New Russian Cyber-Spy Crew Laundry Bear Joins the Email-Stealing Pack
In a disturbing turn of events, a previously unknown Kremlin-linked group has been identified as conducting cyber-espionage operations against Dutch police, NATO member states, Western tech companies, and other organizations of interest to the Russian government. Dubbed "Laundry Bear" by Dutch intelligence services and "Void Blizzard" by Microsoft, this new Russian cyber-spy crew has been wreaking havoc since at least April 2024.
A New Player in the Game
According to a joint advisory from the Netherlands General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), Laundry Bear has only carried out non-destructive cyber attacks to date, most likely for espionage purposes. These operations have targeted defense, aerospace, and space technology companies that produce military equipment, as well as firms that produce high-end technologies that Russian President Vladimir Putin seeks but cannot obtain due to Western sanctions.
A Global Reach
The hacking crew has also obtained access to several user accounts at a Ukrainian aviation organization, Microsoft Threat Intelligence said in a recent report. This organization had previously been targeted by Russian-intelligence-linked Seashell Blizzard, aka Sandworm, in 2022. Laundry Bear regularly tries to compromise government organizations and law enforcement agencies in Europe and North America, as well as organizations in telecommunications, the defense industrial base, healthcare, education, IT, transportation, media, and NGOs.
A Sophisticated Attack Vector
The group typically uses stolen credentials procured from "commodity infostealer ecosystems" and then breaks into victim organizations to collect a high volume of email and files. As recently as April 2025, Microsoft Threat Intelligence Center observed Void Blizzard expanding its playbook with targeted spear-phishing attacks aimed at credential theft. This particular campaign targeted over 20 NGOs in Europe and the US.
A New Tactic: Typosquatted Domains
The Russian-linked crew posed as organizers of the European Defense and Security Summit, sending emails containing a malicious PDF designed to lure recipients into an adversary-in-the-middle (AitM) phishing trap. The attachment contained a QR code that redirected victims to Void Blizzard-controlled infrastructure at the typosquatted domain, micsrosoftonline[.]com. This use of a typosquatted domain suggests that Void Blizzard is augmenting its opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors.
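A defender-side check for the lookalike-domain tactic described above, written as an added example rather than code from the advisory or from Microsoft. It refangs a defanged indicator, reduces it to its registrable domain, and flags hosts within a small edit distance of a legitimate sign-in domain. The allowlist of legitimate domains, the distance threshold, and the sample indicators are constructed assumptions for illustration.

```python
"""Lookalike-domain check for typosquatted sign-in hosts (added example)."""
import re

# Assumption: legitimate sign-in hosts a lookalike would imitate; extend with
# your own tenant domains. Constructed for this example, not from the advisory.
LEGIT_DOMAINS = ["microsoftonline.com", "login.microsoftonline.com",
                 "microsoft.com", "office.com"]


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as micsrosoftonline[.]com back into a hostname."""
    s = indicator.lower().strip()
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (enough for the .com domains used here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_domain(indicator: str, max_distance: int = 2) -> dict:
    """Verdict is 'legit' (on the allowlist), 'lookalike' (close to an allowlisted
    domain but not equal to it) or 'unrelated'."""
    host = re.sub(r"^https?://", "", refang(indicator)).split("/")[0]
    reg = registrable_domain(host)
    legit_regs = {registrable_domain(d) for d in LEGIT_DOMAINS}
    if reg in legit_regs:
        return {"host": host, "verdict": "legit", "closest": reg, "distance": 0}
    closest = min(legit_regs, key=lambda d: levenshtein(reg, d))
    dist = levenshtein(reg, closest)
    verdict = "lookalike" if dist <= max_distance else "unrelated"
    return {"host": host, "verdict": verdict, "closest": closest, "distance": dist}
```

Run the check over URLs extracted from inbound PDF attachments or decoded QR codes; a "lookalike" verdict is a strong signal to block the link and investigate the sender.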
A Distinct Group, But Similar Tactics
While all of these tactics are common among Russian government espionage and offensive cyber gangs, Microsoft and the Dutch intel services assert that Laundry Bear is its own distinct group. "The services regularly found that attacks by LAUNDRY BEAR overlap with the modus operandi of APT28," aka Fancy Bear, according to the AIVD and MIVD advisory. Fancy Bear is another GRU-linked group that has been targeting Western and NATO-country logistics providers, tech companies, and government organizations providing transport and foreign assistance to Ukraine since 2022.
The threat actor's prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies of Ukraine. In addition to the previously mentioned targets, Laundry Bear has also been known to use password spraying attacks and to access Microsoft Teams conversations and messages via the Microsoft Teams web client application. The group has enumerated compromised organizations' Microsoft Entra ID configurations using the publicly available AzureHound tool to gain information about users, roles, groups, applications, and devices belonging to that tenant.
In light of this new threat, it is essential for organizations in critical sectors to take immediate action. This includes implementing robust security measures, such as two-factor authentication, monitoring email and network activity, and conducting regular vulnerability assessments. By working together, we can mitigate the risk posed by Laundry Bear and other Russian government-sponsored cyber threats.