New Russian cyber-spy crew Laundry Bear joins the email-stealing pack

A previously unknown Kremlin-linked group has conducted cyber-espionage operations against Dutch police, NATO member states, Western tech companies, and other organizations of interest to the Russian government since at least April 2024, according to Dutch intelligence services and Microsoft.

The Dutch services call the group Laundry Bear, while Microsoft dubbed it Void Blizzard. Both warn the crew appears to be backed by the Russian government.

“LAUNDRY BEAR has only carried out non-destructive cyber attacks to date, most likely for espionage purposes,” according to a joint advisory from the Netherlands General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), which initially identified the group during an investigation into a credential-stealing attack against Dutch police in September 2024.

That same year, the Russian spies broke into defense, aerospace, and space technology companies that produce military equipment, plus firms that produce high-end technologies that Putin wants but can’t obtain due to Western countries’ sanctions, the Dutch services added. 

In October 2024, the hacking crew obtained access to several user accounts at a Ukrainian aviation organization, Microsoft Threat Intelligence said in a Tuesday report, adding that the same org had previously been targeted by the Russian-intelligence-linked Seashell Blizzard, aka Sandworm, in 2022.

The newly discovered cyberspy crew “regularly” tries to compromise government orgs and law enforcement in Europe and North America, and has also targeted telecommunications, defense industrial base, healthcare, education, IT, transportation, media, and NGOs, we’re told. “In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general,” Microsoft wrote.

Adding typosquatting to the arsenal
The group typically uses stolen credentials procured from “commodity infostealer ecosystems,” and then after breaking into victim organizations, “collects a high volume of email and files,” Microsoft added. 

As recently as April 2025, Microsoft Threat Intelligence Center observed Void Blizzard expanding its playbook with targeted spear-phishing attacks aimed at credential theft. This particular campaign targeted more than 20 NGOs in Europe and the US. The Russian-linked crew posed as organizers of the European Defense and Security Summit, sending emails containing a malicious PDF designed to lure recipients into an adversary-in-the-middle (AitM) phishing trap.

The attachment contained a QR code that redirected victims to Void Blizzard-controlled infrastructure at the typosquatted domain, micsrosoftonline[.]com, which hosted a phishing page spoofing the Microsoft Entra (formerly Azure Active Directory) login portal. The setup used the open-source Evilginx kit to intercept usernames, passwords, and session cookies as users attempted to “register” for the bogus summit.

This use of a typosquatted domain, which is a newly observed tactic for the group, “suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors,” Microsoft warned.
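The lookalike domain is the part of this chain a defender can check for cheaply. The Python below is an added example, not code from the article, Microsoft or the Dutch services: it scans proxy-log lines for hosts whose registrable label sits within a couple of edits of "microsoftonline", the brand Void Blizzard imitated, or embeds that label outright. The log format, the client IPs, the users and every host other than micsrosoftonline[.]com are assumptions invented for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy-log lines for the example (not real traffic):
# timestamp, client IP, user, method, URL, HTTP status.
# micsrosoftonline.com is the domain named in the report; every other host is made up.
SAMPLE_PROXY_LOG = """\
2025-04-14T10:02:11Z 10.0.4.17 alice GET https://login.microsoftonline.com/common/oauth2/authorize 200
2025-04-14T10:05:37Z 10.0.4.17 alice GET https://micsrosoftonline.com/?register=summit 200
2025-04-14T10:06:02Z 10.0.4.22 bob GET https://www.rnicrosoftonline.com/login 200
2025-04-14T10:07:40Z 10.0.4.22 bob GET https://portal.azure.com/ 200
2025-04-14T10:09:13Z 10.0.4.31 carol GET https://microsoft-online.com/signin 302
2025-04-14T10:11:58Z 10.0.4.31 carol GET https://login-microsoftonline.com/ 200
2025-04-14T10:12:30Z 10.0.4.31 carol GET https://www.microsoft.com/ 200
"""

# Hypothetical: the brand labels your tenant's sign-in flows legitimately use.
PROTECTED_LABELS = ("microsoftonline",)

URL_RE = re.compile(r"https?://\S+")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(host: str) -> str:
    """Second-level label of a host. No public-suffix list here, so 'example.co.uk'
    would yield 'co'; wire in a PSL before running this over real logs."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(label: str, brand: str, max_distance: int):
    """Why `label` resembles `brand`, or None. An exact match is the genuine domain."""
    if label == brand:
        return None
    if brand in label:                       # login-microsoftonline, microsoftonline-auth, ...
        return "embeds brand label"
    dist = osa_distance(label, brand)        # micsrosoftonline, rnicrosoftonline, ...
    if dist <= max_distance:
        return f"edit distance {dist}"
    return None


def flag_lookalike_hosts(log_text: str, labels=PROTECTED_LABELS, max_distance: int = 2) -> dict:
    """Map each suspicious host in the log to (brand it imitates, reason)."""
    findings = {}
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(0)).hostname
        if not host:
            continue
        label = registrable_label(host)
        for brand in labels:
            if label == brand:
                break                        # genuine brand domain, stop looking
            reason = lookalike_reason(label, brand, max_distance)
            if reason:
                findings[host] = (brand, reason)
                break
    return findings


if __name__ == "__main__":
    for host, (brand, reason) in sorted(flag_lookalike_hosts(SAMPLE_PROXY_LOG).items()):
        print(f"{host:32} looks like {brand}: {reason}")
```

Two caveats worth knowing before pointing this at production logs: it does not decode punycode (xn--) hosts, so IDN homoglyph domains need IDNA decoding and confusable mapping first, and the edit-distance threshold should be tuned per brand label, since a distance of two is generous for short labels and stingy for long ones.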

Once they've gained initial access, the intruders abuse legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate and read mailboxes, including any shared mailboxes the compromised account can reach, along with cloud-hosted files, and then automate bulk collection of that data.

“In a small number of Void Blizzard compromises, Microsoft Threat Intelligence has also observed the threat actor accessing Microsoft Teams conversations and messages via the Microsoft Teams web client application,” Redmond added. “The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant.”
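The collection phase described above is the noisy part: every mailbox read through Exchange Online or Graph can land in the Exchange MailItemsAccessed audit record, where that operation is enabled for the tenant. The Python below is an added example rather than anything from Microsoft's report. It groups simplified audit records by actor and client IP and flags the combination of raw volume, sync-style folder downloads, reads of mailboxes other than the actor's own, and a client IP missing from a hypothetical corporate egress list. The record shape borrows the MailItemsAccessed field names but is cut down; the users, IPs, timestamps and item counts are invented for the example.

```python
from collections import defaultdict

# Hypothetical allow-list of the organisation's known egress addresses.
KNOWN_EGRESS_IPS = {"10.0.4.17", "10.0.4.22", "198.51.100.10"}


def _items(n: int, prefix: str) -> list:
    """Constructed FolderItems entries; real records carry one per message read."""
    return [{"InternetMessageId": f"<{prefix}-{i}@corp.example>"} for i in range(n)]


def _record(time: str, actor: str, owner: str, ip: str, access_type: str, n_items: int) -> dict:
    """Constructed, simplified MailItemsAccessed record (subset of the real schema)."""
    return {
        "CreationTime": time,
        "Operation": "MailItemsAccessed",
        "UserId": actor,                 # who performed the read
        "MailboxOwnerUPN": owner,        # whose mailbox was read
        "ClientIPAddress": ip,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access_type}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": _items(n_items, actor.split("@")[0])}],
    }


# Constructed sample: two ordinary working-hours reads, then one account pulling
# its whole inbox and a shared finance mailbox from an unfamiliar address at night.
SAMPLE_AUDIT = [
    _record("2025-04-15T08:01:00", "alice@corp.example", "alice@corp.example", "10.0.4.17", "Bind", 12),
    _record("2025-04-15T08:40:00", "bob@corp.example", "bob@corp.example", "10.0.4.22", "Bind", 3),
    _record("2025-04-15T23:12:00", "alice@corp.example", "alice@corp.example", "203.0.113.45", "Sync", 600),
    _record("2025-04-15T23:15:00", "alice@corp.example", "finance-shared@corp.example", "203.0.113.45", "Bind", 40),
]


def flag_bulk_collection(records: list, known_ips: set, item_threshold: int = 500) -> list:
    """Return one finding per (actor, client IP) pair that looks like bulk mail collection."""
    per_session = defaultdict(lambda: {"items": 0, "mailboxes": set(), "sync": False})
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        s = per_session[(r["UserId"].lower(), r["ClientIPAddress"])]
        s["items"] += sum(len(f.get("FolderItems", [])) for f in r.get("Folders", []))
        s["mailboxes"].add(r["MailboxOwnerUPN"].lower())
        s["sync"] |= any(p.get("Name") == "MailAccessType" and p.get("Value") == "Sync"
                         for p in r.get("OperationProperties", []))

    findings = []
    for (actor, ip), s in sorted(per_session.items()):
        reasons = []
        if s["items"] >= item_threshold:
            reasons.append(f"{s['items']} items accessed (threshold {item_threshold})")
        if s["sync"]:
            reasons.append("sync-style full-folder download")
        others = sorted(s["mailboxes"] - {actor})
        if others:
            reasons.append("read mailboxes other than own: " + ", ".join(others))
        unknown_ip = ip not in known_ips
        if unknown_ip:
            reasons.append(f"client IP {ip} not in known egress set")
        # Volume alone earns a look. The weaker signals only count when they coincide
        # with an unfamiliar client IP, because delegates legitimately read shared mailboxes.
        if s["items"] >= item_threshold or (unknown_ip and len(reasons) > 1):
            findings.append({"actor": actor, "client_ip": ip, "items": s["items"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_bulk_collection(SAMPLE_AUDIT, KNOWN_EGRESS_IPS):
        print(f"{f['actor']} from {f['client_ip']}: {f['items']} items")
        for reason in f["reasons"]:
            print("  -", reason)
```

The threshold and the egress list are the two knobs to tune: a mail-archiving service account will trip the volume rule every night, so exempt known automation by app or account, and the "other mailboxes" signal is only meaningful once you know which users are expected delegates of which shared mailboxes.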

While all of these tactics are common among most Russian government espionage and offensive cyber gangs, Microsoft and the Dutch intel services assert that Laundry Bear is its own distinct group.

“The services regularly found that attacks by LAUNDRY BEAR overlap with the modus operandi of APT28,” aka Fancy Bear, according to the AIVD and MIVD advisory.

Fancy Bear is a GRU-linked group that has been targeting Western and NATO-country logistics providers, tech companies, and government orgs providing transport and foreign assistance to Ukraine since 2022.

Just last week, 21 government agencies from the US, UK, Canada, Germany, France, Czech Republic, Poland, Austria, Denmark, and the Netherlands sounded the alarm on an ongoing Fancy Bear campaign targeting these sectors’ email servers and internet-connected cameras at Ukrainian border crossings to track aid shipments.

“In addition to a similar target selection, the use of password spraying attacks also overlaps,” the Dutch services said, but added, “LAUNDRY BEAR and APT28 are two different actors.” ®
