Hunting Laundry Bear: Infrastructure Analysis Guide and Findings
Laundry Bear, as tracked by Dutch Intelligence (also tracked as Void Blizzard by Microsoft Threat Intelligence), is a Russian state-sponsored APT that has been active since at least April 2024 and has targeted NATO countries and Ukraine for intelligence gathering. This threat group has been reported using stolen credentials or session cookies for initial access and has leveraged spear phishing with domain typosquats like micsrosoftonline[.]com. Targets include the Dutch police, a Ukrainian aviation organization, and European and US NGOs. This blog expands on public intelligence showcasing ways we’ve pivoted and discovered new infrastructure and activity.

The initial reporting for this threat actor by Microsoft listed three actor-controlled domain indicators:

micsrosoftonline[.]com - spear-phishing domain (Evilginx)
ebsumrnit[.]eu - malicious sender
outlook-office[.]micsrosoftonline[.]com - spear-phishing domain

To read the complete article see:

Hunting Laundry Bear: Infrastructure Analysis Guide and Findings