Laundry Bear Infrastructure, Key Tactics and Procedures Uncovered
A sophisticated Russian state-sponsored advanced persistent threat (APT) group known as Laundry Bear has emerged as a significant cybersecurity concern, targeting NATO countries and Ukraine through an extensive campaign of espionage and intelligence gathering.
Also tracked as Void Blizzard by Microsoft Threat Intelligence, this threat actor has been actively operating since at least April 2024, demonstrating advanced capabilities in social engineering and infrastructure obfuscation.
The group has strategically focused its operations on high-value targets including the Dutch police force, a Ukrainian aviation organization, and multiple European and US non-governmental organizations.
Their attack methodology relies heavily on stolen credentials and session cookies for initial access, combined with sophisticated spear-phishing campaigns that utilize carefully crafted domain typosquats designed to deceive even security-conscious users.
Validin analysts identified the threat actor’s infrastructure through comprehensive analysis of initially reported indicators, uncovering a complex web of malicious domains and supporting infrastructure.
The investigation revealed that Laundry Bear operates through three primary domain indicators: micsrosoftonline[.]com serving as the main spear-phishing platform built on the Evilginx framework, ebsumrnit[.]eu functioning as a malicious email sender, and outlook-office[.]micsrosoftonline[.]com acting as an additional phishing subdomain.
The threat group’s operational security demonstrates sophisticated planning and execution.
Microsoft’s initial reporting provided the foundation for deeper infrastructure analysis, revealing systematic patterns in domain registration and deployment that suggest coordinated campaign management across multiple operational phases.
Domain Typosquatting and Infrastructure Analysis
Laundry Bear’s most notable tactical approach involves the systematic creation of lookalike domains that closely mimic legitimate services.
The group registered multiple variations of the European Business Summit domain, including ebsumrnit[.]eu, ebsurnmit[.]eu, ebsummlt[.]eu, ebsummt[.]eu, ebsumlts[.]eu, and ebsum[.]eu, all utilizing the same infrastructure patterns and registration methodologies.
Technical analysis reveals the group’s preference for PDR Ltd. as their domain registrar, consistently using Cloudflare name servers and privacy-preserving email addresses from onionmail[.]org services.
The domains employ mailgun[.]org DNS records for email functionality, with each malicious domain configured with specific email subdomains pointing to Mailgun infrastructure through CNAME records.
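The domain variants listed above share a small set of tricks: an inserted or dropped letter (micsrosoftonline, ebsummt), a visually confusable substitution ("rn" for "m" in ebsumrnit and ebsurnmit, "l" for "i" in ebsummlt), a truncation (ebsum), or the brand wrapped in a hyphenated label (it-sharepoint). The following detector is an added example written for this article, not Validin's or Microsoft's tooling; the protected-brand list, the confusable table, the distance thresholds and the treatment of the last label as the public suffix are assumptions chosen for illustration. It normalises confusable sequences before measuring edit distance, which is what makes ebsumrnit compare equal to ebsummit.

```python
"""Flag candidate typosquats of protected brand domains.

Added example for this article; not Validin's or Microsoft's code.
PROTECTED, CONFUSABLES and the thresholds in classify() are assumptions.
"""

# Brands a (hypothetical) organisation wants to watch, as registrable domains.
PROTECTED = ["microsoftonline.com", "ebsummit.eu", "outlook.com", "sharepoint.com"]

# Character sequences that look alike in common sans-serif fonts.  The article's
# domains use two of them: "rn" for "m" and "l" for "i".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]


def registrable_parts(domain):
    """Return (label, tld) of the registrable domain.

    Simplification (assumption): the last label is treated as the public suffix,
    so multi-part suffixes such as co.uk are not handled.  Defanged "[.]" is accepted.
    """
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    return labels[-2], labels[-1]


def normalize_confusables(label):
    """Collapse confusable sequences so look-alike labels compare equal."""
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED, max_distance=2, min_prefix=5):
    """Return (protected_domain, reason) when `domain` resembles a brand, else None.

    Rules are checked in order against each protected domain; the brand's own
    domain returns None.  max_distance and min_prefix are tuning assumptions.
    """
    label, tld = registrable_parts(domain)
    norm = normalize_confusables(label)
    for prot in protected:
        p_label, p_tld = registrable_parts(prot)
        p_norm = normalize_confusables(p_label)
        if label == p_label and tld == p_tld:
            return None                        # the brand's legitimate domain
        if label == p_label:
            return prot, "tld-swap"            # same label, different suffix
        if norm == p_norm:
            return prot, "confusable"          # e.g. ebsumrnit -> ebsummit
        if 0 < levenshtein(norm, p_norm) <= max_distance:
            return prot, "edit-distance"       # e.g. micsrosoftonline, ebsummt
        if p_norm in norm.split("-"):
            return prot, "brand-in-label"      # e.g. it-sharepoint
        if len(norm) >= min_prefix and p_norm.startswith(norm):
            return prot, "truncation"          # e.g. ebsum
    return None


def sweep(domains):
    """Classify a batch of domains, e.g. from a newly-registered-domain feed."""
    return {d: classify(d) for d in domains}


# Constructed input: the defanged domains named in the article plus one legitimate domain.
SAMPLE = [
    "micsrosoftonline[.]com", "outlook-office[.]micsrosoftonline[.]com",
    "ebsumrnit[.]eu", "ebsurnmit[.]eu", "ebsummlt[.]eu", "ebsummt[.]eu",
    "ebsumlts[.]eu", "ebsum[.]eu", "enticator-secure[.]com",
    "maidservant[.]shop", "it-sharepoint[.]com", "microsoftonline.com",
]

if __name__ == "__main__":
    for domain, hit in sweep(SAMPLE).items():
        print(f"{domain:45} {hit if hit else '-'}")
```

Run as a script, the sweep flags every ebsummit variant and both micsrosoftonline entries, while enticator-secure[.]com and maidservant[.]shop pass untouched: a reminder that lexical matching only catches squats of brands you have listed, and that the registrar, name-server and Mailgun patterns described above are what link the rest of the set.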
The group’s JavaScript-based redirection techniques demonstrate technical sophistication.
Analysis of captured HTTP responses revealed consistent use of window.location.href redirectors, with the following code structure deployed across multiple compromised domains:
window.location.href="https://outlook.live.com"
Infrastructure pivoting through body SHA1 hashes, specifically 38c47d338a9c5ab7ccef7413edb7b2112bdfc56f and 2c0fa608bd243fce6f69ece34addf32571e8368f, revealed additional domains including enticator-secure[.]com, maidservant[.]shop, and it-sharepoint[.]com.
These discoveries expanded the known infrastructure footprint significantly, demonstrating the group’s extensive operational capabilities and long-term strategic planning in maintaining persistent access to target environments.
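The two techniques just described, the bare JavaScript redirector and the pivot on body SHA1, combine naturally in a defender's workflow: hash every fetched body, group hosts that serve byte-identical content, and inspect each cluster for a redirect-only page. The code below is an added example written for this article, not Validin's pivot tooling; the hostnames and response bodies are constructed placeholders, the redirect regex and the 512-byte "bare page" heuristic are assumptions, and the two hashes from the article are carried only as a lookup set (the constructed bodies do not match them).

```python
"""Cluster HTTP responses by body SHA1 and flag redirect-only pages.

Added example for this article; not Validin's or Microsoft's code.
REDIRECT_RE, the max_len heuristic and the SAMPLE responses are assumptions.
"""
import hashlib
import re
from collections import defaultdict

# Body SHA1 values named in the article, kept as a lookup set for known clusters.
KNOWN_BODY_HASHES = {
    "38c47d338a9c5ab7ccef7413edb7b2112bdfc56f",
    "2c0fa608bd243fce6f69ece34addf32571e8368f",
}

# Matches `location.href = "..."` style assignments and `location.replace("...")`.
REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|(?:window\.)?location\.replace\(\s*["']([^"']+)["']\s*\)""",
    re.IGNORECASE,
)


def body_sha1(body):
    """Hex SHA1 of the raw response body, the key used for pivoting."""
    return hashlib.sha1(body).hexdigest()


def redirect_target(body):
    """Return the URL a client-side redirector sends the visitor to, or None."""
    match = REDIRECT_RE.search(body.decode("utf-8", errors="replace"))
    if not match:
        return None
    return match.group(1) or match.group(2)


def is_bare_redirect(body, max_len=512):
    """Heuristic (assumption): a tiny page whose only job is to bounce the visitor."""
    return redirect_target(body) is not None and len(body) <= max_len


def pivot(responses):
    """Group hosts by body SHA1 and annotate each cluster.

    `responses` maps hostname -> raw body bytes.  Returns
    {sha1: {"hosts": [...], "redirect_to": str | None,
            "bare_redirect": bool, "known": bool}}.
    """
    clusters = defaultdict(list)
    for host, body in responses.items():
        clusters[body_sha1(body)].append(host)
    report = {}
    for digest, hosts in clusters.items():
        body = responses[hosts[0]]          # identical hash means identical body
        report[digest] = {
            "hosts": sorted(hosts),
            "redirect_to": redirect_target(body),
            "bare_redirect": is_bare_redirect(body),
            "known": digest in KNOWN_BODY_HASHES,
        }
    return report


# Constructed sample responses (not real captures); hostnames are placeholders.
SAMPLE = {
    "phish-a.example": b'<html><script>window.location.href="https://outlook.live.com"</script></html>',
    "phish-b.example": b'<html><script>window.location.href="https://outlook.live.com"</script></html>',
    "phish-c.example": b'<script>location.replace("https://outlook.live.com");</script>',
    "benign.example": b"<html><body><h1>Welcome</h1><p>Company newsletter archive.</p></body></html>",
}

if __name__ == "__main__":
    for digest, info in pivot(SAMPLE).items():
        print(digest[:12], info)
```

phish-a and phish-b collapse into one cluster because their bodies are byte-identical, which is exactly the property that let a single known hash surface enticator-secure[.]com, maidservant[.]shop and it-sharepoint[.]com; phish-c reaches the same destination but with different bytes, so it forms its own cluster and is caught only by the redirect inspection.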