Winter Vivern
Also known as: TA473 · UAC-0114
Overview
Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, that targets various European government and NGO entities, with sporadic targeting of Indian and US victims. The group combines document-based phishing and server-side exploitation for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control.
Regions
Germany
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 27 techniques across 9 tactics
Reconnaissance
- T1595.002 Vulnerability Scanning
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1584.006 Web Services
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1566.001 Spearphishing Attachment
Execution
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.007 JavaScript
- T1204.001 Malicious Link
Stealth
- T1036 Masquerading
- T1036.004 Masquerade Task or Service
- T1140 Deobfuscate/Decode Files or Information
Discovery
Collection
- T1056.003 Web Portal Capture
- T1113 Screen Capture
- T1114.001 Local Email Collection
- T1119 Automated Collection
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Exfiltration
- T1020 Automated Exfiltration
- T1041 Exfiltration Over C2 Channel
Reporting (3)
- Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers — Matthieu Faou
- Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe — Michael Raggi & The Proofpoint Threat Research Team
- Winter Vivern | Uncovering a Wave of Global Espionage — Tom Hegel