Winter Vivern

aka: TA-473, TA473, TAG-70, UAC-0114

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.

Associated Families

2024-02-17 · Recorded Future · Insikt Group
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
Unidentified JS 006 (Winter Wyvern)
2023-10-25 · ESET Research · Matthieu Faou
Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
Unidentified JS 006 (Winter Wyvern) Winter Vivern
2023-03-30 · Proofpoint · Michael Raggi, Proofpoint Threat Insight Team
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
Winter Vivern
2023-03-16 · SentinelOne · Tom Hegel
Winter Vivern | Uncovering a Wave of Global Espionage
APERETIF Winter Vivern
2023-02-03 · SOC Prime · Veronika Telychko
UAC-0114 Group aka Winter Vivern Attack Detection: Hackers Launch Phishing Campaigns Targeting Government Entities of Ukraine and Poland
Winter Vivern
2021-04-27 · DomainTools · Chad Anderson
Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages
Winter Vivern

Credits: MISP Project