State-backed cyber groups
To carry out such large-scale and coordinated cyber activity in practice, the Russian regime relies, among other things, on state-backed cyber groups, which are internationally known as APTs (advanced persistent threats).
These groups can conduct complex and targeted cyber operations aimed at collecting intelligence, maintaining persistent access to compromised information systems and, where required, carrying out disruptive or destructive attacks.
They operate in the interests of Russian special services and military structures and perform intelligence-gathering and preparatory tasks both in peacetime and during a full-scale military conflict.
The activities of Russian APT groups are not limited to cyber operations against Ukraine. They also target countries that support Ukraine politically, economically or militarily. The European Union and NATO member states have remained persistent targets, with attacks aimed at collecting sensitive information and preparing the ground for potential influence or attack operations.
A new arrival: Laundry Bear
Alongside previously known and widely reported Russian APT groups such as Cozy Bear and Fancy Bear, which have targeted EU and NATO member states for years, a new and previously unknown Russian group emerged in 2025.
Within the cybersecurity community, it became known as Laundry Bear (referred to by Microsoft as Void Blizzard).
According to assessments by the Dutch intelligence and security services (AIVD and MIVD), Laundry Bear is very likely a state-sponsored Russian group whose activities since 2024 have focused primarily on cyberattacks against Western countries. Its primary targets are government authorities, defence organisations, foreign ministries, defence industry companies, and other entities in EU and NATO member states that support Ukraine.
The nature of Laundry Bear’s operations and its choice of targets point primarily to intelligence gathering rather than to disruptive or destructive cyber activity. Its main objective is to collect sensitive information, including email correspondence, contact details and other internal organisational data, enabling Russian intelligence services to gain a clearer picture of Western political, military and defence-related intentions.
From a technical perspective, Laundry Bear is not characterised by the use of novel or particularly sophisticated attack vectors. On the contrary, the group relies on relatively simple but effective methods, such as abusing stolen user credentials, password spraying, exploiting authentication cookies (session cookies), and compromising cloud-based email environments, particularly Microsoft Exchange Online.
The necessary authentication data are often obtained from third parties, using spyware-collected credentials sold on dark web marketplaces. This approach is illustrated by the 2024 attack against the Dutch police, in which Laundry Bear gained access to an employee account using a stolen login session. Through this access, the group collected work-related contact details and other information from central systems, which can be used to prepare further targeted attacks.
This case once again demonstrates that any employee can become a target in organisations of interest to an attacker, regardless of their role or level of access.
However, it should be noted that most such attacks are easily preventable by following the basic principles of cyber hygiene, including multi-factor authentication, strong password management and user awareness training.
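As an added illustration of the defender's view of the password spraying described above (this is example code, not part of the original report), the following detector runs over constructed sign-in events and flags a source that fails against many distinct accounts with only a few attempts each, then lists any account that subsequently succeeded from that source. The log format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): timestamp, user, source IP, result.
SAMPLE_EVENTS = """\
2025-03-01T08:00:01Z alice 203.0.113.7 FAIL
2025-03-01T08:00:03Z bob 203.0.113.7 FAIL
2025-03-01T08:00:05Z carol 203.0.113.7 FAIL
2025-03-01T08:00:07Z dave 203.0.113.7 FAIL
2025-03-01T08:00:09Z erin 203.0.113.7 FAIL
2025-03-01T08:00:11Z frank 203.0.113.7 SUCCESS
2025-03-01T08:10:00Z alice 198.51.100.4 FAIL
2025-03-01T08:10:05Z alice 198.51.100.4 FAIL
2025-03-01T08:10:09Z alice 198.51.100.4 SUCCESS
"""

def parse_events(text):
    """Parse one event per line into (timestamp, user, ip, result), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)

def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts": n, "successes": [users]}} for each source IP whose
    failures inside a sliding window hit at least min_accounts distinct accounts
    with at most max_per_account tries each (the spray pattern, which stays below
    per-account lockout thresholds). 'successes' lists accounts that later logged
    in from the same source, i.e. the ones to treat as likely compromised."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in per_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e[1]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                later_ok = {e[1] for e in evs if e[3] == "SUCCESS" and e[0] >= first[0]}
                findings[ip] = {"accounts": len(per_user), "successes": sorted(later_ok)}
                break  # one finding per source is enough
    return findings
```

The second source (two failures then success for a single account) is an ordinary mistyped password and is not flagged, which is the distinction the per-account threshold encodes.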
Venomous Bear and Cozy Bear target diplomats
Diplomatic targets have been a strategic priority for Russian state-backed cyber espionage for years, and 2025 brought no change in this regard. Foreign ministries, embassies and other diplomatic missions represent high-value intelligence targets for Russia, as they provide access to early information on political positions, decision-making processes, alliance relations and discussions related to Ukraine.
In 2025, two long-established Russian APT groups stood out in this domain: APT29, also known as Cozy Bear, and Venomous Bear (also known as Turla).
APT29, which is linked to Russia’s Foreign Intelligence Service (SVR), continued targeted phishing campaigns against employees of European diplomatic institutions.
These attacks relied on credible and context-aware lures, with attackers posing as representatives of foreign ministries or similar bodies and sending apparently official email invitations or notifications, such as for diplomatic events or meetings.
The messages contained malicious links or attachments; if the target failed to exercise sufficient caution and interacted with them, attackers gained access to the victim’s work computer and email account. This enabled APT29 to monitor communications, collect documents and use the compromised account to prepare further targeted intelligence operations.
Venomous Bear, considered one of Russia’s longest-running and technically most capable APT groups and associated with the Federal Security Service (FSB), pursued a different approach in its continued operations against diplomatic targets in 2025. While APT29 primarily relied on phishing emails targeting EU diplomats abroad, Venomous Bear focused on diplomatic missions and staff based within Russia, using local communications and network infrastructure.
This allowed Venomous Bear to redirect diplomats’ web traffic to an adversary-in-the-middle setup, where users were presented with a seemingly legitimate certificate error or security warning. To resolve the issue, victims were prompted to download and install a software component, which granted attackers access to the device and the ability to monitor diplomatic communications.
APT groups linked to Russian intelligence services
| | Fancy Bear / APT28 | Cozy Bear / APT29 | Venomous Bear / Turla | Laundry Bear / Void Blizzard |
|---|---|---|---|---|
| Targets | Government authorities, defence industry, technology and logistics companies, critical infrastructure, and NATO- and EU-related international institutions | Primarily EU and US government authorities, non-governmental organisations, the energy sector, foreign and security policy institutions, and technology and cloud service providers | Government authorities in Eastern Europe and Southeast Asia, including foreign ministries, diplomatic missions and security agencies in Europe and Eurasia, as well as international organisations and research institutions | Government authorities in NATO member states, telecommunications companies, the healthcare sector, the defence industry, and the media and transport sectors |
| Affiliation | Russian military intelligence (GRU) | Russian Foreign Intelligence Service (SVR) | Russian Federal Security Service (FSB) | Unknown |
| Activity | Multiple intelligence campaigns against logistics and transport companies in Western countries supporting Ukraine in recent years | Continued intelligence campaigns against European diplomatic institutions using phishing emails containing malware | Intelligence campaigns against European diplomatic foreign services in the past year | Most recently linked to a cyber espionage incident targeting the Dutch police, during which the group gained unauthorised access to internal contact details |
Steps towards autonomous malware
Rapid advances in artificial intelligence (AI) and large language models (LLMs) in recent years have created new opportunities to automate and streamline everyday work tasks, but these technologies have also been widely applied to cybercrime.
They have enabled the automation and acceleration of the preparatory stages of cyberattacks, such as crafting phishing messages, profiling targets, and tailoring attack scenarios to specific contexts and victims.
Among state-backed Russian threat actors, APT28, also known as Fancy Bear, is among the most notable users of these capabilities. This group, linked to Russian military intelligence, used its own custom malware in cyberattacks in 2025. The malware became known as LAMEHUG within the cybersecurity community.
According to several researchers, LAMEHUG represents the first publicly documented case of malware that directly uses an LLM in an attack operation. During an intrusion, LAMEHUG employs an LLM to generate specific malicious system commands and scripts, which the malware then executes on the infected system.
These commands are used, among other things, to collect system information, search for user files, and aggregate and exfiltrate the collected data to the attacker. Unlike traditional malware, LAMEHUG does not rely on static code. Instead, it can appear in different forms and variations during an operation, leaving fewer recurring patterns and making detection by traditional antivirus and signature-based solutions more difficult.
LAMEHUG is not yet fully autonomous, decision-making AI-driven malware, but it illustrates how attackers use language models to apply existing attack tactics more flexibly and efficiently. These, however, are only the first steps.
In the coming years, we are likely to see more autonomous malware capable of independently adapting its behaviour to the compromised system and deployed defences. Such developments would represent a qualitative leap in malware evolution and pose a significant challenge to existing detection and protection mechanisms.
Last updated: 11.02.2026