Threat Actor

Winter Vivern / TA473 (TAG-70)

winter_vivern_ta473 · russia_belarus · active since 2020-12

Winter Vivern / TA473 (canonical ESET / SentinelLabs name Winter Vivern; Proofpoint TA473; Recorded Future TAG-70; Ukrainian CERT-UA UAC-0114) is a Russia-aligned and Belarus-aligned cyber-espionage cluster active publicly since at least December 2020, and one of the most operationally consistent Russia-and-Belarus-aligned cyber-espionage clusters of the Russia-Ukraine war era.

Primary operational mission objectives are intelligence collection from NATO member governments, EU member governments, Ukraine, Central Asia, and adjacent diplomatic targets through webmail-server exploitation tradecraft.

The cluster is operationally distinct from broader Russia-aligned clusters (apt28, apt29, sandworm, turla, gamaredon, cadet_blizzard, star_blizzard, dragonfly) through its Russia-AND-Belarus dual-alignment operational pattern, its signature webmail-server (Roundcube + Zimbra) exploitation specialization, its "relatively unsophisticated" operational tradecraft profile, and its signature target-list coordination with APT28 (Russian GRU Unit 26165).

Signature tradecraft includes XSS exploitation via an SVG tag carrying a base64-encoded payload in HTML emails impersonating the "Outlook Team", in-browser email-folder enumeration and email-message exfiltration via JavaScript malware executed in the victim's Roundcube browser context, a custom PowerShell backdoor, compromised WordPress sites as staging infrastructure, and rotating VPS nodes in Russia and Belarus.

The canonical October 2023 exploitation of CVE-2023-5631, a Roundcube XSS 0day, escalated the cluster from known-vulnerability exploitation to 0day operational use.

Recorded Future Insikt Group's February 2024 TAG-70 canonical disclosure documented 80+ organizations targeted October-December 2023 across Georgia, Poland, Ukraine, Iranian embassies in Moscow and the Netherlands, Georgia's embassy in Sweden, and Uzbekistan government mail servers.

An ESET-documented, low-confidence possible operational connection to MoustachedBouncer (Belarus-aligned) suggests a common infrastructure provider.

The cluster fills the Russia-AND-Belarus-aligned dual-alignment webmail-server-exploitation specialization cell in the curated corpus.

Attribution: russia_belarus (confidence: high) · 15 aliases · MITRE ATT&CK G1035
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 6

Profile

Winter Vivern / TA473 (canonical ESET / SentinelLabs naming Winter Vivern; Proofpoint canonical TA473; Recorded Future Insikt Group canonical TAG-70 / Threat Activity Group 70; Ukrainian CERT-UA canonical UAC-0114) is a Russia-aligned and Belarus-aligned cyber-espionage cluster active publicly since at least December 2020, with primary operational mission objectives of intelligence collection from NATO member governments, EU member governments, Ukraine, Central Asia, and adjacent diplomatic targets through webmail-server exploitation tradecraft. The cluster is one of the most operationally consistent Russia-and-Belarus-aligned cyber-espionage clusters during the Russia-Ukraine war era and is operationally distinguished from the broader Russia-aligned clusters already curated in this corpus (apt28_fancybear, apt29_cozybear, sandworm_team, turla, gamaredon, cadet_blizzard, star_blizzard_callisto, dragonfly_energetic_bear, indrik_spider_evilcorp, noname057_16, killnet) through (a) an explicit Russia-AND-Belarus dual-alignment operational pattern; (b) signature webmail-server (Roundcube + Zimbra) exploitation targeting as primary initial-access vector; (c) a "relatively unsophisticated" operational tradecraft profile distinct from APT28/APT29 operational sophistication; and (d) signature target-list coordination with APT28 (Russian GRU Military Intelligence Unit 26165), suggesting an operational coordination pattern.

Operational phases of the cluster's longitudinal history:

(1) OPERATIONAL EMERGENCE ERA (December 2020 to 2021). Earliest documented operations from December 2020 (Recorded Future, ESET). SentinelLabs notes the cluster "first appeared on the radar in April 2021", but the earliest tracked operations extend back to December 2020. These earliest operations established the operational pattern of government-entity targeting via phishing and webmail-server exploitation.

(2) NATO + EU GOVERNMENT TARGETING ERA (2021-2022). Operations expanded to target NATO member governments and EU governments. Documented targets: India, Italy, Lithuania, Ukraine, Vatican. This era established the cluster's signature NATO + EU government targeting pattern.

(3) ZIMBRA + ROUNDCUBE WEBMAIL EXPLOITATION ERA (2022+). Since at least 2022, Winter Vivern has targeted Zimbra Collaboration and Roundcube email servers of government organizations in Europe and Central Asia, using known vulnerabilities for which proof-of-concept (PoC) exploits are available online.

(4) ZERO-DAY OPERATIONAL ESCALATION ERA (October 2023). In October 2023, Winter Vivern exploited CVE-2023-5631, a then-zero-day cross-site scripting (XSS) vulnerability in the Roundcube open-source webmail server, escalating from known-vulnerability exploitation to 0day operational use. ESET researchers discovered the 0day exploitation on October 11, 2023; Roundcube released security patches on October 16, 2023.

(5) TAG-70 RECORDED FUTURE DISCLOSURE + CONTINUED OPERATIONS ERA (February 2024 to present). Recorded Future Insikt Group's February 2024 disclosure documented 80+ organizations targeted October-December 2023 across Georgia, Poland, Ukraine, Iranian embassies (Moscow + Netherlands), Georgia's embassy in Sweden, and Uzbekistan government mail servers. Operations have continued through 2024-2026 with sustained operational tempo and continued infrastructure rotation.
Signature operational tradecraft includes:
  • Roundcube + Zimbra webmail server exploitation as primary initial-access vector: signature operational pattern distinguishable from broader Russia-aligned clusters with endpoint-malware-focused tradecraft.
  • XSS (Cross-Site Scripting) exploitation via SVG tag payload in HTML emails: signature delivery format is an HTML email with subject line "Get started in your Outlook" from a sender impersonating the "Outlook Team"; an SVG tag at the end of the email contains a base64-encoded malicious JavaScript payload hidden from the user but present in the HTML source code.
  • In-browser email-folder enumeration and email-message exfiltration: JavaScript malware injected via XSS executes in the context of the victim's browser, providing the capability to list all folders and emails in the Roundcube email account and exfiltrate email messages to attacker-controlled C2 servers via HTTP requests.
  • 0day exploitation capability acquisition (October 2023): operational escalation from known-vulnerability exploitation to 0day operational use; ESET noted "Winter Vivern has stepped up its operations."
  • Custom PowerShell backdoor + custom JavaScript malware: signature endpoint capabilities for targets where browser-only access is insufficient.
  • Compromised WordPress sites for staging infrastructure: signature operational tradecraft of using compromised legitimate WordPress sites as staging infrastructure for payload delivery.
  • Rotating VPS nodes in Russia and Belarus: signature infrastructure rotation pattern documented by Brandefense.
  • "Relatively unsophisticated" but persistent operational profile: per ESET, operational success is driven by consistent operational tempo and exploitation of unpatched internet-facing applications rather than tradecraft sophistication.
  • Target-list coordination with APT28 (Russian GRU Unit 26165): ESET documented overlapping target sets and shared CVE-2020-35730 exploitation with APT28 (curated separately as apt28_fancybear.yaml), operationally suggesting a coordination pattern.
  • Possible MoustachedBouncer (Belarus-aligned) operational connection: ESET researchers note a "low level of confidence" potential connection; both clusters share similar network infrastructure, suggesting a common entity provides infrastructure to both groups.
  • Russia-Ukraine war operational tempo escalation: the cluster's operational tempo has shown escalation patterns coinciding with broader Russia-Ukraine war operational requirements, consistent with Russia-aligned and Belarus-aligned strategic operational priorities.

The cluster fills the Russia-AND-Belarus-aligned dual-alignment webmail-server-exploitation specialization cell in this curated corpus, complementing the broader Russia-aligned cluster coverage (apt28_fancybear, apt29_cozybear, sandworm_team, turla, gamaredon, cadet_blizzard, star_blizzard_callisto, dragonfly_energetic_bear, indrik_spider_evilcorp). Winter Vivern is operationally distinct from these adjacent Russia-aligned clusters through (a) its Russia-AND-Belarus dual-alignment operational pattern; (b) its signature webmail-server-exploitation specialization; (c) its "relatively unsophisticated" but persistent operational profile; and (d) its signature operational coordination with APT28.
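As an added defensive example (this code is not from the page or from any vendor cited on it), the following Python scans one raw email for the delivery pattern described above: the "Outlook Team" sender, the "Get started in your Outlook" subject, and an <svg> element whose base64 content decodes to script. The sample message is constructed for the example; the inspect_message function, its indicator names and the JS_MARKERS heuristic are my assumptions, not any vendor's detection logic.

```python
import base64
import email
import re
from email import policy

# Lure indicators taken from the page's description of the delivery format.
LURE_SUBJECT = "get started in your outlook"
LURE_DISPLAY_NAME = "outlook team"

SVG_RE = re.compile(r"<svg\b[^>]*>(.*?)</svg>", re.I | re.S)  # inner content of each <svg>
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")               # base64 runs long enough to carry code
JS_MARKERS = re.compile(r"<script\b|\b(?:document|window|XMLHttpRequest|fetch|eval|atob)\b")

def decode_b64_blobs(fragment):
    """Decode every base64 run in the fragment; skip runs that are not valid base64."""
    decoded = []
    for blob in B64_RE.findall(fragment):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def inspect_message(raw):
    """Return the list of lure/payload indicators found in one raw RFC 822 message (assumed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if LURE_SUBJECT in (msg["subject"] or "").lower():
        findings.append("lure-subject")
    if LURE_DISPLAY_NAME in (msg["from"] or "").lower():
        findings.append("lure-sender")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        # The SVG element the page describes sits in the HTML source, invisible to the reader.
        for svg in SVG_RE.findall(html.get_content()):
            if any(JS_MARKERS.search(text) for text in decode_b64_blobs(svg)):
                findings.append("svg-base64-script")
                break
    return findings

# Constructed sample (not a real Winter Vivern email): a harmless placeholder stands in for the payload.
SAMPLE_JS = "/* constructed placeholder, not a real payload */ document.location;"
SAMPLE_B64 = base64.b64encode(SAMPLE_JS.encode()).decode()
SAMPLE_EMAIL = (
    "From: Outlook Team <team@outlook.example>\r\nTo: user@gov.example\r\n"
    "Subject: Get started in your Outlook\r\nMIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><body><p>Welcome to your mailbox.</p>"
    f'<svg xmlns="http://www.w3.org/2000/svg">{SAMPLE_B64}</svg></body></html>\r\n'
).encode()
```

Running inspect_message over a mail-gateway quarantine or a mailbox export flags messages that combine the lure headers with hidden script in an SVG, while ordinary HTML mail yields an empty list.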

Aliases (15)

winter vivern, winter-vivern, winter_vivern, wintervivern, ta473, ta-473, tag-70, tag70, threat activity group 70, uac-0114, uac0114, storm_winter_vivern, winter vivern apt, winter_vivern_ta473, ta473 winter vivern

Notable Campaigns (9)

  • 2024-2026: Continued Operations and Persistent Threat Profile (2024-Present)
  • 2024: Recorded Future TAG-70 Canonical Disclosure (February 2024)
  • 2023-2024: Target Overlap with APT28 (Russian GRU Unit 26165)
  • 2023: Moldova + Tunisia Zimbra Exploitation Campaign (July 2023)
  • 2023: CVE-2020-35730 Roundcube Exploitation Campaign (August-September 2023)
  • 2023: CVE-2023-5631 Roundcube 0day Exploitation Campaign (October 2023)
  • 2022: Zimbra and Roundcube Email Server Exploitation Era (2022+)
  • 2021-2022: NATO Member Government Targeting (2021-2022)
  • 2020: Winter Vivern Operational Emergence (December 2020)

Attribution & Reporting

Attributed by
ESET, SentinelLabs (SentinelOne), Proofpoint, Recorded Future Insikt Group, Ukrainian CERT-UA, Microsoft Threat Intelligence Center, Mandiant, CrowdStrike, Trend Micro, Symantec / Broadcom Threat Hunter Team, PwC Threat Intelligence, Lab52 (S2 Grupo), Cluster25, SOCRadar, Brandefense
Key reporting
  • ESET (Matthieu Faou): Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers (October 25, 2023), canonical ESET CVE-2023-5631 0day disclosure
  • SentinelLabs: Winter Vivern, Uncovering a Wave of Global Espionage Targeting Government Entities (multiple analyses)
  • Proofpoint: Exploitation of Zimbra Vulnerabilities by Attack Cluster Tied to Russia-Aligned TA473 (multiple analyses)
  • Recorded Future Insikt Group: Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign (February 2024), canonical TAG-70 fourth-vendor disclosure
  • Ukrainian CERT-UA: UAC-0114 Operational Tracking (multiple advisories)
  • Microsoft Threat Intelligence: Russia-Aligned Cluster Tracking, Winter Vivern Adjacent Activity
  • Mandiant: Russia-Aligned Cluster Tracking
  • CrowdStrike: Russia-Aligned Cluster Tracking, Winter Vivern Operational Profile
  • Trend Micro: NATO + EU Government Targeting Cluster Tracking
  • Symantec / Broadcom: Russia-Aligned Cluster Continued Tracking
  • PwC Threat Intelligence: Winter Vivern Operational Profile
  • Lab52 (S2 Grupo): Winter Vivern Operational Analysis
  • Cluster25: Winter Vivern Continued Tracking
  • SOCRadar: Winter Vivern Tracking
  • Brandefense: Winter Vivern (TAG-70 / UAC-0114 / TA473), A Persistent Eastern European Cyber-Espionage Threat Targeting NATO And EU Governments (2026)
  • MoustachedBouncer Comparative Analysis (ESET), possible low-confidence operational infrastructure connection

Operational

State sponsor

Russia-aligned and Belarus-aligned cyber-espionage cluster. ESET, SentinelLabs, Proofpoint, Recorded Future Insikt Group, Ukrainian CERT-UA, and the broader industry vendor ecosystem consistently track the cluster as Russia-aligned and Belarus-aligned, with operational interests closely aligned with the "governments of Russia and Belarus" and targeting patterns consistent with both Russian and Belarusian state-aligned operational priorities. ESET researchers note "Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities." ESET researchers also note a potential "low level of confidence" connection to MoustachedBouncer (a Belarus-aligned group conducting attacks against foreign diplomats in Belarus): both clusters share similar network infrastructure, suggesting a common entity provides infrastructure to both groups. Recorded Future Insikt Group assesses TAG-70 as "likely operating on behalf of Belarus and Russia, conducting cyber-espionage against government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020." No formal attribution to a specific Russian or Belarusian government agency has been asserted by any government cybersecurity authority; the cluster has not been formally attributed to a specific intelligence-service unit.

The cluster operates independently of, but in operational alignment with, more prominent Russian-state-aligned clusters: ESET notes Winter Vivern has been observed exploiting Roundcube vulnerability CVE-2020-35730 against the same entities also targeted by APT28 (formally attributed to Russian GRU Military Intelligence Unit 26165 by the US government), suggesting shared target-list coordination between Winter Vivern and APT28 (curated separately as apt28_fancybear.yaml). The Russia-and-Belarus dual-alignment operational pattern distinguishes Winter Vivern from purely Russian-attributed clusters (apt28, apt29, sandworm, turla, gamaredon, cadet_blizzard, star_blizzard_callisto) and reflects the broader coordination between Russian and Belarusian state-aligned cyber operations during the Russia-Ukraine war era. The cluster's operational tradecraft is characterized by ESET as "relatively unsophisticated" but effective due to consistent operational tempo and exploitation of unpatched internet-facing applications. SentinelLabs analysis suggests the cluster's operational objectives "closely align with the interests of the Belarusian and Russian governments." The cluster is operationally distinct from the broader Russia-aligned clusters already curated in this corpus through (a) an explicit Russia-AND-Belarus dual-alignment operational pattern; (b) signature webmail-server (Roundcube + Zimbra) exploitation targeting; (c) signature NATO + EU government + Ukraine + Central Asia targeting; and (d) a "relatively unsophisticated" operational tradecraft profile distinct from APT28/APT29 operational sophistication levels.

Motivations
cyber_espionage_intelligence_collection, government_email_surveillance, military_communications_intelligence, diplomatic_intelligence_collection, russia_ukraine_war_intelligence_support, belarusian_state_aligned_intelligence_support, nato_eu_government_targeting, long_term_persistent_access_maintenance
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 58/60 · 96%
Analytics (MITRE CAR): 32/60 · 53%
Runtime / container (Falco): 8/60 · 13%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 15/60 · 25%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin