Dark Web Profile: Void Blizzard

Void Blizzard (aka Laundry Bear) is a Russian state-sponsored espionage group active since at least 2024 that targets NATO and EU governments, defense contractors, and critical infrastructure using credential theft, phishing (including QR-code lures that lead to an adversary-in-the-middle login page), and living-off-the-land abuse of Microsoft cloud services. The Dutch AIVD/MIVD and Microsoft exposed its tradecraft after incidents such as the September 2024 compromise of the Dutch national police and an April 2025 spear-phishing campaign built on Evilginx and a typosquatted Microsoft login domain.

Keypoints

  • Void Blizzard is a Russian state-backed espionage actor active since at least 2024, tracked by Dutch intelligence as “Laundry Bear.”
  • The group focuses on NATO/EU-linked targets: defense ministries, armed forces, defense contractors, foreign affairs, and EU institutions.
  • It primarily leverages stolen credentials, session cookies, password spraying, and phishing rather than custom malware, favoring living-off-the-land techniques in Microsoft cloud environments.
  • In April 2025, Void Blizzard ran a spear-phishing campaign using QR codes leading to a typosquatted domain (micsrosoftonline[.]com) and an Evilginx AitM page to capture credentials and session cookies.
  • Post-compromise, the group abuses Microsoft APIs (Graph, Exchange Online), collects emails, OneDrive/SharePoint files, accesses Teams web chats, and maps Azure AD with AzureHound.
  • Defenses should prioritize identity protection: phishing-resistant MFA (FIDO2), conditional access, monitoring for password spraying, strict delegated-access audits, and phishing detection for typosquatted domains.
  • SOCRadar and similar threat-intel/ASM tools can help detect credential leaks, phishing domains, exposed assets, and suspicious cloud activity tied to Void Blizzard.
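
The password-spraying pattern named above (a few passwords tried across many accounts, staying under lockout thresholds) is easy to miss per user and easy to see per source IP. The following detection is an added example written for this page, not SOCRadar's or Microsoft's code. It runs over a constructed set of Microsoft Entra sign-in records (field names follow the Entra signIn resource; error code 50126 is "invalid username or password"); the IP addresses, user names and timestamps are made up, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Microsoft Entra sign-in log records (not real telemetry).
# status.errorCode 50126 is "invalid username or password"; 0 is a success.
SPRAY_IP = "198.51.100.23"          # constructed attacker source
BENIGN_IP = "203.0.113.7"           # constructed employee source
TARGETS = ["a.jansen", "b.devries", "c.bakker", "d.visser", "e.smit", "f.meijer"]

def _event(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": f"{user}@example.gov",
            "ipAddress": ip, "status": {"errorCode": code}}

SAMPLE_SIGNINS = (
    # one failed guess per account from the same IP, a minute apart: classic spray
    [_event(f"2025-04-10T08:0{i}:15Z", u, SPRAY_IP, 50126) for i, u in enumerate(TARGETS)]
    # the guess that worked, a few minutes later, from the same IP
    + [_event("2025-04-10T08:09:40Z", "d.visser", SPRAY_IP, 0)]
    # an employee mistyping their own password four times, then succeeding
    + [_event(f"2025-04-10T08:0{i}:05Z", "b.devries", BENIGN_IP, 50126) for i in range(1, 5)]
    + [_event("2025-04-10T08:05:30Z", "b.devries", BENIGN_IP, 0)]
)

def _ts(e):
    return datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_failures_per_user=3):
    """Flag source IPs whose failed sign-ins inside one time window touch at
    least `min_users` distinct accounts with at most `max_failures_per_user`
    failures each. Many users and few tries per user is the spray signature,
    because the attacker deliberately stays under lockout thresholds.
    Returns {ip: summary}. Thresholds are assumed values, not vendor guidance."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        failures = [e for e in evs if e["status"]["errorCode"] == 50126]
        # Slide a window starting at each failure; the first window that
        # matches the spray profile is enough to raise one alert for the IP.
        for i, first in enumerate(failures):
            t0 = _ts(first)
            in_window = [f for f in failures[i:] if _ts(f) - t0 <= window]
            per_user = Counter(f["userPrincipalName"] for f in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
                # A success from the spraying IP after the spray began is the
                # event that turns a noisy IP into an account compromise.
                compromised = sorted({e["userPrincipalName"] for e in evs
                                      if e["status"]["errorCode"] == 0 and _ts(e) >= t0})
                alerts[ip] = {"distinct_users": len(per_user),
                              "failures": len(in_window),
                              "success_after_spray": compromised}
                break
    return alerts

if __name__ == "__main__":
    for ip, summary in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, summary)
```

The employee who fails four times from one address never trips the rule, because the rule keys on distinct accounts per source, not failures per account. In a real tenant the per-IP grouping needs widening to an ASN or a known proxy range, since spraying is usually spread across many residential or cloud addresses; the "success after spray" field is the one to page on, because it names the account whose session the attacker now holds.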

MITRE Techniques

  • [T1078] Valid Accounts – Gained initial access with stolen credentials and session cookies, including ones purchased on criminal marketplaces (“stolen credentials or session cookies bought on criminal marketplaces”).
  • [T1110.003] Brute Force: Password Spraying – Employed password spraying, trying a few common passwords across many accounts to avoid lockouts (“password spraying, trying a few common passwords across many accounts”).
  • [T1566.002] Phishing: Spearphishing Link – Delivered spear-phishing emails with PDF attachments containing malicious QR codes that redirected to a fake Microsoft login page (“emails contained PDF attachments with malicious QR codes. When scanned, the QR code redirected victims to a fake Microsoft login page”).
  • [T1557] Adversary-in-the-Middle – Ran an AitM phishing page built on Evilginx, which reverse-proxies the real Microsoft login page and captures usernames, passwords, and session cookies in real time; the victim completes the MFA challenge and the attacker keeps the resulting session (“the phishing site used Evilginx … to steal usernames, passwords, and session cookies in real time”).
  • [T1098.002] Account Manipulation: Additional Email Delegate Permissions – Targeted or abused accounts holding delegated mailbox access, which can read or control multiple inboxes (“Target accounts with delegated access, which can control or view multiple inboxes”).
  • [T1539] Steal Web Session Cookie – Captured web session cookies via AitM phishing to authenticate into cloud services without credentials (“steal usernames, passwords, and session cookies in real time”).
  • [T1087.004] Account Discovery: Cloud Account – Enumerated tenant users and shared mailboxes to choose collection targets, with the AzureHound map of Microsoft Entra supplying the user inventory (“uses AzureHound … to map Microsoft Entra (Azure AD) environments”; “Enumerate and download emails from user and shared mailboxes”).
  • [T1069.003] Permission Groups Discovery: Cloud Groups – Used AzureHound to map Microsoft Entra (Azure AD) group memberships and role assignments (“uses AzureHound, a publicly available tool, to map Microsoft Entra (Azure AD) environments”).
  • [T1114.002] Email Collection: Remote Email Collection – Enumerated and downloaded emails from user and shared mailboxes via Exchange Online APIs (“Enumerate and download emails from user and shared mailboxes”).
  • [T1530] Data from Cloud Storage – Collected files stored in OneDrive and SharePoint (“Collect files stored in OneDrive or SharePoint”).
  • [T1583.001] Acquire Infrastructure: Domains – Registered a typosquatted look-alike of the Microsoft login domain to host the AitM page (“typosquatted domain (micsrosoftonline[.]com)”).
  • [T1048] Exfiltration Over Alternative Protocol – Pulled mailbox and file content in bulk through legitimate cloud APIs over HTTPS rather than through a custom C2 channel (“Possibly automate bulk data collection for speed and scale”).

Indicators of Compromise

  • [Domain] Typosquatted phishing domain – micsrosoftonline[.]com (used to host fake Microsoft login pages and Evilginx AitM capture).
  • [Tool/Framework] AitM framework – Evilginx (used to capture usernames, passwords, and session cookies in real time).
  • [Tool] Cloud discovery tool – AzureHound (used to map Microsoft Entra/Azure AD environments).
  • [Account Artifacts] Stolen credentials and session cookies – obtained from criminal marketplaces or captured by the Evilginx page, then replayed against Exchange Online and SharePoint.
  • [Technique/Event] QR-based phishing payload – malicious QR codes embedded in PDF attachments that redirect to spoofed login sites (observed in April 2025 spear-phishing campaign).
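
The domain indicator above differs from the genuine microsoftonline.com by a single inserted character, which is the kind of look-alike a plain blocklist misses until someone reports it. The following scorer is an added example for this page, not code from SOCRadar or from the reporting it summarizes: it computes an edit distance (with adjacent transpositions, since swapped letters are a common typosquat) between the registrable label of each observed domain and a set of brand labels. The SAMPLE_DOMAINS list is constructed; only micsrosoftonline[.]com comes from the page. BRANDS is an assumed protect-list that you would extend with your own tenant's domains.

```python
# Constructed list of domains as they might appear in mail or DNS telemetry,
# defanged with "[.]" as in the indicator list above. Only micsrosoftonline[.]com
# is from the page; the others are made up for this example.
SAMPLE_DOMAINS = [
    "login.micsrosoftonline[.]com",
    "login.microsoftonline.com",   # the genuine login domain, must not be flagged
    "sharep0int.com",
    "example.org",
    "rnicrosoft.com",
]

# Assumed protect-list: the registrable label of the real Microsoft sign-in and
# collaboration domains. Add your own tenant's domains here.
BRANDS = ("microsoftonline", "microsoft", "office", "sharepoint", "live", "outlook")

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def registrable_label(domain):
    """Second-level label of a refanged, lower-cased domain. Naive on purpose:
    it assumes a one-label public suffix (.com, .org); use a public-suffix
    list in production so .co.uk and friends are handled."""
    labels = domain.replace("[.]", ".").lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None

def typosquat_candidates(domains, brands=BRANDS, max_distance=2):
    """Return (domain, brand_label, distance) for every domain whose registrable
    label is within max_distance edits of a brand label but is not the brand
    itself. Distance 1 catches the inserted 's' in micsrosoftonline; distance 2
    catches the classic 'rn' standing in for 'm'."""
    hits = []
    for raw in domains:
        label = registrable_label(raw)
        if label is None or label in brands:
            continue  # malformed, or the genuine registrable domain
        best = min(brands, key=lambda b: damerau_levenshtein(label, b))
        dist = damerau_levenshtein(label, best)
        if dist <= max_distance:
            hits.append((raw.replace("[.]", ".").lower(), best, dist))
    return hits

if __name__ == "__main__":
    for domain, brand, dist in typosquat_candidates(SAMPLE_DOMAINS):
        print(f"{domain}: {dist} edit(s) from {brand}")
```

A fixed threshold of two edits is only sensible for labels as long as the ones here; against a short brand label such as "live", two edits match a large share of all four-letter words, so scale the allowed distance with label length or require the first and last characters to match. Edit distance also says nothing about homoglyphs in internationalized domain names, which need a separate confusable-character mapping.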


Read more: https://socradar.io/dark-web-profile-void-blizzard/