Void Blizzard
Void Blizzard is a Russian state-sponsored espionage threat actor, also tracked as Laundry Bear and UAC-0190. The group has been described as active since at least April 2024 and is linked in the reporting to Russian government objectives.

Reported targeting includes Ukraine, NATO-affiliated organizations, and organizations in Europe and North America, with a specific focus on government, defense, transportation, media, NGOs, healthcare, and other entities important to Russian intelligence requirements. Multiple reports state the group targeted Ukrainian government institutions, members of Ukraine's armed forces and defense forces, and more than 20 NATO-affiliated organizations.

Observed initial-access tradecraft includes:
- social engineering via Signal, WhatsApp, Telegram, phone calls, video chats, and other messaging platforms, using legitimate accounts, Ukrainian mobile numbers, and Ukrainian-language interaction to build trust;
- charity-themed lures and fake charity websites;
- password-protected archives and deceptive double extensions such as .docx.pif and .pdf.exe;
- QR codes embedded in PDF attachments;
- adversary-in-the-middle phishing using Evilginx;
- stolen credentials and authentication tokens, sometimes alongside MFA fatigue techniques, and in some cases access to Microsoft Teams via the web client.

Post-compromise activity includes email and file theft, long-term espionage, and cloud identity discovery. Microsoft's reporting says the group used stolen credentials to collect emails and files. Unit 42 reporting states Void Blizzard repurposed AzureHound for post-compromise discovery in Microsoft Entra ID environments, enumerating users, devices, service principals, roles, app role assignments, key vault policies, storage accounts, and cloud services. Malware and tooling linked in reporting include PLUGGYAPE and DRILLAPP.
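Two of the behaviours above leave simple shapes in telemetry: lure attachments with a document-looking inner extension and an executable outer one, and AzureHound-style discovery that hits many Microsoft Graph directory endpoints from one principal in a short window. The following is an added example written for this page, not code from any vendor or from the reporting it cites. The extension lists, the Graph path list, the record layout (`ts`, `principal`, `path`) and every sample record are assumptions constructed for illustration; a real deployment would read sign-in or Graph activity logs in whatever schema the tenant exports.

```python
"""Added example (not from the reporting cited on this page): two detectors
for tradecraft described above, run over constructed telemetry.

1. Deceptive double extensions on lure attachments (e.g. list.docx.pif).
2. A burst of Microsoft Graph directory enumeration by one principal, the
   shape AzureHound-style discovery leaves in activity records.
All field names, lists and sample records are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions Windows treats as runnable (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk", ".hta"}
# Extensions a recipient reads as "just a document".
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".rtf"}


def deceptive_double_extension(filename: str) -> bool:
    """True for names like 'list.docx.pif' or 'form.pdf.exe': a document-looking
    inner extension immediately followed by an executable outer extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return f".{inner}" in DOCUMENT_EXTS and f".{outer}" in EXECUTABLE_EXTS


# Graph resource collections whose listing enumerates the directory
# (assumed subset; a tenant can extend it with the collections it cares about).
ENUM_PATHS = ("/users", "/devices", "/servicePrincipals",
              "/directoryRoles", "/groups", "/applications")


def enumeration_bursts(events, distinct_paths=4, window=timedelta(minutes=10)):
    """Return {principal: sorted enumeration paths} for every principal that
    listed at least `distinct_paths` different collections within `window`.
    Each event is a dict with 'ts' (ISO 8601), 'principal' and 'path'
    (a constructed shape, not a real log schema)."""
    by_principal = defaultdict(list)
    for e in events:
        path = e["path"].split("?")[0].rstrip("/")
        # Only collection listings count; '/users/{id}' is a single lookup.
        if any(path.endswith(p) for p in ENUM_PATHS):
            by_principal[e["principal"]].append(
                (datetime.fromisoformat(e["ts"]), path))
    flagged = {}
    for principal, hits in by_principal.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if t - start <= window}
            if len(seen) >= distinct_paths:
                flagged[principal] = sorted(seen)
                break
    return flagged


# Constructed sample records: one service account sweeps four collections in
# twenty seconds; an interactive user lists two collections two hours apart.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:00:00", "principal": "svc-backup@example.test", "path": "/v1.0/users?$top=999"},
    {"ts": "2025-05-01T09:00:05", "principal": "svc-backup@example.test", "path": "/v1.0/devices"},
    {"ts": "2025-05-01T09:00:09", "principal": "svc-backup@example.test", "path": "/v1.0/servicePrincipals"},
    {"ts": "2025-05-01T09:00:14", "principal": "svc-backup@example.test", "path": "/v1.0/directoryRoles"},
    {"ts": "2025-05-01T09:00:20", "principal": "svc-backup@example.test", "path": "/v1.0/users/abc"},
    {"ts": "2025-05-01T09:03:00", "principal": "alice@example.test", "path": "/v1.0/users"},
    {"ts": "2025-05-01T11:00:00", "principal": "alice@example.test", "path": "/v1.0/groups"},
]

if __name__ == "__main__":
    for name in ("list.docx.pif", "Form.PDF.exe", "archive.tar.gz", "report.pdf"):
        print(f"{name:16} deceptive={deceptive_double_extension(name)}")
    for principal, paths in enumeration_bursts(SAMPLE_EVENTS).items():
        print(f"enumeration burst by {principal}: {paths}")
```

The threshold of four distinct collections in ten minutes is a starting point, not a tuned value: legitimate directory-sync and backup identities also list collections, so the useful signal is a principal doing it for the first time, from a new IP, or shortly after an interactive sign-in that itself looked like a token replay.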
CERT-UA attributed with medium confidence a 2025 campaign against Ukraine's Defense Forces to Void Blizzard/Laundry Bear/UAC-0190, delivering the Python backdoor PLUGGYAPE via messaging-app social engineering and fake charity sites. PLUGGYAPE supports remote command execution, persistence via Windows Run registry changes, host profiling, and C2 over WebSocket or MQTT. Later variants retrieve base64-encoded C2 details from paste services such as rentry.co and pastebin.com and add obfuscation and anti-analysis or VM checks.

Separate 2026 reporting linked with low confidence a DRILLAPP backdoor campaign targeting Ukrainian organizations to Laundry Bear/Void Blizzard, based on overlaps with earlier tradecraft including charity-themed lures and use of public text-sharing services. DRILLAPP abused Microsoft Edge headless and debugging features to access the file system and capture microphone, camera, and screen data. Reporting also notes that Dutch intelligence tracks the group as Laundry Bear while Microsoft tracks it as Void Blizzard, and that the group was linked to a 2024 breach of Dutch police systems.
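The two backdoors described above each leave a host-level artifact that is cheap to check: a Run-key value written for persistence, an Edge process started with both headless and remote-debugging switches, and (for later PLUGGYAPE variants) a paste body that base64-decodes to WebSocket or MQTT endpoints. The block below is an added example written for this page, not code from CERT-UA or any vendor. It assumes Sysmon-style field names (EventID 13 for registry value set, EventID 1 for process create, `Image`, `TargetObject`, `Details`, `CommandLine`); the Edge command-line flags checked (`--headless`, `--remote-debugging-port`, `--remote-debugging-pipe`) are the author's assumption about how "headless and debugging features" would surface on the command line, and every sample record and the sample paste are constructed.

```python
"""Added example, not code from CERT-UA or any vendor: endpoint-telemetry
triage helpers for behaviours this page attributes to PLUGGYAPE and DRILLAPP.
Field names follow Sysmon conventions (EventID, Image, TargetObject, Details,
CommandLine); every record and the sample paste below are constructed."""
import base64
import binascii
import re

# Run / RunOnce autostart keys, matched anywhere under HKLM or a user hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE)


def run_key_persistence(events):
    """Sysmon EventID 13 (registry value set) writes under a Run/RunOnce key.
    Returns (writing image, value path, value data) tuples for triage."""
    hits = []
    for e in events:
        if e.get("EventID") == 13 and RUN_KEY_RE.search(e.get("TargetObject", "")):
            hits.append((e.get("Image", ""), e["TargetObject"], e.get("Details", "")))
    return hits


def edge_headless_debugging(events):
    """Sysmon EventID 1 (process create) for msedge.exe started with a headless
    switch AND a remote-debugging switch: together they let another process
    drive the browser over DevTools (assumed detection for the DRILLAPP
    behaviour described above)."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not e.get("Image", "").lower().endswith("msedge.exe"):
            continue
        args = e.get("CommandLine", "").lower()
        headless = "--headless" in args
        debugging = "--remote-debugging-port" in args or "--remote-debugging-pipe" in args
        if headless and debugging:
            hits.append(e["CommandLine"])
    return hits


# WebSocket and MQTT URLs, the C2 transports reported for PLUGGYAPE.
C2_SCHEME_RE = re.compile(r"\b(wss?|mqtts?)://[^\s\"']+", re.IGNORECASE)


def extract_c2_from_paste(paste_text):
    """Base64-decode a paste body and pull out ws/wss/mqtt/mqtts endpoints.
    If the body is not valid base64, scan the raw text instead.
    Returns a sorted, de-duplicated list."""
    blob = paste_text.strip()
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        decoded = blob
    return sorted({m.group(0) for m in C2_SCHEME_RE.finditer(decoded)})


# Constructed sample telemetry: a Python interpreter writing a Run value, a
# benign Explorer registry write, an Edge launch with headless + debugging
# switches, and a normal Edge launch. Paths, SIDs and names are invented.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\upd\run.pyw"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
                    r'--remote-debugging-port=9222 --user-data-dir=C:\Users\u\AppData\Local\Temp\edgeprof'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://example.test'},
]

# Constructed paste body (TEST-NET addresses), encoded the way the page
# describes later PLUGGYAPE variants fetching their C2 details.
SAMPLE_PASTE = base64.b64encode(
    b'{"ws":"wss://203.0.113.10:8443/ws","mqtt":"mqtt://203.0.113.10:1883"}').decode()

if __name__ == "__main__":
    for image, key, data in run_key_persistence(SAMPLE_EVENTS):
        print(f"Run-key write by {image}: {key} = {data}")
    for cmd in edge_headless_debugging(SAMPLE_EVENTS):
        print(f"Edge headless+debugging: {cmd}")
    print("C2 endpoints in paste:", extract_c2_from_paste(SAMPLE_PASTE))
```

The Run-key check will also catch legitimate installers, so the triage value is in the joined fields: a scripting interpreter writing a value that points into a user-writable profile directory is the combination worth escalating. Likewise, headless Edge with a debugging port is used by automation frameworks; on a user workstation where no such tooling is expected, the pairing is rare enough to alert on.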
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Tradecraft
41 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
Observables
142 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Russian state-sponsored cyber activity in 2025 as part of broader campaigns against government, defense, energy, and other critical sectors in Ukraine and Europe.
Russian-linked espionage actor using Evilginx and QR-code phishing against NATO-affiliated organizations.
Targeting Ukrainian government organizations and military entities using social engineering as an initial access vector in support of cyberespionage activity.
Operations targeting Ukraine’s armed forces and government institutions using sophisticated social engineering to build trust before delivering malicious files, within a broader pattern of regaining access to previously compromised systems.