Winter Vivern
Aliases: TA473, UAC-0114
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint Wint...
Techniques: 27
Covered: 24
Gaps: 3
Coverage: 89% (24/27)
COVERED (24)
T1020      Automated Exfiltration                 20 det.
T1033      System Owner/User Discovery            61 det.
T1036      Masquerading                           525 det.
T1036.004  Masquerade Task or Service             7 det.
T1041      Exfiltration Over C2 Channel           31 det.
T1053.005  Scheduled Task                         99 det.
T1059      Command and Scripting Interpreter      486 det.
T1059.001  PowerShell                             368 det.
T1059.003  Windows Command Shell                  82 det.
T1059.007  JavaScript                             61 det.
T1071.001  Web Protocols                          80 det.
T1082      System Information Discovery           86 det.
T1083      File and Directory Discovery           48 det.
T1105      Ingress Tool Transfer                  183 det.
T1113      Screen Capture                         18 det.
T1114.001  Local Email Collection                 11 det.
T1119      Automated Collection                   12 det.
T1140      Deobfuscate/Decode Files or Information 58 det.
T1189      Drive-by Compromise                    10 det.
T1190      Exploit Public-Facing Application      216 det.
T1204.001  Malicious Link                         10 det.
T1566.001  Spearphishing Attachment               905 det.
T1583.001  Domains                                61 det.
T1595.002  Vulnerability Scanning                 12 det.