Home / Threat Intelligence bulletins / Winter Vivern APT group exploits Zimbra vulnerability to steal NATO data

Target Industry

Defence sector organisations including:

– Government of India
– Ministry of Foreign Affairs of Ukraine
– Polish government
– Italian Ministry of Foreign Affairs.


The Russian threat actor group tracked as ‘Winter Vivern’ (a.k.a, TA473) has been actively exploiting CVE-2022-27926 (CVSSv3 Score: 6.1) on Zimbra Collaboration Suite (ZCS) endpoints, dating back to February 2023, with the objective of stealing sensitive data belonging to The North Atlantic Treaty Organization (NATO). The espionage-related activity relates to the theft of emails belonging to NATO officials and military personnel as well as US elected official targeting.

The attack chain of the campaign is initiated by the group scanning for unpatched mail platforms with the Acunetix vulnerability scanner. Following the initial reconnaissance, phishing emails are delivered from a spoofed email account appearing to originate from an entity that would be familiar to the target. The emails contain a malicious link that exploits CVE-2022-27926 in the victims’ vulnerable Zimbra infrastructure that when interacted with, leads to the injection of JavaScript payloads into the webpage. These payloads allow the threat actors to harvest sensitive data.

The attacks have been assessed to correlate with the support of Russian geopolitical objectives as they pertain to the Russia-Ukraine War.


CVE-2022-27926 involves a reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0. Successful exploitation of the security flaw allows unauthenticated threat actors to execute arbitrary web script or HTML via request parameters.

The JavaScript payloads applied within the attack chain of the current Winter Vivern campaign are used to steal usernames, passwords and tokens from cookies received from compromised Zimbra endpoints. This information allows the threat actors to access the target email accounts without any restrictions. They can subsequently access sensitive data on the compromised email accounts or maintain persistence to monitor communications over a desired time period. Moreover, the threat actors can use the compromised accounts to conduct lateral phishing attacks and advance their infiltration of the target organisations.

Containment, Mitigations & Remediations

It is strongly advised that users ensure that their devices are updated in accordance with regular patching cycles. The latest ZCS patching information can be found on the official vendor security advisory page.

ZCS users are also advised to ensure that zero-trust principles, including the enforcement of multi-factor authentication (MFA) and virtual private networks (VPN) are in force to disrupt the ability of threat actors to implement email credential hacking techniques. It is also recommended that resources on publicly facing email portals from the public internet are restricted to prevent threat actor groups, such as Winter Vivern, from performing reconnaissance techniques and engineering custom scripts capable of credential theft and logging in to target email accounts.

Indicators of Compromise

Winter Vivern associated IP addresses:


Winter Vivern associated URLs:

– hxxps://oscp-avanguard[.]com/asn15180YHASIFHOP_< redacted >_ASNfas21/auth.js
– hxxps://oscp-avanguard[.]com/settingPopImap/SettingupPOPandIMAPaccounts.html
– hxxps://troadsecow[.]com/cbzc.policja.gov.pl
– hxxps://bugiplaysec[.]com/mgu/auth.js
– hxxps://nepalihemp[.]com/assets/img/images/623930va
– hxxps://ocs-romastassec[.]com/redirect/?id=[target specific ID]&url=[Base64 Encoded Hyperlink URL hochuzhit-com.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&x_tr_pto=wapp]
– hxxps://ocspdep[.]com/inotes.sejm.gov.pl?id=[Target Specific SHA256 Hash]

Winter Vivern associated Command-and-Control (C2) domains:

– ocspdep[.]com
– bugiplaysec[.]com
– oscp-avanguard[.]com
– troadsecow[.]com
– nepalihemp[.]com

Threat Landscape

The objective of the attacks has been assessed to be the establishment of access to the email accounts of military, government and diplomatic organisations across Europe that are involved in the Russia-Ukraine conflict. As such, it is likely that the threat will persist for the remainder of 2023.

The current Winter Vivern espionage campaign follows a recently detected attack effort in which the threat actor group utilised websites masquerading as European agencies, fighting cybercrime, in an attempt to spread malware masked as a legitimate virus scanner.

Since 2021, there has been a trend of concerted attack efforts against European government, military and diplomatic entities with phishing campaigns. However, at the end of 2022, phishing campaigns were also observed to be targeting elected officials and associated staff in the US. Following the declaration of the current Russia-Ukraine conflict, there has been a commonality amongst observed targets with respect to social engineering and impersonation attacks. Such attack vectors often pertain to Ukraine in the context of armed conflict.

Threat Group

At the time of writing Winter Vivern is not considered to be ranked amongst the most sophisticated Advanced Persistent Threat (APT) groups targeting the European cyber landscape. However, they have demonstrated the ability to apply focus and persistence to their attack efforts as well as a repeatable process for compromising geopolitically exposed targets. They also follow an effective operational approach that is successful against high-profile targets who fail to apply software patches in a timely manner. This demonstrates their investment in compromising specific targets, in this case those in the European government sector. Rather than developing a ubiquitous tool and payload set, Winter Vivern invests time and resources to compromise specific entities with each JavaScript payload being custom-made for the targeted email portal.

There have been reported instances of Winter Vivern specifically targeting RoundCube mail request tokens. This detail demonstrates the diligence of the threat actors engaged in pre-attack reconnaissance efforts, allowing them to determine which portal is used by their target prior to crafting the phishing emails and setting the landing page function.

Mitre Methodologies

Initial Access Techniques:

T1189– Drive-by Compromise
T1190– Exploit Public-Facing Application
T1566.001 – Phishing: Spearphishing Attachment
T1566.002– Phishing: Spearphishing Link

Execution Techniques:

T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1204.002– User Execution: Malicious File

Persistence Technique:

T1053.005 – Scheduled Task/Job: Scheduled Task

Defence Evasion Techniques:

T1036 – Masquerading
T1070.004 – Indicator Removal: File Deletion
T1497.003– Virtualization/Sandbox Evasion: Time Based Evasion
T1564.003 – Hide Artifacts: Hidden Window

Collection Technique:

T1005 – Data from Local System

Command-and-Control Techniques:

T1071.001 – Application Layer Protocol: Web Protocols
T1105– Ingress Tool Transfer
T1132.001 – Data Encoding: Standard Encoding
T1573.002– Encrypted Channel: Asymmetric Cryptography

Exfiltration Techniques:

T1041– Exfiltration Over C2 Channel

Further Information

Proofpoint Blog

Intelligence Terminology Yardstick