Suspected Leader of New Russian Hacking Group Arrested in Thailand

In a significant victory for international law enforcement, a suspected key player in a new Russian state-sponsored hacking group has been arrested. This operation deals a blow to a group that has been aggressively targeting NATO and Ukraine.

The Arrest: What Happened?

On November 6, 2025, Thai police, acting on a request from the US Federal Bureau of Investigation (FBI), arrested a 35-year-old Russian national named Denis Obrezko. He was taken into custody in Phuket, having entered the country a week earlier. Authorities seized laptops and phones, which will now undergo forensic analysis to uncover further details about the group’s operations.

Who is the Threat Actor?

Obrezko is alleged to be a member of a group tracked by Microsoft as “Void Blizzard” and by Dutch intelligence as “Laundry Bear.” This is a new threat actor, first publicly identified in May 2025, and it is distinct from older, better-known Russian groups.

  • Primary Goal: Espionage. They are focused on gathering intelligence from organizations involved in supporting Ukraine.
  • Main Targets: NATO member states, European defense contractors, and non-governmental organizations (NGOs).

How Do They Operate? (TTPs)

Their tactics are a mix of clever social engineering and “living off the land” to avoid detection.

  • Initial Access: They primarily use phishing campaigns. This includes sending emails with malicious QR codes in PDF attachments that redirect victims to fake login pages. They also purchase stolen credentials and session cookies from criminal marketplaces on the dark web.
  • Lateral Movement: Once inside a network, they don’t always deploy custom malware. Instead, they “live off the land,” using legitimate administrative tools already present on the system to move around and gain access to more sensitive areas.
  • Data Theft: Their main objective is to steal data from cloud services like Microsoft 365 and Exchange. They use automated scripts to bulk-collect emails and files.

Indicators of Compromise (IoCs)

Defenders should be on the lookout for the following:

  • Typosquatted Domains: The group registers domains that look very similar to legitimate ones to trick users. An example observed in their campaigns is micsrosoftonline.com.
  • Malicious QR Codes: Be wary of unsolicited emails containing PDF attachments with QR codes, especially those prompting you to log in to a service.
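As an added, defender-side example that is not part of the original article: a small Python script that scans constructed web-proxy log lines for hostnames within a short edit distance of legitimate Microsoft sign-in domains, so that the micsrosoftonline.com look-alike named above is surfaced for triage. The log lines, the allow-list of legitimate domains and the distance threshold are assumptions for the example.

```python
import re

# Registrable domains treated as legitimate (illustrative, not a complete allow-list).
LEGIT_DOMAINS = {"microsoftonline.com", "microsoft.com", "office.com", "live.com"}
# Constructed web-proxy log lines; the look-alike host is the one the article cites.
LOG_LINES = [
    "2025-11-06T09:12:01Z 10.0.0.5 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200",
    "2025-11-06T09:13:44Z 10.0.0.5 GET https://login.micsrosoftonline.com/common/oauth2/v2.0/authorize 200",
    "2025-11-06T09:14:02Z 10.0.0.7 GET https://www.example.org/news 200",
]
HOST_RE = re.compile(r"https?://([^/\s:]+)")

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed letters
    return d[len(a)][len(b)]

def registrable(host: str) -> str:
    """Crude last-two-labels reduction; a real tool would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str, max_dist: int = 2):
    """Return (verdict, closest legit domain); verdict is legit, lookalike or unknown."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legit", reg
    closest = min(LEGIT_DOMAINS, key=lambda legit: damerau_levenshtein(reg, legit))
    # max_dist of 2 catches single typos and letter swaps; tune against your own false positives.
    if damerau_levenshtein(reg, closest) <= max_dist:
        return "lookalike", closest
    return "unknown", closest

def scan(lines):
    """Return (host, closest legit domain) for each request to a look-alike domain."""
    hits = []
    for host in (m.group(1) for m in map(HOST_RE.search, lines) if m):
        verdict, closest = classify(host)
        if verdict == "lookalike":
            hits.append((host, closest))
    return hits
```

Treat hits as a triage list rather than a block list: short legitimate domains such as office.com sit within two edits of other genuine names.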

This arrest is a major success in the ongoing digital battle. By catching a suspected member of a newly identified and active group, authorities have likely disrupted a significant source of intelligence for Russia.