{
	"id": "b6aadac9-ecf4-4df9-8afd-36fdcb2d7ddc",
	"created_at": "2026-04-06T00:11:30.435146Z",
	"updated_at": "2026-04-10T03:30:21.355369Z",
	"deleted_at": null,
	"sha1_hash": "74583be37a759b0554a52e187ec43578636324b8",
	"title": "Winter Vivern Uses Zimbra Vulnerability to Target NATO Email | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4182401,
	"plain_text": "Winter Vivern Uses Zimbra Vulnerability to Target NATO Email | Proofpoint US\r\nBy Michael Raggi and the Proofpoint Threat Research Team, March 30, 2023\r\nPublished: 2023-03-29 · Archived: 2026-04-05 13:01:25 UTC\r\nKey Takeaways\r\nProofpoint has observed recent espionage-related activity by TA473, including yet-to-be-reported instances of TA473 targeting US elected officials and staffers. TA473 is a newly minted Proofpoint threat actor that aligns with public reporting on Winter Vivern.\r\nSince at least February 2023, TA473 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe.\r\nTA473 reconnoiters and reverse engineers bespoke JavaScript payloads designed for each government target's webmail portal.\r\nProofpoint concurs with SentinelOne's analysis that TA473 targeting superficially aligns with support of Russian and/or Belarusian geopolitical goals as they pertain to the Russia-Ukraine War.\r\nOverview\r\nResearchers have observed TA473, a newly minted advanced persistent threat (APT) actor tracked by Proofpoint, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra-hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukraine War. The group uses scanning tools like Acunetix to identify unpatched webmail portals belonging to these organizations, and thereby viable methods for targeting victims. Following this initial scanning reconnaissance, the threat actors deliver phishing emails purporting to link to relevant benign government resources; the links in the body of the email are hyperlinked with malicious URLs that abuse a known vulnerability to execute JavaScript payloads within the victim's webmail portal. 
Further, the threat actors appear to invest significant time studying each webmail portal instance belonging to their targets, as well as writing bespoke JavaScript payloads to conduct cross-site request forgery (CSRF). These labor-intensive customized payloads allow the actors to steal usernames and passwords and to store active session and CSRF tokens from cookies, facilitating login to publicly facing webmail portals belonging to NATO-aligned organizations.\r\nProofpoint researchers recently promoted TA473 to a publicly tracked threat actor. Known in open-source research as Winter Vivern, this activity cluster has been tracked by Proofpoint since at least 2021.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability\r\nPage 1 of 10\r\nWho is TA473?\r\nTA473 is publicly referred to as Winter Vivern and UAC-0114 by security vendors like DomainTools, Lab52, SentinelOne, and the Ukrainian CERT. This threat actor has historically leveraged phishing campaigns to deliver both PowerShell and JavaScript payloads, and also conducts recurring credential harvesting campaigns using phishing emails. Since 2021, Proofpoint has observed a concerted focus on European government, military, and diplomatic entities in active phishing campaigns. However, in late 2022, Proofpoint researchers also observed phishing campaigns that targeted elected officials and staffers in the United States. Since the onset of the Russia-Ukraine War, researchers have observed commonalities among observed targets, social engineering lures, and impersonated individuals. Often the targeted individuals are experts in facets of European politics or economics as they pertain to regions impacted by the ongoing conflict. 
Social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict.\r\nWhat Does a TA473 Phishing Campaign Look Like?\r\nProofpoint has observed an evolution of TA473 phishing campaigns since 2021. This threat actor has been observed employing opportunistic exploits to target its victims, including popular 1-day vulnerabilities like the CVE-2022-30190 (“Follina”) exploit disclosed in May 2022. Most commonly, however, this threat actor leverages a recurring set of phishing techniques in every email campaign. The phishing tactics below have consistently been observed across both US and European targets, and across credential harvesting, malware delivery, and cross-site request forgery (CSRF) campaigns.\r\n1. TA473 sends emails from compromised email addresses. Often these emails originate from WordPress-hosted domains that may be unpatched or insecure at the time of compromise.\r\n2. TA473 spoofs the From field of the email to appear as a user at the targeted organization, or spoofs the From field to appear as a relevant peer organization involved in global politics.\r\n3. TA473 includes a benign URL from either the targeted organization or a relevant peer organization in the body of the email.\r\n4. TA473 then hyperlinks this benign, recognized URL to actor-controlled or compromised infrastructure to deliver a first-stage payload or to redirect to a credential harvesting landing page.\r\n5. TA473 often uses structured URI paths that include a hashed value for the targeted individual, an unencoded indication of the targeted organization, and in some cases encoded or plaintext versions of the benign URL that was hyperlinked in the initial email to targets.\r\nFigure 1. 
TA473 email including hyperlinked URL redirecting to a malicious actor-controlled resource.\r\nExploitation of Disclosed Zimbra Vulnerability to Target Public Facing Webmail Portals\r\nBeginning in early 2023, Proofpoint observed a trend of TA473 phishing campaigns targeting European government entities that take advantage of CVE-2022-27926. This vulnerability impacts Zimbra Collaboration (previously “the Zimbra Collaboration Suite”) version 9.0.0, which is used to host publicly facing webmail portals. The vulnerability is described as a “reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 (which) allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.”\r\nIn practice, TA473 hyperlinks a benign URL in the body of a phishing email with a URL that leverages CVE-2022-27926. The malicious URL uses the webmail domain that hosts a vulnerable Zimbra Collaboration Suite instance and appends an arbitrary hexadecimal-encoded or plaintext JavaScript snippet, which is executed from an error parameter when the initial web request is received. The JavaScript, once decoded, results in the download of a next-stage bespoke JavaScript payload that conducts CSRF to capture usernames, passwords, and CSRF tokens from the user.\r\nFigure 2. TA473 CSRF infection diagram.\r\nResearchers note that the exploitation of this vulnerability is very similar in practice to the exploitation of CVE-2021-35207, which impacts a wider cross-section of Zimbra Collaboration versions and specifically involves adding executable JavaScript to the loginErrorCode parameter of a webmail login URL. However, it is believed that this exploitation is distinct and limited to CVE-2022-27926. 
The following variations of TA473 leveraging CVE-2022-27926 have been observed:\r\n1. URL with hexadecimal-encoded JavaScript values\r\nFigure 3. CyberChef-decoded hexadecimal JavaScript.\r\n2. URL with plaintext JavaScript values\r\nCustomized Cross-Site Request Forgery\r\nProofpoint researchers have identified several instances of what appear to be customized CSRF JavaScript payloads, delivered both through the above-mentioned CVE-2022-27926 exploitation and through earlier delivery mechanisms, such as delivery from TA473-controlled infrastructure reached via the hyperlinked benign URLs in the body of the phishing email. These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that reveal the username, password, and CSRF token of targets. In some instances, researchers observed TA473 specifically targeting Roundcube webmail request tokens as well. This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts prior to delivering phishing emails to organizations.\r\nThese next-stage TA473 CSRF JavaScript payloads also use several layers of Base64 encoding to obfuscate the functionality of the JavaScript. The actor inserts three nested instances of Base64-encoded JavaScript to complicate analysis of these delivered payloads. However, decoding the script is trivial and reveals the intended malicious functionality.\r\nFigure 4. 
Base64-encoded CSRF JavaScript payload (excerpted for length).\r\nEach identified malicious JavaScript payload heavily incorporates the legitimate JavaScript that executes in the native webmail portal. So as not to identify the specific European governmental organizations impacted by these campaigns, Proofpoint researchers have focused on the high-level functionality of the scripts, and specifically on the portions inserted by TA473 to achieve cross-site request forgery. Researchers observed a malicious JavaScript delivered in February 2023 with the following capabilities:\r\n1. Steals usernames\r\n2. Steals the user's password\r\n3. Steals an active CSRF token from a cookie in the web request response\r\n4. Caches the stolen values to the actor-controlled server\r\n5. Attempts login to the legitimate mail portal with active tokens\r\n6. The script uses the following additional URLs in its functionality:\r\n   1. Displays POP3 and IMAP instructions hosted on an actor-controlled server\r\n   2. Attempts logins to the legitimate webmail portal via the native URL\r\nAn extended sequence of the observed script's actions is as follows:\r\n1. Establishes the malicious server domain for the cache of stolen user values\r\n2. References a targeted account name\r\n3. Gets the date and time\r\n4. Gets account name variables\r\n5. Sets a timeout window of 1000s\r\n6. Defines a function to send credentials \"on click\":\r\n   1. Sends the username and password in URI-encoded form\r\n   2. If the password fails with a length of 0 (i.e., no password), the script prompts the user with: \"The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password.\"; return;\"\r\n   3. The script then logs the username, the password, and the CSRF token from the web request response.\r\n7. 
