Microsoft’s Threat Intelligence Center (MSTIC) has issued a critical new security warning about worldwide cloud abuse by a threat actor it tracks as Void Blizzard. Void Blizzard, also known as LAUNDRY BEAR, is assessed with high confidence to be Russia-affiliated. The cyberespionage group has been highly active since at least April 2024 and focuses its operations primarily on NATO member states and Ukraine. Its main targets are critical sectors including telecommunications, information technology, defense, healthcare, government, media, NGOs, and transportation. The group’s operational intent is to gather intelligence in support of Russian strategic objectives.
Void Blizzard’s targeting often overlaps with that of other known Russian state-sponsored actors, including Forest Blizzard and Midnight Blizzard. This overlap points to a coordinated Russian espionage and intelligence effort and raises the risk to nations currently supporting Ukraine. Void Blizzard’s operations have succeeded largely through persistence and tight targeting. Initially the group relied on unsophisticated methods such as basic password spraying, and on stolen credentials likely obtained from criminal infostealer ecosystems. Over the past year, however, its tactics have evolved significantly: by April 2025, MSTIC observed Void Blizzard using adversary-in-the-middle (AitM) spear phishing.
These campaigns targeted more than twenty NGOs in Europe and the United States. Void Blizzard used a typosquatted domain mimicking Microsoft Entra’s legitimate authentication portal, and its phishing emails carried malicious PDF documents containing QR codes that redirected victims to attacker-controlled phishing pages. The group uses the open-source Evilginx framework to capture usernames, passwords, and user session cookies, a shift toward more precise and deceptive initial-access techniques. After compromise, the group abuses legitimate cloud APIs such as Exchange Online and Microsoft Graph to harvest large volumes of emails and files, often automating bulk collection from compromised accounts, including shared mailboxes. In some cases it accessed Microsoft Teams conversations and used tools such as AzureHound.
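Both the password spraying mentioned earlier and the bulk mailbox collection described above leave patterns in sign-in and mailbox-access telemetry. The following is an added example, not code from Microsoft’s report or the original article: a small Python script with two sliding-window detection heuristics run over constructed sample events. The pipe-delimited event format, the field names, the addresses and accounts in the sample, and the window and threshold values are all assumptions made for this example, not a real Entra ID or Exchange Online audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). One event per line:
# "timestamp|event_type|actor|target|source_ip|result"
# - signin events: actor is the account signed into, target is "-"
# - mailread events: actor is the signed-in account, target is the mailbox read
SAMPLE_EVENTS = """\
2025-04-01T08:00:01|signin|alice@example.org|-|203.0.113.7|failure
2025-04-01T08:00:09|signin|bob@example.org|-|203.0.113.7|failure
2025-04-01T08:00:17|signin|carol@example.org|-|203.0.113.7|failure
2025-04-01T08:00:25|signin|dave@example.org|-|203.0.113.7|failure
2025-04-01T08:00:33|signin|erin@example.org|-|203.0.113.7|failure
2025-04-01T08:00:41|signin|frank@example.org|-|203.0.113.7|failure
2025-04-01T08:00:49|signin|frank@example.org|-|203.0.113.7|success
2025-04-01T08:05:00|signin|alice@example.org|-|198.51.100.5|failure
2025-04-01T08:05:20|signin|alice@example.org|-|198.51.100.5|success
2025-04-01T09:10:00|mailread|frank@example.org|frank@example.org|203.0.113.7|success
2025-04-01T09:10:30|mailread|frank@example.org|alice@example.org|203.0.113.7|success
2025-04-01T09:11:00|mailread|frank@example.org|hr-shared@example.org|203.0.113.7|success
2025-04-01T09:11:30|mailread|frank@example.org|legal-shared@example.org|203.0.113.7|success
2025-04-01T09:12:00|mailread|dave@example.org|dave@example.org|198.51.100.9|success
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, etype, actor, target, ip, result = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "type": etype,
            "actor": actor,
            "target": target,
            "ip": ip,
            "result": result,
        })
    return events


def _windowed_distinct(events, group_by, count_field, window, threshold):
    """Generic sliding-window heuristic.

    Group events by `group_by`; within each group, slide a time window of
    length `window` over the time-sorted events and collect the distinct
    `count_field` values it contains. A group is reported when any window
    holds at least `threshold` distinct values. Returns {group: set(values)}.
    """
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[e[group_by]].append(e)

    hits = {}
    for key, evs in groups.items():
        start = 0
        for end, cur in enumerate(evs):
            # Advance the window start until the window fits within `window`.
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x[count_field] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits.setdefault(key, set()).update(distinct)
    return hits


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed sign-ins hit many distinct accounts in a
    short window: the "one password, many users" pattern of a spray."""
    fails = [e for e in events if e["type"] == "signin" and e["result"] == "failure"]
    return _windowed_distinct(fails, "ip", "actor", window, min_accounts)


def detect_bulk_mailbox_access(events, window=timedelta(minutes=30), min_mailboxes=3):
    """Flag accounts that read from many distinct mailboxes (their own, other
    users', shared) in a short window, as automated bulk collection would."""
    reads = [e for e in events if e["type"] == "mailread" and e["result"] == "success"]
    return _windowed_distinct(reads, "actor", "target", window, min_mailboxes)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for ip, accounts in detect_password_spray(evts).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts")
    for actor, boxes in detect_bulk_mailbox_access(evts).items():
        print(f"bulk mailbox access by {actor}: {sorted(boxes)}")
```

Run as a script, the block reports one spray source (203.0.113.7, six accounts) and one bulk-access actor (frank@example.org, four mailboxes including two shared ones), while the single user who mistyped a password from 198.51.100.5 is not flagged. The same windowed-distinct heuristic maps onto Entra ID sign-in logs and Exchange Online mailbox audit records; a success from a flagged spray source shortly after the failures, as in the sample, is the event most worth triaging first, and the thresholds should be tuned against a tenant's own baseline.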
Microsoft’s report underscores the enduring threat posed by such determined actors: even rudimentary tactics can be highly effective when applied with persistence. Void Blizzard’s focus on critical infrastructure is evident in its successful compromises, which included Ukrainian aviation organizations previously targeted by other Russian GRU-linked actors, reflecting Russia’s sustained interest in disrupting sectors that support Ukraine’s efforts. Collaborative analysis with the Dutch AIVD and MIVD and the US FBI was crucial to these findings. Microsoft urges organizations in at-risk sectors to implement specific detections, secure their cloud environments thoroughly, and educate users against phishing lures. As Void Blizzard refines its approach, the global cybersecurity community must remain vigilant.