{
	"id": "b2bd9408-55a9-4b20-97e2-c2bf14471748",
	"created_at": "2026-04-06T01:28:52.820625Z",
	"updated_at": "2026-04-10T13:12:53.057223Z",
	"deleted_at": null,
	"sha1_hash": "f49eb01c824720de627ae5390b11cb49bd24d9d9",
	"title": "CERT-UA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2007057,
	"plain_text": "CERT-UA\r\nArchived: 2026-04-06 00:24:22 UTC\r\nBackground\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) detected a web page which mimics the website of the Ministry of Foreign Affairs of Ukraine and lures the user into downloading software for \"scanning infected PCs on viruses\".\r\nIf the user follows the link, the BAT file \"Protector.bat\" is served to the victim's PC. Using powershell.exe, the BAT file downloads and executes several PowerShell scripts, one of which recursively scans the Desktop folder for files with the following extensions: .edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, .rdg, aft; it also takes screenshots and exfiltrates the collected data over HTTP. Scheduled Tasks are created for persistence.\r\nIn cooperation with CERT Polska and CSIRT MON (Republic of Poland), we detected several more phishing websites mimicking web pages of the Security Service of Ukraine and the Polish Police. In addition, it should be noted that a similar fraudulent web page impersonating the mail portal of the Ministry of Defense of Ukraine was spotted back in June 2022.\r\nWe track this activity as UAC-0114, aka Winter Vivern. The group uses typical TTPs (e.g., the \"scanning software\" theme and known PowerShell scripts). It is highly likely that Russian-speaking actors are among the group's members, because one of the previous samples (MD5: 3acfb7c694b259158fe042fd3392b0d1) contains the PDB path \"C:\\Users\\user_1\\source\\repos\\Aperitivchick\\Release\\SystemProtector.pdb\" with the purely Russian wording \"Aperitivchick\".\r\nIndicators of compromise\r\nFiles:\r\nHost-based:\r\nhttps://cert.gov.ua/article/3761104\r\nPage 1 of 3\r\n%APPDATA%\\XmlSchemaMicrosoftXsd.xml\r\n%APPDATA%\\XmlSchemaMicrosoftXsdO.xml\r\n%PUBLIC%\\MicrosoftUpdateClient\\\r\n%PUBLIC%\\MicrosoftUpdateClient\\Microsoft_update_tool_%NUM%.dat\r\npowershell.exe -c \"Start-Process -win hidden -filepath 'powershell.exe' -argumentlist \"\"`$a=whoami;\"\r\nClient_Update_Microsofts-{ITCUNTH-9D12-4RE1-8BWD-6HFI2D4FNI1I2}\r\nNetwork-based:\r\nImages\r\nSource: https://cert.gov.ua/article/3761104",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cert.gov.ua/article/3761104"
	],
	"report_names": [
		"3761104"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438932,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f49eb01c824720de627ae5390b11cb49bd24d9d9.pdf",
		"text": "https://archive.orkl.eu/f49eb01c824720de627ae5390b11cb49bd24d9d9.txt",
		"img": "https://archive.orkl.eu/f49eb01c824720de627ae5390b11cb49bd24d9d9.jpg"
	}
}