From 7bb54037e889784d800139cf6a65a4b44f6d6307 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 11:13:11 +0100
Subject: [PATCH] [threat-actors] Add Winter Vivern
---
 clusters/threat-actor.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5136bf1e..1b0f32e8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12135,6 +12135,24 @@
 },
 "uuid": "0ee7be4f-389f-4083-a1e4-4c39dc1ae105",
 "value": "Xiaoqiying"
+ },
+ {
+ "description": "Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.",
+ "meta": {
+ "aliases": [
+ "UAC-0114",
+ "TA473"
+ ],
+ "refs": [
+ "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/",
+ "https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs",
+ "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/",
+ "https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",
+ "https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/"
+ ]
+ },
+ "uuid": "b7497d28-02de-4722-8b97-1fc53e1d1b68",
+ "value": "Winter Vivern"
 }
 ],
 "version": 288
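Review bot: The added `"description"` line lists only maldocs, phishing sites and a PowerShell backdoor as the group's intrusion methods, yet two of the entry's own `refs` document webmail-server exploitation (the ESET URL names a Roundcube zero-day, the Proofpoint URL a known Zimbra vulnerability), so a consumer reading the cluster text alone misses the vector those reports are about. Consider ending the last sentence with `..., a custom PowerShell backdoor, and exploitation of vulnerabilities in Roundcube and Zimbra webmail servers.` so the prose matches the cited sources. The `meta` object carries only `aliases` and `refs`; the "active since at least 2020" claim lives in free text, so if sibling entries in this galaxy use a structured key for first-seen dates (I cannot see them in this hunk to confirm the name), adding it here would let metadata-based filtering pick this actor up. The two aliases come from different naming schemes, a CERT-UA `UAC-` identifier and a Proofpoint `TA` identifier, which is consistent with the SOCPrime and Proofpoint references respectively.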