Winter Vivern

216.73.217.22

· Published 16/12/2025 19:39 · Modified 27/03/2026 01:14 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 27/03/2026 01:14
Updated at: 27/03/2026 01:14
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 37 attack patterns (mitre), 6 malware, 5 sectors, 8 countries, 27 indicators, 3 vulnerabilities (cve)

Aliases

UAC-0114 TA473

Description

Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint WinterVivern 2023)

Marking (TLP)

External references

Related entities

https://ocs-romastassec.com/redirect/?id=[target indicates
hitsbitsx.com indicates
https://troadsecow.com/cbzc.policja.gov.pl indicates
marakanas.com indicates
ocspdep.com indicates
ocs-romastassec.com indicates
https://oscp-avanguard.com/asn15180YHASIFHOP_ indicates
troadsecow.com indicates
security-ocsp.com indicates
ocsp-reloads.com indicates
https://ocs-romastassec.com/goog_comredira3cf7ed34f8.php indicates
http://ocs-romastassec.com/goog_comredira3cf7ed34f8.php indicates
https://marakanas.com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php indicates
https://nepalihemp.com/assets/img/images/623930va indicates
https://natply.com/wordpress/wp-includes/fonts/ch/097214o indicates
bugiplaysec.com indicates
6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26 indicates
https://bugiplaysec.com/mgu/auth.js indicates
https://applesaltbeauty.com/wordpress/wp-includes/widgets/classwp/521734i indicates
https://ocs-romastassec.com/goog_comredira3cf7ed34f8.php' indicates
oscp-avanguard.com indicates
recsecas.com indicates
https://oscp-avanguard.com/settingPopImap/SettingupPOPandIMAPaccounts.html indicates
ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e indicates
https://marakanas.com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php?idU=$a indicates
nepalihemp.com indicates
https://ocspdep.com/inotes.sejm.gov.pl?id=[Target indicates

Winter Vivern

Essential information

Aliases

Description

Marking (TLP)

External references

Related entities

Attack patterns (MITRE) (37)

Malware (6)

Sectors (5)

Countries (8)

Indicators (27)

Vulnerabilities (CVE) (3)