Winter Vivern
Aliases: TA473, UAC-0114
Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, that targets various European government and NGO entities, with sporadic targeting of Indian and US victims. The group combines document-based phishing and server-side exploitation for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint Wint...
Techniques: 27
Covered: 24
Gaps: 3
Coverage: 89% (24/27)
COVERED (24) (technique ID, technique name, number of detections)
T1020 Automated Exfiltration: 17 det.
T1033 System Owner/User Discovery: 59 det.
T1036 Masquerading: 493 det.
T1036.004 Masquerade Task or Service: 7 det.
T1041 Exfiltration Over C2 Channel: 30 det.
T1053.005 Scheduled Task: 82 det.
T1059 Command and Scripting Interpreter: 462 det.
T1059.001 PowerShell: 338 det.
T1059.003 Windows Command Shell: 79 det.
T1059.007 JavaScript: 58 det.
T1071.001 Web Protocols: 74 det.
T1082 System Information Discovery: 80 det.
T1083 File and Directory Discovery: 48 det.
T1105 Ingress Tool Transfer: 170 det.
T1113 Screen Capture: 17 det.
T1114.001 Local Email Collection: 11 det.
T1119 Automated Collection: 11 det.
T1140 Deobfuscate/Decode Files or Information: 55 det.
T1189 Drive-by Compromise: 10 det.
T1190 Exploit Public-Facing Application: 208 det.
T1204.001 Malicious Link: 9 det.
T1566.001 Spearphishing Attachment: 850 det.
T1583.001 Domains: 61 det.
T1595.002 Vulnerability Scanning: 12 det.