{
	"id": "b91f3cb0-d4d0-4117-a504-bcddbb3e5b4c",
	"created_at": "2026-04-06T00:22:06.98764Z",
	"updated_at": "2026-04-10T03:30:30.477757Z",
	"deleted_at": null,
	"sha1_hash": "11bbeb4a8ba3ca8ff6f0a6d58147db1b8b233908",
	"title": "UAC-0114 Group aka Winter Vivern Attack Detection: Hackers Launch Phishing Campaigns Targeting Government Entities of Ukraine and Poland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247216,
	"plain_text": "UAC-0114 Group aka Winter Vivern Attack Detection: Hackers Launch Phishing Campaigns Targeting Government Entities of Ukraine and Poland\r\nBy Veronika Zahorulko\r\nPublished: 2023-02-03 · Archived: 2026-04-02 12:03:27 UTC\r\nSince the outbreak of the global cyber war, state bodies of Ukraine and its allies have become targets of diverse malicious campaigns launched by multiple hacking collectives. Threat actors frequently leverage phishing attack vectors to perform their adversary campaigns, as in the December 2022 cyber attacks distributing DolphinCape and FateGrab/StealDeal malware.\r\nOn February 1, 2023, CERT-UA cybersecurity researchers issued a new alert, CERT-UA#5909, in which they drew the defenders’ attention to a fake webpage prompting targeted users to download software disguised as virus-scanning utilities. Hackers apply this fraudulent web page, which impersonates an official web resource of the Ministry of Foreign Affairs of Ukraine, as a lure to spread malware on the compromised systems. The hacking collective behind these attacks might include russia-linked cybercriminals.\r\nUAC-0114/Winter Vivern Activity: Analysis of the Latest Campaign Targeting State Bodies\r\nHard on the heels of yet another malicious campaign by the notorious russia-backed Sandworm APT group (aka UAC-0082), Ukrainian state bodies are again under phishing attacks along with the government organizations of the Republic of Poland.\r\nThe latest CERT-UA#5909 alert details the ongoing malicious campaign targeting Ukrainian and Polish government organizations. In this cyber attack, hackers take advantage of a fake web page masquerading as the official web resource of the Ukrainian state bodies to lure victims into downloading malicious software.\r\nThe infection chain starts by following a lure link to the fake virus-scanning software, which results in downloading the malicious “Protector.bat” file. 
The latter launches a set of PowerShell scripts, one of which recursively searches the Desktop folder for files with specific extensions, including .edb, .ems, .eme, .emz, .key, etc. The same script can also capture screenshots and exfiltrate the collected data over HTTP. Adversaries also establish persistence through scheduled tasks, which complicates attack detection.\r\nCooperation with CERT Polska and CSIRT MON enabled cyber defenders to uncover similar phishing web resources impersonating official web pages of Ukrainian and Polish government entities, including the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine (SBU), and the Polish Police. Notably, in June 2022, a similar phishing web page masqueraded as the UI of the mail service of the Ministry of Defence of Ukraine.\r\nhttps://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/\r\nPage 1 of 3\n\nThe malicious activity is being tracked as UAC-0114 and attributed to the Winter Vivern hacking collective. The adversary TTPs leveraged in these phishing campaigns are quite common, including the use of PowerShell scripts and an email subject lure related to malware scanning. It is also highly likely that the group includes russian-speaking members, since one of the malware samples used, the APERETIF software, contains a line of code characteristic of russia-affiliated threat actors.\r\nDetecting the Malicious Activity of UAC-0114 Covered in the CERT-UA#5909 Alert\r\nSOC Prime stays on the frontline helping Ukraine and its allies proactively defend against russia-affiliated malicious activity. 
SOC Prime’s Detection as Code platform curates a batch of Sigma rules to help teams promptly identify malware related to the recent phishing campaign by the UAC-0114 group covered in the dedicated CERT-UA#5909 alert. All detections are aligned with the MITRE ATT\u0026CK® framework v12 and are compatible with industry-leading SIEM, EDR, and XDR technologies.\r\nClick the Explore Detections button for access to the full list of Sigma rules detecting TTPs typical of the UAC-0114 group behind the phishing attacks against Ukraine and Poland. For streamlined content search, all detection content is tagged with the custom tags “CERT-UA#5909” and “UAC-0114”, matching the CERT-UA alert and group identifiers. Security engineers can also drill down into relevant cyber threat context, including ATT\u0026CK and CTI references, mitigations, and operational metadata, to facilitate their threat research.\r\nTo make the most of IOC-based threat hunting and shave seconds off ad-hoc manual tasks, security engineers can instantly generate IOC queries associated with the ongoing attacks by UAC-0114 threat actors via Uncoder CTI. Paste file, host, or network IOCs from the CERT-UA#5909 alert, build custom IOC queries on the fly, and search for related threats in your selected SIEM or XDR environment. 
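As an added example that is not SOC Prime's or CERT-UA's code, the Python below models the behaviour chain described in the alert summary above (a .bat file spawning PowerShell, a recursive Desktop sweep for the listed extensions, and schtasks-based persistence) as three small rules in the spirit of a Sigma process_creation detection, and runs them over constructed Sysmon-style events. The event field names, host names, script file names and forward-slash paths are assumptions made to keep the sample self-contained; they are not indicators from the alert.

```python
# Added example (not SOC Prime's or CERT-UA's code): rule logic modelling the
# UAC-0114 infection chain, run over constructed Sysmon-style process events.
from dataclasses import dataclass

# Extensions the CERT-UA#5909 alert says the PowerShell script hunts for on the Desktop.
TARGET_EXTENSIONS = ('.edb', '.ems', '.eme', '.emz', '.key')


@dataclass
class ProcessEvent:
    # Minimal subset of Sysmon Event ID 1 (process creation); field names are assumed.
    host: str
    image: str                  # file name of the created process
    command_line: str
    parent_image: str
    parent_command_line: str = ''


def batch_spawned_powershell(ev):
    # Rule 1: PowerShell started by cmd.exe that is interpreting a .bat file
    # (the Protector.bat stage described in the alert).
    return (ev.image.lower().endswith('powershell.exe')
            and ev.parent_image.lower().endswith('cmd.exe')
            and '.bat' in ev.parent_command_line.lower())


def desktop_extension_sweep(ev):
    # Rule 2: PowerShell recursively enumerating the Desktop for the targeted extensions.
    if not ev.image.lower().endswith('powershell.exe'):
        return False
    cl = ev.command_line.lower()
    if 'desktop' not in cl or '-recurse' not in cl:
        return False
    return any(ext in cl for ext in TARGET_EXTENSIONS)


def scheduled_task_persistence(ev):
    # Rule 3: schtasks.exe creating a task with PowerShell as its parent.
    # A plain cmd.exe parent is deliberately not matched: admins create tasks that way.
    return (ev.image.lower().endswith('schtasks.exe')
            and ev.parent_image.lower().endswith('powershell.exe')
            and '/create' in ev.command_line.lower())


RULES = {
    'uac0114_bat_spawns_powershell': batch_spawned_powershell,
    'uac0114_desktop_extension_sweep': desktop_extension_sweep,
    'uac0114_schtasks_persistence': scheduled_task_persistence,
}


def evaluate(events):
    # Return one (rule_name, host, image) tuple per matching rule and event.
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.host, ev.image))
    return hits


# Constructed telemetry: benign noise on WS-02 around one infected host, WS-01.
# Host names, script names and paths are placeholders; paths use forward slashes
# only to keep this sample free of escape sequences.
SAMPLE_EVENTS = [
    ProcessEvent('WS-02', 'powershell.exe', 'powershell.exe', 'explorer.exe'),
    ProcessEvent('WS-01', 'powershell.exe',
                 'powershell.exe -ExecutionPolicy Bypass -File stage1.ps1',
                 'cmd.exe', 'cmd.exe /c C:/Users/victim/Downloads/Protector.bat'),
    ProcessEvent('WS-01', 'powershell.exe',
                 'powershell.exe -NoProfile -Command Get-ChildItem -Path '
                 '$env:USERPROFILE/Desktop -Recurse -Include *.edb,*.ems,*.eme,*.emz,*.key',
                 'powershell.exe', 'powershell.exe -ExecutionPolicy Bypass -File stage1.ps1'),
    ProcessEvent('WS-01', 'schtasks.exe',
                 'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr stage2.ps1',
                 'powershell.exe'),
    ProcessEvent('WS-02', 'schtasks.exe',
                 'schtasks.exe /create /sc daily /tn Backup /tr backup.cmd', 'cmd.exe'),
    ProcessEvent('WS-02', 'powershell.exe',
                 'powershell.exe Get-ChildItem -Path C:/Users/admin/Documents -Recurse -Filter *.docx',
                 'explorer.exe'),
]


if __name__ == '__main__':
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone, the script reports exactly three hits, all on WS-01, one per stage of the chain; the benign schtasks and Get-ChildItem activity on WS-02 is left alone because each rule keys on the parent process or on the Desktop-plus-extension combination rather than on the binary name alone. In a real Sigma rule the same selections would live under a process_creation logsource with ParentImage, ParentCommandLine and CommandLine conditions, and the cmd.exe-parent exclusion on the scheduled-task rule is the sort of false-positive control worth keeping when the rule is tuned for a specific environment.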
\r\nMITRE ATT\u0026CK Context\r\nFor in-depth context behind the latest phishing campaign by the UAC-0114 aka Winter Vivern group, all dedicated Sigma rules are mapped to ATT\u0026CK, addressing the relevant tactics and techniques:\r\nSource: https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/"
	],
	"report_names": [
		"uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434926,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11bbeb4a8ba3ca8ff6f0a6d58147db1b8b233908.pdf",
		"text": "https://archive.orkl.eu/11bbeb4a8ba3ca8ff6f0a6d58147db1b8b233908.txt",
		"img": "https://archive.orkl.eu/11bbeb4a8ba3ca8ff6f0a6d58147db1b8b233908.jpg"
	}
}