From 82b347682ce23aae7a176c0ee6fbfacdd48270d4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 20 Feb 2024 05:22:26 -0800
Subject: [PATCH] [threat-actors] Add Winter Vivern aliases
---
 clusters/threat-actor.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c2890be..b95b4dd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12584,16 +12584,21 @@
 {
 "description": "Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.",
 "meta": {
+ "country": "RU",
 "refs": [
 "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/",
 "https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs",
 "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/",
 "https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",
- "https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/"
+ "https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/",
+ "https://cybersecuritynews.com/russian-hackers-xss-flaw/",
+ "https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail"
 ],
 "synonyms": [
 "UAC-0114",
- "TA473"
+ "TA473",
+ "TAG-70",
+ "TA-473"
 ]
 },
 "uuid": "b7497d28-02de-4722-8b97-1fc53e1d1b68",
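Review bot: The added `"country": "RU"` line asserts a state-level attribution that the commit subject ("Add Winter Vivern aliases") does not mention, and the new Recorded Future reference, going by its URL slug, describes the group as "russia-aligned" rather than as Russian in origin; the description should carry that nuance so galaxy consumers can judge the confidence behind the country code, e.g. by appending `Recorded Future tracks the group as TAG-70 and assesses it as Russia-aligned.` to the existing description string. The new synonym `"TA-473"` looks like a hyphenated spelling of the existing `"TA473"` rather than a distinct vendor designation; if it is kept deliberately as a matching variant, the commit message should say so, otherwise it should be dropped to keep the synonym list free of near-duplicates. The cybersecuritynews.com entry appears to be secondary coverage of the same Recorded Future research, so the primary reference alone may be the better citation.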