Winter Vivern (TAG-70 / UAC-0114 / TA473): A Persistent Eastern European Cyber-Espionage Threat Targeting NATO and EU Governments

Introduction

The “Winter Vivern,” or TAG-70, UAC-0114 and TA473, has been among the most aggressive actors in espionage targeting European and NATO affiliated entities; They have been active since at least 2020, dynamically developing new and improved ways of achieving their objective of espionage throughout 2024–2025 by taking advantage of weaknesses in the system or utilizing legitimate services elsewhere, using highly customized phishing efforts to penetrate government, foreign, telecommunications, military, etc.

The Winter Vivern is Apollo’s ultimate objective, a politicized APT Group that can be reasonably expected to support the Russian and Belarusian states; Their actions will typically correspond with ultimately changing political/military conflicts between/around Eastern Europe directed into Ukraine and NATO support; While their Tools are relatively unimposing, they are very effective and are regularly seen to use low/no detection scripts (Shells) and Auto-execs hosted on Web safe/compromised servers to allow them to remain active within extremely sensitive environments.

Identity & Motivation

Attribution: Attribution: Analysts attribute Winter Vivern with links to UNC groups associated with Belarus , as well as working in conjunction with Russian intelligence operations. Analysts designate Winter Vivern as a state-sponsored espionage actor that has an operational connection to many of the same Russian strategic efforts.

Aliases:
– TAG-70 (Google Threat Intelligence)
– UAC-0114 (Ukrainian CERT)
– TA473 (Proofpoint)

Active Since: Winter Vivern has been active since 2020, with increasing focus on targeting through 2025.

Motivation: Intelligence gathering, long-term persistence, credential theft, disruption of military communication to adversary.

Winter Vivern’s primary target area is political, military and diplomatic intelligence collection through continuous efforts at intelligence collection (maintaining continuous access is the goal rather than financial), rather than through immediate financial acquisition.

Tactics, Techniques, and Procedures (TTPs)

Winter Vivern uses the same toolset over and over and utilizes fairly basic penetration tactics.

Initial Access

• Spear phishing e-mails to NATO and EU government and military personnel
•  Creation of fake government documents used to collect credentials by sending e-mails containing a link to a credential-collecting portal
• Exploitation of vulnerabilities in publicly accessible systems, including the following:
  • Vulnerabilities in the Zimbra Collaboration Suite (widely used by government e-mail systems)
  • JavaScript injection vulnerabilities                   
• Successful compromise of a variety of Ukrainian and European government websites.

Execution & Tooling

• Lightweight PowerShell loaders.
• Web-based custom malware frameworks (“WSS Loader”).
• HTML smuggling for initial script delivery.
• Proxy-based malware execution to avoid endpoint detection.

Winter Vivern disguises its malware as legitimate document loaders to minimize detection while executing their malicious activities.

Persistence

• Malicious cron jobs and scheduled tasks.
• Browser credential harvesting.
  Continuous refresh of phishing infrastructure and fake login portals.

Command & Control (C2)

• Use of compromised WordPress sites.
• Rotating VPS nodes in Russia and Belarus.
• Encrypted HTTP/HTTPS communication.

Lateral Movement & Collection

Targeted collection of military, diplomatic, and telecom intelligence.

Credential harvesting via fake SSO portals.

Network reconnaissance scripts.

Notable Operations (2020–2025)

Winter Vivern has frequently targeted regions of Eastern Europe, coinciding with larger geopolitical changes.

2020 – Initial Tracking and Early Espionage Activity

• The first large-scale operations targeted various Eastern European governmental agencies.
• Phishing lures related to the COVID-19 pandemic and NATO notifications, in addition to EU correspondence.

2021 – Targeting of Diplomats and Government Organizations

• Major operation efforts were concentrated on Poland, Ukraine and other Baltic States.
• Credential harvesting performed via spoofed governmental agency portals.

2022 – Escalation During Russia–Ukraine Conflict

• Escalation of Activity in connection with Russia-Ukraine Conflict
• Increased targeting of Critical Infrastructure in Ukraine.
• Penetration of European diplomatic communications supporting Ukraine.

2023 – Expansion Into Telecom & Military Sectors

• Attacks on European telecoms to steal Military communications through interception.
• Use of Web Inject Malware and Multi-stage Phishing.

2024 – Sophisticated NATO & EU Credential Operations

• Used advanced Phishing toolkits.
• Targeted Cross-border phishing campaigns related to European Parliament, diplomats and researchers.

2025 – Continued Activity & Infrastructure Refresh

• Renewed activity of exploiting Zimbra vulnerabilities
• New phishing domains mimicking EU Agencies and Military coordination platforms.

Recent Developments

Through 2024-2025, Winter Vivern has continued to evolve as they increase their operational maturity. Examples of this include:

• Multi Layer Staging Servers – Used to hide operator activity.
• More extensively using cloud-based email evasion and HTML Smuggling.
• Targeted attacks against Defense Contractors and Satellite Communication Providers.
• Integration of MFA Bypass Phishing Components.
• Increased Anti-Analysis Features in their web shells and loaders.

Additionally, Winter Vivern has begun using AI-assisted content generation to create more authentic, multilingual Phishing Lures.

Target Profile

• Primary Sectors: Government, military, diplomatic missions, telecom, defense contractors, research institutes.
• Geographic Focus: Ukraine, Poland, Lithuania, Latvia, Germany, France, United States (NATO-aligned entities).

Strategic Impact

Winter Vivern’s threat level is significant due to the fact that:

• They have a strong focus on government and military Intelligence, specifically High Value Political and Military Intelligence.
• They have the ability to compromise widely used email systems, such as Zimbra.
• They are aligned with the geopolitical maneuverings of Russia’s strategic objectives.
• They quickly adapt to the latest security measures in regards to previously exploited vulnerabilities and Indicators of Compromise (IOCs).

Successful intrusions by Winter Vivern could result in: 

• Compromise of Diplomatic Communications.
• Compromise of Classified/Sensitive Governmental Data.
• Disruption of Military coordination.
• Permanent Loss of Intelligence.

Conclusion

Winter Vivern (TAG-70, UAC-0114, TA473) is an example of modern state-sponsored espionage actor. Stealthy, persistent, and highly adaptable, Winter Vivern targets NATO, EU and the Ukrainian government as a clear sign of their geopolitical motivations and their strategic threat as an espionage actor.

As Winter Vivern grows in capabilities, organisations must take action to prioritise:

– Hardened email infrastructure
– Continuous vulnerability management (especially Zimbra and webmail platforms)
– Advanced phishing detection
– Strong authentication practices
– Real-time monitoring of public-facing systems

In terms of predicting the Winter Vivern threat landscape or the operational scope of Winter Vivern in 2025 – this is part of a broader trend towards espionage actors taking advantage of the availability of low-cost/high-performance tools in order to achieve high-impact intelligence outcomes. Winter Vivern is at the cutting edge of this evolution.

You can download and review the sheet for all the details!