Void Blizzard

Void Blizzard is a Russian state-sponsored cyber espionage threat actor aligned with Russian government objectives. It is also tracked as Laundry Bear and UAC-0190. Reporting in the provided content states the group has been active since at least April 2024 and has conducted large-scale espionage operations targeting organizations in NATO member states and Ukraine, as well as victims in Europe and North America. Reported target sectors include government agencies, defense suppliers and contractors, critical infrastructure providers, transportation, media, healthcare, educational institutions, NGOs, and security and defense organizations. Dutch authorities attributed the September 2024 compromise of the Dutch National Police to this actor. The group is described as focusing heavily on cyber espionage and mass email harvesting. Reported post-compromise objectives include stealing emails and files from cloud environments, accessing Microsoft Teams conversations, and cataloging Microsoft Entra ID configurations to map organizational structures and privilege relationships. Microsoft reported that Void Blizzard used AzureHound during discovery to enumerate Entra ID configurations. The content also states the group primarily uses stolen session tokens and purchased or stolen credentials for access, and uses a U.S.-based commercial proxy service plus VPN routing to mask origin and bypass geographic restrictions. Observed tradecraft in the provided content includes spear-phishing with typosquatted domains impersonating Microsoft authentication pages, adversary-in-the-middle phishing using Evilginx, and QR codes embedded in PDF attachments. One campaign targeted more than 20 NATO-affiliated organizations, and another targeted NGOs in Europe and the United States. CERT-UA reporting in the content says Void Blizzard also used sophisticated social-engineering approaches against Ukrainian armed forces and government institutions, including trust-building over phone or messaging platforms before sending malicious files. The content further links Void Blizzard/Laundry Bear/UAC-0190 with operations against Ukrainian entities. CERT-UA attributed with medium confidence a charity-themed espionage campaign targeting Ukraine’s Defense Forces between October and December 2025 to Laundry Bear, delivering the PluggyApe Python backdoor via Signal and WhatsApp social engineering and fake charity websites. Additional reporting cited in the content links the group with low confidence to the February 2026 DRILLAPP backdoor campaign targeting Ukrainian organizations. The content also notes use of the PLUGGYAPE malware family against Ukrainian defense forces. Aliases and tracking names directly mentioned in the content: Void Blizzard, Laundry Bear, and UAC-0190.