Winter Vivern
Aliases: TA473, UAC-0114
Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, that targets various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group combines document-based phishing and server-side exploitation for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control.
ATT&CK techniques
T1059: Command and Scripting Interpreter
T1071.001: Web Protocols
T1056.003: Web Portal Capture
T1033: System Owner/User Discovery
T1583.003: Virtual Private Server
T1059.007: JavaScript
T1566.001: Spearphishing Attachment
T1036.004: Masquerade Task or Service
T1113: Screen Capture
T1189: Drive-by Compromise
T1119: Automated Collection
T1140: Deobfuscate/Decode Files or Information
T1020: Automated Exfiltration
T1105: Ingress Tool Transfer
T1190: Exploit Public-Facing Application
T1595.002: Vulnerability Scanning
T1041: Exfiltration Over C2 Channel
T1053.005: Scheduled Task
T1584.006: Web Services
T1036: Masquerading
T1583.001: Domains
T1082: System Information Discovery
T1059.003: Windows Command Shell
T1204.001: Malicious Link
T1083: File and Directory Discovery
T1114.001: Local Email Collection
T1059.001: PowerShell