Attackers don’t need new tools when the old ones still work.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.