Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Winter Vivern

🌐Winter Vivern

🌐 Winter Vivern is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 27 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1035) ↗
14Use cases
0Articles
27Techniques
0IOCs

About this actor (MITRE)

Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint Wint

Known aliases

Winter VivernTA473UAC-0114

Top techniques

T1020 · Automated ExfiltrationT1033 · System Owner/User DiscoveryT1036 · Masquerading

All other tracked techniques

T1036.004 · Masquerade Task or ServiceT1041 · Exfiltration Over C2 ChannelT1053.005 · Scheduled TaskT1056.003 · Web Portal CaptureT1059 · Command and Scripting InterpreterT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.007 · JavaScriptT1071.001 · Web ProtocolsT1082 · System Information DiscoveryT1083 · File and Directory DiscoveryT1105 · Ingress Tool TransferT1113 · Screen CaptureT1114.001 · Local Email CollectionT1119 · Automated CollectionT1140 · Deobfuscate/Decode Files or InformationT1189 · Drive-by CompromiseT1190 · Exploit Public-Facing ApplicationT1204.001 · Malicious LinkT1566.001 · Spearphishing AttachmentT1583.001 · DomainsT1583.003 · Virtual Private ServerT1584.006 · Web ServicesT1595.002 · Vulnerability Scanning

Detection use cases (14)

Winter Vivern (TA473 / UAC-0114) macro-borne PowerShell creating scheduled task with embedded URL/encoded payload AI · profile S Winter Vivern lookalike-domain egress from PowerShell / LOLBins (gov / MFA / OSCE typosquat C2) AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match