CyberSecurity news
FlagThis
Rescana@Rescana
//
Void Blizzard, a cyber threat actor with ties to Russia, has been identified as conducting extensive cyberespionage operations targeting critical sectors across Europe and North America. These operations, active since at least April 2024 and escalating in 2025, are aimed at gathering intelligence crucial to Russian governmental objectives. The targeted sectors include government, defense, transportation, media, NGOs, and healthcare, reflecting a broad scope of interest. Void Blizzard, also known as LAUNDRY BEAR, employs various techniques to infiltrate organizations and steal sensitive data.
Spear phishing and credential theft are among the primary methods used by Void Blizzard. The group has been observed using stolen credentials sourced from infostealer ecosystems and launching spear phishing campaigns with typosquatted domains to mimic authentication portals. They also utilize adversary-in-the-middle (AitM) tactics with tools like Evilginx to intercept credentials. A notable campaign in April 2025 targeted over 20 NGOs with a spear phishing attack using a typosquatted domain resembling a Microsoft Entra authentication page. Their post-compromise activities include cloud service abuse, leveraging legitimate cloud APIs for data enumeration and exfiltration, and automating the collection of emails and files from cloud services like Exchange Online and SharePoint.
Meanwhile, security researchers at ESET have uncovered a separate but related cyberespionage campaign dubbed "BladedFeline" targeting Iraqi and Kurdish officials. This operation, linked to OilRig, an Iran-based APT group, utilizes malicious tools such as Whisper, PrimeCache, and Shahmaran to gain unauthorized access to computer systems. The attackers primarily compromise webmail servers to deploy Whisper, a tool designed for data exfiltration and command execution. PrimeCache, a backdoor Internet Information Services (IIS) module, allows persistent covert access to targeted servers. The campaign also highlights the continued use of the Shahmaran backdoor, previously associated with attacks targeting Kurdish diplomatic officials, indicating a sustained interest in intelligence gathering related to Kurdish affairs.
ImgSrc: static.wixstati
References :
Spear phishing and credential theft are among the primary methods used by Void Blizzard. The group has been observed using stolen credentials sourced from infostealer ecosystems and launching spear phishing campaigns with typosquatted domains to mimic authentication portals. They also utilize adversary-in-the-middle (AitM) tactics with tools like Evilginx to intercept credentials. A notable campaign in April 2025 targeted over 20 NGOs with a spear phishing attack using a typosquatted domain resembling a Microsoft Entra authentication page. Their post-compromise activities include cloud service abuse, leveraging legitimate cloud APIs for data enumeration and exfiltration, and automating the collection of emails and files from cloud services like Exchange Online and SharePoint.
Meanwhile, security researchers at ESET have uncovered a separate but related cyberespionage campaign dubbed "BladedFeline" targeting Iraqi and Kurdish officials. This operation, linked to OilRig, an Iran-based APT group, utilizes malicious tools such as Whisper, PrimeCache, and Shahmaran to gain unauthorized access to computer systems. The attackers primarily compromise webmail servers to deploy Whisper, a tool designed for data exfiltration and command execution. PrimeCache, a backdoor Internet Information Services (IIS) module, allows persistent covert access to targeted servers. The campaign also highlights the continued use of the Shahmaran backdoor, previously associated with attacks targeting Kurdish diplomatic officials, indicating a sustained interest in intelligence gathering related to Kurdish affairs.
ImgSrc: static.wixstati
Share:
References :
- be4sec: Cyberespionage Campaign Targets Iraqi and Kurdish Officials with Sophisticated Malware
- Rescana: Void Blizzard Cyberespionage: Targeting Critical Sectors and Systems in Europe and North America
Classification:
- HashTags: #cyberespionage #threatactor #cybersecurity
- Company: Rescana
- Target: Europe and North America Critical Sectors, Iraqi and Kurdish Officials
- Attacker: Void Blizzard
- Feature: cyberespionage
- Malware: Whisper, PrimeCache, Shahmaran
- Type: Espionage
- Severity: Major