SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Void Blizzard
Aug 15, 2025

Dark Web Profile: Void Blizzard

Void Blizzard is a newly identified Russian state-sponsored cyber threat group. Also known as Laundry Bear, the group first drew attention after an attack on the Dutch police in September 2024. Dutch intelligence services AIVD and MIVD, in partnership with Microsoft, have exposed the group’s methods and targets.

Who is Void Blizzard?

Void Blizzard, tracked by Dutch intelligence as “Laundry Bear,” is a Russian state-backed cyber threat actor. The group has operated since at least 2024. It focuses on espionage, targeting governments, defense sectors, and critical infrastructure in NATO and EU countries.

Threat actor card for Void Blizzard

Void Blizzard uses simple but effective techniques. It avoids detection by using tools already present in victim environments, a method known as “living off the land.” It often buys stolen credentials or session cookies from criminal marketplaces, making it harder to trace.

Though similar in style to known Russian groups like APT28, Void Blizzard is a separate actor. It has a high success rate, likely due to automation and its ability to act quickly after gaining access. The group’s methods suggest a strong understanding of Western military and tech supply chains.

What are Void Blizzard’s Targets?

Void Blizzard mainly targets organizations linked to NATO and the European Union. Its focus includes:

  • Defense ministries
  • Armed forces and military branches
  • Defense contractors and aerospace firms
  • Foreign affairs ministries and EU institutions

Overview of the most targeted industries (AIVD)

The group aims to steal sensitive data, especially related to military production, procurement, and weapons deliveries to Ukraine. It also targets companies that produce advanced technologies restricted by Western sanctions.

Beyond military targets, Void Blizzard goes after:

  • High-tech and IT service providers
  • Digital infrastructure companies
  • Political parties, NGOs, media, and education sectors
  • Critical infrastructure organizations

These targets often act as entry points to more valuable systems. By compromising trusted suppliers or service providers, the group can access networks belonging to governments or other high-value targets.

What are Void Blizzard’s Techniques?

Void Blizzard combines low-complexity attack methods with stealthy, persistent access. The group rarely uses malware. Instead, it relies on stolen credentials, phishing, and abuse of built-in cloud services. Despite using unsophisticated tools, Void Blizzard has achieved high success rates, especially in government and critical sectors.

Initial Access

Void Blizzard often gains access using stolen credentials or session cookies bought on criminal marketplaces. These credentials are used to log into Microsoft services like Exchange Online or SharePoint without triggering security alerts. In many cases, they also use password spraying, trying a few common passwords across many accounts to avoid lockouts or detection.

In April 2025, Microsoft observed a more advanced spear phishing campaign by Void Blizzard. The group sent fake invitations to the European Defense and Security Summit to NGOs in the US and Europe. These emails contained PDF attachments with malicious QR codes. When scanned, the QR code redirected victims to a fake Microsoft login page hosted on a typosquatted domain (micsrosoftonline[.]com). The phishing site used Evilginx, an adversary-in-the-middle (AitM) attack framework, to steal usernames, passwords, and session cookies in real time.

Phishing email body (Microsoft)

Post-Compromise Actions

Once inside a system, Void Blizzard exploits cloud APIs like Microsoft Graph and Exchange Online. They:

  • Enumerate and download emails from user and shared mailboxes
  • Collect files stored in OneDrive or SharePoint
  • Target accounts with delegated access, which can control or view multiple inboxes
  • Possibly automate bulk data collection for speed and scale

In some cases, they have accessed Microsoft Teams chats via the web client to collect more internal communication.

They also use AzureHound, a publicly available tool, to map Microsoft Entra (Azure AD) environments. Furthermore, Void Blizzard uses living-off-the-land methods: it relies on tools already present in cloud environments and avoids installing malware. The group often acts within the limits of a compromised Microsoft account, which helps it bypass traditional security tools.

They avoid expanding into deeper network layers, choosing instead to exploit what’s already available in the Microsoft ecosystem.

How to Defend Against Void Blizzard?

Defending against Void Blizzard requires strong identity protection, cloud security hygiene, and constant monitoring. The group’s strength lies in abusing trusted accounts and cloud tools, not in creating complex malware. This makes traditional antivirus tools less effective and shifts the focus toward identity and access protection.

  1. Enforce Strong Authentication
  • Use phishing-resistant MFA, such as FIDO2 hardware tokens or app-based authentication. Avoid SMS-based MFA, which can be bypassed.
  • Implement Conditional Access policies to restrict logins based on IP range, device type, or location.
  2. Monitor for Suspicious Activity
  • Use SIEM (Security Information and Event Management) tools to track login attempts, mailbox access, and changes to privileges.
  • Monitor for password spraying attempts: look for repeated login failures across multiple accounts from a single IP.
  3. Strengthen Credential Protection
  • Block the use of weak or common passwords like “Welcome2024” or “Password123.”
  • Disable inactive accounts and apply strict rules for privileged users.
  • Regularly audit and clean up accounts with delegated access.
  4. Limit Access to Cloud Resources
  • Restrict access to Exchange Online, SharePoint, and Teams to managed devices and known IPs.
  • Use least privilege principles to minimize what any user can access.
  • Control API access and limit automated tools unless required.
  5. Detect and Stop Phishing
  • Educate staff to spot phishing emails, QR code traps, and spoofed domains.
  • Use email filtering to detect and block typosquatted domains.
  • Delete cookies regularly and expire session tokens quickly to limit the use of stolen credentials.
  6. Secure BYOD and Endpoints
  • Avoid Bring Your Own Device (BYOD) unless strictly controlled.
  • Apply centralized device management and require up-to-date endpoint protection.
  7. Prepare for Incident Response
  • Conduct regular threat hunting for signs of Void Blizzard techniques, especially in Microsoft environments.
  • Create a response plan for credential-based attacks, including quick account lockouts and email search tools.
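The password spraying described under Initial Access, and the monitoring advice above (repeated login failures across many accounts from one IP), as an added detection example that is not part of the original post or any SOCRadar product. The record fields and the sample sign-ins are constructed stand-ins for Entra ID sign-in logs; the detector also reports which sprayed account the same IP later signed into successfully.

```python
# Password-spray detector over constructed Entra ID-style sign-in records.
# Added example for this profile, not SOCRadar's or Microsoft's code; record
# fields are a simplified stand-in for Entra ID sign-in logs. Error codes
# 50126 (invalid credentials) and 0 (success) are real Entra values.
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID: wrong username or password
SUCCESS = 0

def ev(user, ip, code, ts):
    return {"user": user, "ip": ip, "code": code,
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}

# Constructed sample: 203.0.113.7 tries one password against five accounts
# at a slow cadence (to dodge lockouts), then signs into one of them;
# 198.51.100.4 is a user mistyping a password once, then succeeding (benign).
SIGNINS = [
    ev("a.smith@example.org", "203.0.113.7", 50126, "2025-04-10T08:00:00Z"),
    ev("b.jones@example.org", "203.0.113.7", 50126, "2025-04-10T08:03:00Z"),
    ev("c.lee@example.org", "203.0.113.7", 50126, "2025-04-10T08:06:00Z"),
    ev("d.kim@example.org", "203.0.113.7", 50126, "2025-04-10T08:09:00Z"),
    ev("e.roy@example.org", "203.0.113.7", 50126, "2025-04-10T08:12:00Z"),
    ev("c.lee@example.org", "203.0.113.7", 0, "2025-04-10T08:25:00Z"),
    ev("f.ann@example.org", "198.51.100.4", 50126, "2025-04-10T08:01:00Z"),
    ev("f.ann@example.org", "198.51.100.4", 0, "2025-04-10T08:02:00Z"),
]

def detect_spray(records, min_users=5, window=timedelta(minutes=30)):
    """Flag IPs that failed against >= min_users distinct accounts within
    `window`, and list the accounts that IP later signed into successfully
    (a spray that found a valid credential)."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["code"] == INVALID_CREDENTIALS]
        spray_start = None
        for i, e in enumerate(fails):  # slide a window over the failures
            users = {f["user"] for f in fails[i:] if f["ts"] - e["ts"] <= window}
            if len(users) >= min_users:
                spray_start = e["ts"]
                break
        if spray_start is None:
            continue
        hits[ip] = {"sprayed_users": sorted({f["user"] for f in fails}),
                    "compromised": sorted({e["user"] for e in evs if e["code"] == SUCCESS
                                           and e["ts"] >= spray_start})}
    return hits
```

In production the same logic would run over the SignInLogs table; the thresholds here are deliberately low so the constructed sample triggers.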

How Can SOCRadar Help?

SOCRadar offers a powerful set of tools that enhance your ability to detect, analyze, and respond to threats like Void Blizzard. By combining threat intelligence, surface monitoring, and brand protection, SOCRadar helps you stay ahead of stealthy attackers who exploit credentials, phishing channels, and cloud services.

Cyber Threat Intelligence (CTI)

This module delivers real-time, actionable insights from a wide range of sources, including the dark web, social media, and breach feeds. It supports:

  • Identity & Access Intelligence to monitor credential abuse
  • Tactical and Operational Intelligence for deeper context on attacker behavior

SOCRadar’s Dark Web Search Engine

Attack Surface Management (ASM)

This module offers the view of a hacker, helping you detect weaknesses in your digital footprint. It focuses on:

  • Discovering exposed assets like forgotten domains or unpatched services
  • Continuous monitoring of web apps, ports, SSL/TLS certs, and DNS (critical for catching attack paths into Microsoft cloud services)

SOCRadar’s Attack Surface Management, Company Vulnerabilities tab

Brand Protection & Advanced Dark Web Monitoring

Monitoring threats to your brand and sensitive data is essential against actors like Void Blizzard. These modules help with:

  • Detecting phishing domains that imitate Microsoft login portals
  • Flagging credential leaks, cookie dumps, and underground sales of compromised data

SOCRadar’s Advanced Dark Web Monitoring

What are the MITRE ATT&CK TTPs of Void Blizzard?

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T1110.003 | Brute Force: Password Spraying |
| Initial Access | T1566.002 | Phishing: Spearphishing Link (via QR phishing) |
| Initial Access | T1556.002 | Steal or Forge Authentication Certificates (via AitM phishing with Evilginx) |
| Persistence | T1098.002 | Account Manipulation: Add Mailbox Delegation |
| Credential Access | T1539 | Steal Web Session Cookie |
| Discovery | T1087 | Account Discovery |
| Discovery | T1069.002 | Permission Groups Discovery (via AzureHound) |
| Collection | T1114.002 | Email Collection: Remote Email Collection |
| Collection | T1530 | Data from Cloud Storage |
| Command & Control | T1090 | Proxy (use of infrastructure like typosquatted domains) |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol (non-C2) |

Source: (AIVD)