Russia-Affiliated Void Blizzard Impersonates European Defense & Security Summit in Phishing Emails

• Russia-affiliated Void Blizzard APT is sending fake European Defense & Security Summit emails.
• The phishing campaign relies on PDF attachments that redirect to the attackers’ infrastructure.
• Void Blizzard’s operations have demonstrated notable reach, compromising government, defense, telecos, healthcare, transportation, media, NGOs, and education.

A Russia-affiliated group known as Void Blizzard emerged, compromising government bodies, defense contractors, telecommunications providers, healthcare organizations, transportation networks, media outlets, NGOs, and educational institutions.

This significant escalation in nation-state cyberespionage activity was identified by Microsoft Threat Intelligence in a report published today.

Initially, Void Blizzard gained unauthorized access by exploiting purchased credentials obtained through criminal infostealer ecosystems and employing widespread password spray attacks. 

Since April 2025, the group has shifted towards more sophisticated spear phishing tactics, leveraging adversary-in-the-middle (AitM) attacks. 

Notably, Microsoft observed Void Blizzard distributing phishing emails impersonating the European Defense and Security Summit, using malicious QR codes in PDF attachments to redirect victims to counterfeit authentication portals designed to harvest login credentials and session cookies.

Once inside, Void Blizzard executes large-scale data exfiltration by abusing cloud APIs and automating the collection of emails, files, and communications. 

They have also been observed enumerating organizational directories and accessing cloud-based messaging platforms, maximizing intelligence gains from compromised accounts.

Active since at least April 2024, Void Blizzard (also tracked as LAUNDRY BEAR) has rapidly become a high-priority concern for organizations operating in critical sectors across Europe and North America, with a pronounced focus on entities aligned with NATO and Ukraine. 

Many of these targets overlap with victims of other prominent Russian state-sponsored actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard, which highlights a coordinated intelligence-gathering effort likely supporting Russian strategic objectives against NATO states and Ukraine.