The JavaScript again attempts to identify an unsuccessful login, displays an actor-populated error message, and posts the logged CSRF token to the legitimate webmail server (login attempt):\r\n   1. If that attempt fails, the script again attempts to post to the targeted server, fetches the element with ID \"lic34yo8o\", and removes this element tagged \"body\" in the response\r\n   2. It then again attempts to save the “accountname” variable, username variable, and password variable.\r\n8. The script attempts to log in to the legitimate webmail portal using custom hardcoded URI structures that appear to be unique to the targeted domain, appending the previously captured username, password, and CSRF token to those URI structures.\r\n9. The script also has a function to log in with stolen credential and token content.\r\n10. The script has a function to show a Zimbra POP3 and IMAP login information page hosted on actor-controlled infrastructure.\r\n11. The script has a function to show the legitimate webmail portal login window.\r\n12. The script has a function named \"initLoginField\" which appears to input the username and account name into the legitimate webmail login window.\r\n13. The script has a function to log off of the mail server and attempt to retrieve the CSRF token at logout, which is then sent to an actor-controlled server.\r\n14. The script has a function to retrieve the CSRF token.\r\n15. The script has a function to get the CSRF token from a string using the DOMParser function, which parses the element from the JavaScript request response document.\r\nFigure 5. 
CSRF JavaScript snippet detailing methods of stealing the CSRF token.\r\nAdvanced Capabilities May be Ideal, but When in Doubt, Persistence is Key\r\nTA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success. The group's focus on sustained reconnaissance and painstaking study of publicly exposed webmail portals, in order to reverse engineer JavaScript capable of stealing usernames, passwords, and CSRF tokens, demonstrates its investment in compromising specific targets, in this case the European government sector. Rather than developing a one-size-fits-all approach to tools and payloads, TA473 invests time and resources to compromise specific entities, with each JavaScript payload being custom-built for the targeted webmail portal.\r\nProofpoint researchers strongly recommend patching all versions of Zimbra Collaboration used in publicly facing webmail portals, especially among European government entities. Additionally, restricting resources on publicly facing webmail portals from the public internet is highly recommended to prevent groups like TA473 from reconnoitering and engineering custom scripts capable of stealing credentials and logging in to users' webmail accounts. While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, they demonstrate focus, persistence, and a repeatable process for compromising geopolitically exposed targets. 
Like a Vivern in medieval winter, despite having only two legs and a pair of wings, this is likely a threat that will persist year-round.\r\nIndicators of Compromise (IOCs)\r\nThe indicators fall into three types: observed payload delivery URLs, C2 domains, and ET signatures.\r\nET Signatures\r\n2034117 – ET TROJAN Wintervivern Activity M5 (GET)\r\n2034116 – ET TROJAN Wintervivern Activity M4 (GET)\r\n2034115 – ET TROJAN Wintervivern Retrieving Commands\r\n2034109 – ET TROJAN Wintervivern Activity (GET) M3\r\n2034108 – ET TROJAN Wintervivern Checkin\r\n2034107 – ET TROJAN Wintervivern Retrieving Task\r\n2034106 – ET TROJAN Wintervivern Activity M2 (GET)\r\n2034105 – ET TROJAN Wintervivern Activity (GET)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability"
	],
	"report_names": [
		"exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434290,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74583be37a759b0554a52e187ec43578636324b8.pdf",
		"text": "https://archive.orkl.eu/74583be37a759b0554a52e187ec43578636324b8.txt",
		"img": "https://archive.orkl.eu/74583be37a759b0554a52e187ec43578636324b8.jpg"
	}
}