Threat Actor Profile
High APT
Description

Winter Vivern is a group linked to Russian and Belorussian interests, active since at least 2020 and targeting various European government and NGO entities, with sporadic targeting of Indian and US victims. The group combines document-based phishing and server-side exploitation for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control. (Citation: DomainTools WinterVivern 2021) (Citation: SentinelOne WinterVivern 2023) (Citation: CERT-UA WinterVivern 2023) (Citation: ESET WinterVivern 2023) (Citation: Proofpoint WinterVivern 2023)

Confidence Score
90%
Known Aliases
Winter Vivern, TA473, UAC-0114
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (27)
T1056.003 - Web Portal Capture (Collection)
T1113 - Screen Capture (Collection)
T1114.001 - Local Email Collection (Collection)
T1119 - Automated Collection (Collection)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1036 - Masquerading (Defense Evasion)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1033 - System Owner/User Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059 - Command and Scripting Interpreter (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.007 - JavaScript (Execution)
T1204.001 - Malicious Link (Execution)
T1020 - Automated Exfiltration (Exfiltration)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1189 - Drive-by Compromise (Initial Access)
T1190 - Exploit Public-Facing Application (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1595.002 - Vulnerability Scanning (Reconnaissance)
T1583.001 - Domains (Resource Development)
T1583.003 - Virtual Private Server (Resource Development)
T1584.006 - Web Services (Resource Development)
STIX Data
{
  "aliases": ["Winter Vivern", "TA473", "UAC-0114"],
  "created": "2024-07-29T22:23:03.779Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint WinterVivern 2023)",
  "external_references": [
    {
      "external_id": "G1035",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G1035"
    },
    {
      "description": "(Citation: CERT-UA WinterVivern 2023)",
      "source_name": "UAC-0114"
    },
    {
      "description": "(Citation: Proofpoint WinterVivern 2023)",
      "source_name": "TA473"
    },
    {
      "description": "CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.",
      "source_name": "CERT-UA WinterVivern 2023",
      "url": "https://cert.gov.ua/article/3761104"
    },
    {
      "description": "Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.",
      "source_name": "DomainTools WinterVivern 2021",
      "url": "https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/"
    },
    {
      "description": "Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.",
      "source_name": "ESET WinterVivern 2023",
      "url": "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
    },
    {
      "description": "Michael Raggi & The Proofpoint Threat Research Team. (2023, March 30). Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe. Retrieved July 29, 2024.",
      "source_name": "Proofpoint WinterVivern 2023",
      "url": "https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability"
    },
    {
      "description": "Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.",
      "source_name": "SentinelOne WinterVivern 2023",
      "url": "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
    }
  ],
  "id": "intrusion-set--75a07184-a7e5-4222-95a1-a04dbc96a29c",
  "modified": "2024-10-10T14:33:40.986Z",
  "name": "Winter Vivern",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Onur Atali"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}