Void Blizzard (LAUNDRY BEAR) Russian State-Sponsored Cloud-Espionage Actor — Russian National Denis Nikolayevich Obrezko Charged (June 2026) — Threadlinqs Intelligence
Threat ID: TL-2026-0796 · Severity: HIGH · Status: ACTIVE · Category: APT
Attribution: Void Blizzard · Russia · ESPIONAGE
Void Blizzard (also tracked as LAUNDRY BEAR) is a Russia-affiliated state-sponsored cyberespionage actor, active since at least April 2024, that conducts high-volume cloud-abuse operations against
Void Blizzard (Microsoft) / LAUNDRY BEAR (Dutch AIVD/MIVD) is a Russia-affiliated threat actor assessed with high confidence to conduct cyberespionage in support of Russian strategic intelligence objectives. Microsoft Threat Intelligence first publicly detailed the group on May 27, 2025 in a coordinated disclosure with the Netherlands General Intelligence and Security Service (AIVD), the Netherlands Defence Intelligence and Security Service (MIVD), and the U.S. FBI. The actor has been active since at least April 2024 and disproportionately targets NATO member states, the European Union, and Ukraine, as well as Eastern and Central Asia.
The group is characterized by methodical but technically unsophisticated tradecraft applied at scale. Initial access is most often achieved using stolen sign-in credentials and web session cookies purchased from commodity infostealer marketplaces, which are then leveraged in password-spray and pass-the-cookie (web session cookie replay) attacks against Microsoft Exchange Online, SharePoint Online, and Entra ID. Beginning in April 2025, the actor escalated to targeted adversary-in-the-middle (AitM) spear phishing using the open-source Evilginx framework. In one April 2025 campaign, Void Blizzard sent more than 20 European and U.S. non-governmental organizations spoofed invitations to a fictitious 'European Defense and Security Summit,' delivering PDF attachments containing malicious QR codes that redirected victims to a typosquatted domain (micsrosoftonline[.]com) impersonating the Microsoft Entra authentication portal to capture credentials and MFA tokens.
Following authentication, the actor abuses legitimate cloud APIs — Exchange Online and Microsoft Graph — to enumerate user mailboxes, shared mailboxes, and delegated resources, then performs bulk automated collection of emails and cloud-hosted files. The actor also accesses Microsoft Teams conversations through the web client and catalogs the victim's Microsoft Entra ID configuration (users, roles, and tenant structure) for organizational mapping, in some cases using the publicly available AzureHound tool for Entra enumeration. The group generally avoids deploying custom malware, instead living off legitimate cloud services and commercial proxy/VPN infrastructure to blend in; operators select U.S.-based commercial proxy IPs matching the victim's region to evade geographic conditional-access controls.
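As an added defensive example (not part of the Threadlinqs advisory, nor of any of its detection rules), the following Python script shows two heuristics a SOC could run over cloud sign-in and audit records to surface the behaviours described above: reuse of a web session from a different network than the interactive MFA sign-in that created it (pass-the-cookie), and bulk mail reads spanning many mailboxes from one account (automated collection over Exchange Online / Graph). Because the actor picks proxies in the victim's own region, the first check keys on a change of autonomous system rather than of country. All records, users, IPs, ASNs, field names and thresholds are constructed for illustration and assume a simplified log shape.

```python
"""Added detection example (constructed data; not the advisory's own rules).

1. Session replay: a session ID created by an interactive MFA sign-in from one
   ASN is later used non-interactively from another ASN with no new interactive
   sign-in in between.
2. Bulk mailbox collection: one account issues many mail-read operations across
   several distinct mailboxes (own, shared, delegated) inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in a simplified Entra sign-in-log shape.
SIGNINS = [
    {"ts": "2025-04-10T08:00:00", "user": "alice@example.org", "session": "S1",
     "ip": "203.0.113.5", "asn": "AS64496", "interactive": True, "mfa": True},
    {"ts": "2025-04-10T09:30:00", "user": "alice@example.org", "session": "S1",
     "ip": "203.0.113.5", "asn": "AS64496", "interactive": False, "mfa": False},
    # Same session reused from a different network, no new interactive sign-in.
    {"ts": "2025-04-10T11:00:00", "user": "alice@example.org", "session": "S1",
     "ip": "198.51.100.77", "asn": "AS64500", "interactive": False, "mfa": False},
    {"ts": "2025-04-10T08:05:00", "user": "bob@example.org", "session": "S2",
     "ip": "203.0.113.9", "asn": "AS64496", "interactive": True, "mfa": True},
    # Benign: bob re-authenticates interactively from a new network, then uses it.
    {"ts": "2025-04-10T12:00:00", "user": "bob@example.org", "session": "S3",
     "ip": "198.51.100.80", "asn": "AS64500", "interactive": True, "mfa": True},
    {"ts": "2025-04-10T12:10:00", "user": "bob@example.org", "session": "S3",
     "ip": "198.51.100.80", "asn": "AS64500", "interactive": False, "mfa": False},
]


def detect_session_replay(signins):
    """Return (user, session, origin_asn, new_asn, ts) for every non-interactive
    use of a session from an ASN other than the one of the interactive sign-in
    that most recently established that session."""
    findings = []
    origin = {}  # (user, session) -> ASN of latest interactive sign-in
    for rec in sorted(signins, key=lambda r: r["ts"]):  # ISO timestamps sort as text
        key = (rec["user"], rec["session"])
        if rec["interactive"]:
            origin[key] = rec["asn"]
            continue
        seen = origin.get(key)
        if seen is not None and seen != rec["asn"]:
            findings.append((rec["user"], rec["session"], seen, rec["asn"], rec["ts"]))
    return findings


def _constructed_activity():
    """Build constructed mail-access audit records: alice reads 60 items across
    6 mailboxes in under 30 minutes; bob reads 10 items from his own mailbox."""
    recs = []
    base = datetime(2025, 4, 10, 11, 5)
    boxes = ["alice", "finance", "legal", "hr", "exec", "press"]
    for i in range(60):
        recs.append({"ts": (base + timedelta(seconds=30 * i)).isoformat(),
                     "user": "alice@example.org", "op": "MailItemsAccessed",
                     "mailbox": f"{boxes[i % 6]}@example.org"})
    for i in range(10):
        recs.append({"ts": (base + timedelta(minutes=3 * i)).isoformat(),
                     "user": "bob@example.org", "op": "MailItemsAccessed",
                     "mailbox": "bob@example.org"})
    return recs


ACTIVITY = _constructed_activity()


def detect_bulk_mailbox_access(activity, window=timedelta(minutes=30),
                               min_ops=50, min_mailboxes=5):
    """Flag users with >= min_ops mail reads touching >= min_mailboxes distinct
    mailboxes within any sliding window; returns {user: (ops, mailboxes)}."""
    by_user = defaultdict(list)
    for rec in activity:
        if rec["op"] == "MailItemsAccessed":
            by_user[rec["user"]].append((datetime.fromisoformat(rec["ts"]), rec["mailbox"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            distinct = {m for _, m in span}
            if len(span) >= min_ops and len(distinct) >= min_mailboxes:
                flagged[user] = (len(span), len(distinct))
                break
    return flagged


if __name__ == "__main__":
    for f in detect_session_replay(SIGNINS):
        print("session replay:", f)
    for user, stats in detect_bulk_mailbox_access(ACTIVITY).items():
        print("bulk mailbox access:", user, stats)
```

Both heuristics are deliberately conservative: the replay check only fires when a session token is used from a different ASN than the interactive sign-in that minted it, which is exactly what geographic conditional-access policies miss when the operator chooses a same-country proxy; the collection check ignores a user reading their own mailbox at normal cadence and only triggers on volume spread across several mailboxes, the pattern of automated enumeration through Exchange Online and Graph. Thresholds should be tuned to the tenant's baseline before alerting.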
Confirmed and reported victims include the Netherlands national police (September 2024, theft of officers' work contact details), a Ukrainian aviation organization previously targeted by GRU actor Seashell Blizzard (October 2024), 20+ NGOs in the April 2025 phishing campaign, and at least 11 U.S. companies cited in the June 2026 DOJ charging documents. On June 11, 2026, Denis Nikolayevich Obrezko appeared in U.S. court and agreed to be taken into custody pending trial on a charge of conspiracy to commit unauthorized computer access; investigators allege he purchased the virtual private servers and registered the domain names used to support Void Blizzard operations. No CVE is associated with this actor — intrusions rely on credential abuse and social engineering rather than software vulnerabilities.
Target sectors: government, law enforcement, defense, defense industrial base, transportation, aviation, communications, telecommunications, information technology, healthcare, education, media
Target regions: Europe, North America, Ukraine, Netherlands, NATO member states, European Union, Eastern Asia, Central Asia
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 19 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
APT, HIGH, threat intelligence, cybersecurity, T1583, T1586, T1588, T1078, T1566, T1110, T1539, T1557