{
	"id": "b9f902d8-7a3b-4151-9e3b-cdbd32e9676a",
	"created_at": "2026-04-06T00:07:41.86708Z",
	"updated_at": "2026-04-10T13:12:45.593814Z",
	"deleted_at": null,
	"sha1_hash": "e79798c3e2ae36157592b4ddf8b5741a660e7896",
	"title": "Winter Vivern - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57376,
	"plain_text": "Winter Vivern - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:48:10 UTC\r\nAPT group: Winter Vivern\r\nNames:\r\nWinter Vivern (SentinelLabs)\r\nUAC-0114 (CERT-UA)\r\nTA473 (Proofpoint)\r\nUNC4907 (Mandiant)\r\nTAG-70 (Recorded Future)\r\nCountry: [Unknown]\r\nMotivation: Information theft and espionage\r\nFirst seen: 2020\r\nDescription:\r\n(SentinelLabs) The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy\r\nyet relatively underreported group that operates with pro-Russian objectives.\r\nDomainTools initially publicized the group in early 2021, naming it based on an\r\ninitial command-and-control beacon URL string “wintervivern,” which is no longer\r\nin use. Subsequently, Lab52 shared additional analysis several months later,\r\nidentifying new activity associated with Winter Vivern.\r\nThe group has avoided public disclosure since then, until recent attacks targeting\r\nUkraine. A part of a Winter Vivern campaign was reported in recent weeks by the\r\nPolish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA\r\nand the CBZC collaborated on the release of private technical details which assisted\r\nin our research to identify a wider set of activity on the threat actor, in addition to\r\nnew victims and previously unknown specific technical details. Overall, we find that\r\nthe Winter Vivern APT is a resource-limited but highly creative group that shows\r\nrestraint in the scope of their attacks. 
Our analysis indicates that Winter Vivern\r\nactivity aligns closely with global objectives that support the interests of Belarus and\r\nRussia’s governments.\r\nAlso see MoustachedBouncer.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b427e8e-151d-4f6e-9b4f-89cbb92e82bd\n\nObserved\nSectors: Defense, Government.\nCountries: Georgia, India, Lithuania, Moldova, Poland, Slovakia, Tunisia, Ukraine,\nUSA, Uzbekistan and Europe.\nTools used: APERETIF.\nOperations performed\nEarly 2023: Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe\nJul 2023: Zimbra 0-day used to target international government organizations\nOct 2023: Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers\nOct 2023: Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign\nInformation\nLast change to this card: 07 March 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b427e8e-151d-4f6e-9b4f-89cbb92e82bd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b427e8e-151d-4f6e-9b4f-89cbb92e82bd"
	],
	"report_names": [
		"showcard.cgi?u=7b427e8e-151d-4f6e-9b4f-89cbb92e82bd"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821cb2ce-472c-438f-943d-19cf23204d9a",
			"created_at": "2023-11-01T02:01:06.683709Z",
			"updated_at": "2026-04-10T02:00:05.39433Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [
				"MoustachedBouncer"
			],
			"source_name": "MITRE:MoustachedBouncer",
			"tools": [
				"SharpDisco"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d9d90f3-001e-4adc-8a77-8f93b5d02b01",
			"created_at": "2023-09-07T02:02:47.575324Z",
			"updated_at": "2026-04-10T02:00:04.770856Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "ETDA:MoustachedBouncer",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e74afe0-92c3-4fca-93a4-d8e51180e105",
			"created_at": "2023-08-11T02:00:11.229735Z",
			"updated_at": "2026-04-10T02:00:03.37095Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "MISPGALAXY:MoustachedBouncer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e79798c3e2ae36157592b4ddf8b5741a660e7896.pdf",
		"text": "https://archive.orkl.eu/e79798c3e2ae36157592b4ddf8b5741a660e7896.txt",
		"img": "https://archive.orkl.eu/e79798c3e2ae36157592b4ddf8b5741a660e7896.jpg"
	}
}