Dutch intelligence services have identified a new Russian state-sponsored advanced persistent threat (APT) group, known as Laundry Bear, which is also tracked as Void Blizzard by Microsoft Threat Intelligence.
Active since at least April 2024, this sophisticated cyber espionage operation has targeted NATO countries and Ukraine, employing advanced techniques to infiltrate critical infrastructure and gather intelligence from high-value targets including Dutch police, Ukrainian aviation organizations, and European and US NGOs.
Sophisticated Infrastructure and Attack Methods
Laundry Bear demonstrates exceptional operational security through its use of typosquatted domains and stolen credentials for initial access.
The threat group’s primary attack vector involves spear-phishing campaigns utilizing convincing domain lookalikes such as microsoftonline[.]com, designed to impersonate legitimate Microsoft services.
The group also employs ebsumrnit[.]eu as a malicious sender domain, mimicking the legitimate European Business Summit domain ebsummit[.]eu.
Technical analysis reveals the group’s preference for Cloudflare name servers and PDR Ltd. registrar services, with domains registered using privacy-preserving onionmail[.]org email addresses.
The threat actors configure their infrastructure with Mailgun DNS records for email operations and utilize Evilginx frameworks for credential harvesting.
Notably, the group’s operational timeline shows domains being registered in February and April 2025, with some registrations occurring on the same day Microsoft published its threat intelligence report, indicating a rapid adaptation of its infrastructure.
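The ebsumrnit[.]eu / ebsummit[.]eu pair above is a classic confusable substitution: in many sans-serif fonts "rn" renders almost identically to "m". The following is an added example, not code from the Dutch services' or Microsoft's reporting, showing how a defender can screen observed sender domains against a list of protected domains by collapsing confusable sequences before comparison and falling back to a one-edit distance check. The protected list, the confusable table and the candidate domains other than ebsumrnit[.]eu are constructed for illustration.

```python
"""Flag lookalike domains that impersonate a protected brand domain.

Added example for this article (not the reporting agencies' tooling).
The CONFUSABLES table and all candidates except ebsumrnit[.]eu are constructed.
"""
from typing import Optional

# Character sequences that look alike in common fonts. Multi-character
# sequences come first so they are collapsed before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as ebsumrnit[.]eu back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def normalize(domain: str) -> str:
    """Collapse confusable sequences and hyphens so visually identical
    strings compare equal. Applied to both sides of every comparison."""
    d = refang(domain)
    for seq, canon in CONFUSABLES:
        d = d.replace(seq, canon)
    return d.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: list[str]) -> Optional[dict]:
    """Return a match record if `candidate` impersonates a protected domain,
    None if it is the genuine domain or unrelated."""
    cand = refang(candidate)
    genuine = {refang(p) for p in protected}
    if cand in genuine:
        return None  # the real domain itself is not a lookalike
    cand_norm = normalize(cand)
    for p in genuine:
        if cand_norm == normalize(p):
            return {"candidate": cand, "impersonates": p, "reason": "confusable substitution"}
        if levenshtein(cand, p) <= 1:
            return {"candidate": cand, "impersonates": p, "reason": "edit distance 1"}
    return None


if __name__ == "__main__":
    protected = ["ebsummit.eu"]  # constructed protected-domain list
    # ebsumrnit[.]eu is from the article; the other two are constructed.
    for sender in ["ebsumrnit[.]eu", "ebsumit.eu", "ebsummit.eu", "example.org"]:
        print(sender, "->", classify(sender, protected))
```

Run against mail-gateway sender domains or newly registered domain feeds; normalizing both sides means the table can be extended without producing false positives on the protected domains themselves.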

eurid[.]eu, we find a registration date and registrant contact email for the lookalike domain.
Advanced Threat Hunting Reveals Extensive Network
Sophisticated pivoting techniques have uncovered a vast network of over 30 related domains beyond the initially reported indicators.
Security researchers utilized SHA1 hashes of HTTP response bodies to identify domains serving identical JavaScript redirects, revealing connections to 104.36.83[.]170 and multiple subdomains with authentication themes like auth[.]enticator-secure[.]com.
The investigation revealed a certificate SHA1 fingerprint, ade08cd340765e68f65174820b46c0e3d9b52ab4, which linked multiple AWS-hosted IP addresses, indicating shared infrastructure components.
Analysis of host response history spanning eight months revealed the group’s use of HTTP 52x errors and Rick Astley video redirects as potential countermeasures, possibly indicating law enforcement or defensive actions.
The threat group’s infrastructure spans multiple autonomous systems, including AS 14061 (DigitalOcean), AS 16509 (AWS), and AS 54290 (Hostwinds), demonstrating a diversified hosting strategy to maintain operational resilience.
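The pivoting described in this section (response-body hash to sibling domains, certificate fingerprint to shared IP addresses) is a graph walk over shared attributes. The block below is an added example, not the researchers' own tooling, that builds such a walk over a small set of constructed scan observations. Only the IP 104.36.83[.]170, the host auth[.]enticator-secure[.]com and the certificate fingerprint ade08cd3... come from the article; every other host, IP (RFC 5737 test ranges), body and fingerprint is constructed. Shared IP address is deliberately left out of the default pivot set, since on shared hosting it links unrelated tenants.

```python
"""Pivot from a seed indicator over shared infrastructure attributes.

Added example for this article; the observation records are constructed
in the shape a passive scanning service returns. Real values from the
article: 104.36.83.170, auth.enticator-secure.com, cert ade08cd3...
"""
import hashlib
from collections import defaultdict, deque

# Constructed JavaScript redirect body of the kind the article describes.
REDIRECT_JS = '<script>window.location="https://auth.enticator-secure.com/";</script>'
CERT_FROM_ARTICLE = "ade08cd340765e68f65174820b46c0e3d9b52ab4"

OBSERVATIONS = [  # constructed dataset
    {"host": "auth.enticator-secure.com", "ip": "104.36.83.170",
     "body": REDIRECT_JS, "cert_sha1": CERT_FROM_ARTICLE},
    {"host": "lookalike-a.example", "ip": "198.51.100.12",          # same body
     "body": REDIRECT_JS, "cert_sha1": "c0ffee0000000000000000000000000000000001"},
    {"host": "lookalike-b.example", "ip": "198.51.100.13",          # same cert
     "body": "<html>parking page</html>", "cert_sha1": CERT_FROM_ARTICLE},
    {"host": "lookalike-c.example", "ip": "198.51.100.13",          # only shares an IP
     "body": "<html>other tenant</html>", "cert_sha1": "feed000000000000000000000000000000000002"},
    {"host": "unrelated.example", "ip": "192.0.2.9",                # nothing in common
     "body": "<html>unrelated</html>", "cert_sha1": "dead000000000000000000000000000000000003"},
]


def body_sha1(body: str) -> str:
    """Hash of the raw response body, the pivot key the article describes."""
    return hashlib.sha1(body.encode("utf-8")).hexdigest()


def enrich(observations):
    """Attach the body hash so it can be used like any other attribute."""
    return [{**o, "body_sha1": body_sha1(o["body"])} for o in observations]


def build_index(observations, pivot_keys):
    """Map each (attribute, value) pair to the set of hosts observed with it."""
    index = defaultdict(set)
    for obs in observations:
        for key in pivot_keys:
            index[(key, obs[key])].add(obs["host"])
    return index


def pivot(seed_host, observations, pivot_keys=("body_sha1", "cert_sha1"), max_hops=3):
    """Breadth-first expansion from `seed_host` over shared attribute values.

    Returns {host: hop_distance}. `max_hops` bounds how far a weak link can
    carry the expansion; `pivot_keys` selects which attributes count as links.
    """
    enriched = enrich(observations)
    by_host = {o["host"]: o for o in enriched}
    index = build_index(enriched, pivot_keys)
    seen = {seed_host: 0}
    queue = deque([seed_host])
    while queue:
        host = queue.popleft()
        hops = seen[host]
        if hops >= max_hops:
            continue
        for key in pivot_keys:
            for neighbour in index[(key, by_host[host][key])]:
                if neighbour not in seen:
                    seen[neighbour] = hops + 1
                    queue.append(neighbour)
    return seen


if __name__ == "__main__":
    strong = pivot("auth.enticator-secure.com", OBSERVATIONS)
    with_ip = pivot("auth.enticator-secure.com", OBSERVATIONS,
                    pivot_keys=("body_sha1", "cert_sha1", "ip"))
    print("body/cert pivots:", strong)
    print("adding shared IP:", with_ip)
```

Each hop should be reviewed before the discovered hosts are blocked or reported: a body hash shared by a redirect stub is strong evidence of common tooling, a certificate fingerprint is strong evidence of common deployment, and a shared IP on a cloud provider is often neither.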
This comprehensive analysis demonstrates how advanced threat hunting methodologies can exponentially expand indicator discovery from initial intelligence reports, providing cybersecurity teams with enhanced visibility into sophisticated state-sponsored operations targeting critical infrastructure and democratic institutions.