
Threat Actor Characterization

Winter Vivern

ID: 4e4a8e84c070ecdcd3fddcfd2c665fb825434
Labels: Cybercrime, Phishing Operator, State-Sponsored
Threat types: Espionage, Phishing, Intrusion
Suspected origin: Russia. Operation zone (ISO codes): IND, POL, UKR, USA
Updated: 2026-01-26
Created: 2025-10-22
Progress: 61% | Completeness: 57% | Freshness: 70%
Operation zone: India, Poland, Ukraine, United States
Aliases: TA473, UAC-0114
MITRE ATT&CK®

Winter Vivern (TA473/UAC-0114) — government-focused espionage actor active since at least 2020 that blends spearphishing/maldocs with server-side exploitation of Roundcube and Zimbra webmail platforms, followed by scripted collection and HTTP(S) exfiltration.


Technique | Technique name | Tactic | Evidence

T1566.001 Spearphishing Attachment (TA0001 Initial Access)
  • 2021–2023 — Proofpoint describes recurring spearphishing attachments and lures used by TA473/Winter Vivern.
  • 2021-04-27 — DomainTools analyzes re-crafted governmental maldocs attributed to Winter Vivern.

T1190 Exploit Public-Facing Application (TA0001 Initial Access)
  • 2023-10-11 — ESET observed exploitation of a Roundcube stored-XSS zero-day (CVE-2023-5631) against European government webmail.
  • 2023-03-30 — Proofpoint details exploitation of Zimbra CVE-2022-27926 to steal NATO-related webmail credentials and data.

T1059.001 PowerShell (TA0002 Execution)
  • 2024-10-10 — MITRE G1035 notes PowerShell-based post-exploitation in Winter Vivern operations.

T1119 Automated Collection (TA0009 Collection)
  • 2024-10-10 — MITRE technique page: Winter Vivern delivered a PowerShell script to recursively scan for files before exfiltration.

T1041 Exfiltration Over C2 Channel (TA0010 Exfiltration)
  • 2024-10-10 — MITRE exfiltration technique: Winter Vivern exfiltrated identified files via HTTP to adversary infrastructure.
Strategic Intelligence
Last updated: 2025-10-23T04:30:40+00:00
Winter Vivern — Regional Government-Focused Espionage

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Winter Vivern is an espionage actor active since at least 2020, linked in open sources to Russian/Belarusian interests and consistently targeting European government and diplomatic entities, with episodic activity against Indian and U.S. targets. The group blends phishing/maldocs with server-side exploitation of webmail platforms (notably Roundcube and Zimbra) to steal credentials and emails, followed by lightweight post-exploitation using scripts and web-centric C2. Notable operations include exploitation of a Roundcube stored-XSS zero-day (CVE-2023-5631) in October 2023 against European government webmail servers, and 2023 campaigns abusing a Zimbra 1-day (CVE-2022-27926) against NATO-aligned interests. Capability: medium but highly effective against soft webmail perimeters; OPSEC: adequate; Confidence: high on TTPs/targeting; medium on state nexus.


Open sources characterize Winter Vivern as aligned with Russian/Belarusian strategic interests, prioritizing government ministries, foreign affairs bodies, and diplomatic staff. The actor’s tradecraft favors low-cost, reliable entry via webmail exploitation and credential phishing, consistent with sustained intelligence collection rather than effects operations. INFERENCE (state nexus confidence: medium).

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.

Reference Images / Associated Evidence

No images found for this threat.