← All Threat Actors
Threat Actor Profile

Winter Vivern

G1035 TA-473 TA473 TAG-70 UAC-0114
▲ High Threat
Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.
Origin Russia

Known TTPs

Command and Scripting Interpreter
Web Protocols
Web Portal Capture
System Owner/User Discovery
Virtual Private Server
JavaScript
Spearphishing Attachment
Masquerade Task or Service
Screen Capture
Drive-by Compromise
Automated Collection
Deobfuscate/Decode Files or Information
Automated Exfiltration
Ingress Tool Transfer
Exploit Public-Facing Application
Vulnerability Scanning
Exfiltration Over C2 Channel
Scheduled Task
Web Services
Masquerading
Domains
System Information Discovery
Windows Command Shell
Malicious Link
File and Directory Discovery
Local Email Collection
PowerShell

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD