A Kremlin-linked cyber espionage group infiltrated networks of NATO countries and Western technology companies


The cyber espionage group known as Laundry Bear has refined its infiltration techniques, using spoofed domains and spear-phishing campaigns to penetrate sensitive networks across Europe and North America. According to The Register, the group—also identified by Microsoft as Void Blizzard—ramped up its operations in April 2024, targeting government agencies, law enforcement bodies, tech firms, and strategic sectors deemed high-value by the Russian government.

Dutch intelligence services AIVD and MIVD confirmed that Laundry Bear operates with backing from the Russian state and warned of the group’s international threat. The first signs of its activity emerged in September 2024, during an investigation into a credential theft attack targeting Dutch police. Authorities later discovered intrusions into defense, aerospace, and advanced technology companies—many of them restricted from selling to Russia due to Western sanctions following the invasion of Ukraine.

Microsoft Threat Intelligence reported that in October of the same year, the group compromised user accounts at Ukrainian aerospace organizations—entities previously attacked by Seashell Blizzard (also known as Sandworm), another Russian state-aligned threat actor.

Laundry Bear’s operations have not been confined to military targets. Microsoft noted that the group has regularly attempted to breach government bodies and law enforcement in Europe and North America, as well as industries such as telecommunications, healthcare, education, IT, transportation, media, and non-governmental organizations.

In a joint letter to the Dutch Parliament, the AIVD and MIVD revealed that the group operated covertly until its discovery in September 2024, when it accessed confidential information from Dutch police officials. The primary goal: gathering intelligence on Western military equipment production and acquisition, and tracking arms shipments to Ukraine.

So far, Laundry Bear’s attacks have been non-destructive in nature, focused on espionage and data exfiltration. The group often relies on stolen credentials obtained through infostealer malware and, once inside targeted organizations, harvests large volumes of emails and files.

In April 2025, Microsoft observed a new wave of spear-phishing attacks aimed at over 20 NGOs in Europe and the United States. During these campaigns, the attackers impersonated organizers of the “European Defense and Security Summit” and distributed malicious PDFs containing QR codes. Victims who scanned the codes were redirected to a spoofed domain—micsrosoftonline.com—designed to mimic Microsoft’s login page. The group used the open-source tool Evilginx to intercept usernames, passwords, and session cookies when users attempted to “register” for the fake event.

This tactic—known as typosquatting—represents a new phase for the group, suggesting a shift toward more targeted and sophisticated operations, Microsoft warned. Once initial access is gained, the attackers exploit legitimate cloud interfaces like Exchange Online and Microsoft Graph to access inboxes—including shared mailboxes—and cloud-hosted files, automating mass data collection.
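A defender can catch this kind of lookalike domain in proxy, DNS or mail-gateway logs by comparing each observed hostname against the organization's real login domains. The following is an added example, not code from the article or from Microsoft: the `PROTECTED` list, the `MAX_DISTANCE` threshold and all function names are assumptions, and the sample hostnames are constructed apart from `micsrosoftonline.com`, which the article names.

```python
# Added example: flag hostnames whose registrable domain is a near-miss of a
# protected login domain. PROTECTED and MAX_DISTANCE are assumptions.
PROTECTED = {"microsoftonline.com", "microsoft.com", "office.com"}
MAX_DISTANCE = 2  # assumed threshold; tune against your own traffic


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "rc" typed for "cr".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive last-two-labels reduction; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str):
    """Return the protected domain this host imitates, or None."""
    dom = registrable(host)
    if dom in PROTECTED:
        return None  # exact match: the genuine service
    best = min(PROTECTED, key=lambda p: osa_distance(dom, p))
    return best if osa_distance(dom, best) <= MAX_DISTANCE else None


# Constructed sample hostnames, except micsrosoftonline.com (named in the article).
SAMPLE_HOSTS = ["login.microsoftonline.com", "login.micsrosoftonline.com",
                "mircosoft.com", "example.org"]


def scan(hosts):
    """Map each suspicious hostname to the protected domain it resembles."""
    return {h: m for h in hosts if (m := lookalike_of(h))}


if __name__ == "__main__":
    for host, target in scan(SAMPLE_HOSTS).items():
        print(f"{host} imitates {target}")
```

Edit distance only covers typo-style variants; homoglyph (IDN) and keyword-combination lookalikes need separate checks.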

Microsoft also found that, in some cases, the attackers accessed Microsoft Teams conversations and messages via the web app, and used the open-source tool AzureHound to map the compromised organization’s Microsoft Entra ID setup, collecting information on users, roles, groups, applications, and devices.

While many of these techniques are common among Russian cyber espionage groups, both Microsoft and Dutch intelligence services emphasize that Laundry Bear operates independently. Nonetheless, the group’s tactics bear similarities to those of APT28 (also known as Fancy Bear), a GRU-linked unit responsible for targeting tech firms, logistics providers, and government agencies across NATO countries supporting Ukraine since 2022.

In recent weeks, 21 government agencies from countries including the United States, United Kingdom, Canada, Germany, France, Czech Republic, Poland, Austria, Denmark, and the Netherlands have issued a joint alert about an ongoing Fancy Bear campaign. This effort targets email servers and internet-connected cameras at Ukrainian border checkpoints to track aid deliveries.

Despite overlaps in target selection and the use of techniques like password spraying, Dutch intelligence services insist that Laundry Bear and APT28 are distinct entities. According to reports from Reuters and The Moscow Times, Dutch investigations have traced Laundry Bear’s cyber operations against Western governments and institutions back to at least 2024.

Dutch intelligence agencies conclude that these cyberattacks are not isolated incidents but part of a broader coordinated effort to collect strategic intelligence on Western military capabilities and arms deliveries to Ukraine.
