
Winter Vivern (aka TA473 and UAC-0114), a threat actor strongly aligned with Russia, is once again making headlines for targeting government organizations in Europe.
The group was found exploiting a zero-day vulnerability in Roundcube webmail servers to compromise targeted systems remotely.
The vulnerability, tracked as CVE-2023-5631, is a cross-site scripting (XSS) flaw in Roundcube that can be exploited remotely by sending a specially crafted email message. It affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
In this campaign, the emails were sent from the address team.managment@outlook[.]com with the subject line ‘Get started in your Outlook’. They carried a malicious SVG attachment containing a base64-encoded payload.
Once decoded, the payload leads to the execution of JavaScript code in the victim’s browser. The JavaScript injection worked even on fully patched Roundcube instances.
Winter Vivern has previously exploited known vulnerabilities in Roundcube and Zimbra email servers as part of its infection chain in attacks against European entities. It abused CVE-2020-35730 in Roundcube in a campaign between August and September.
Despite the low sophistication of the group’s toolset, Winter Vivern remains a significant threat to organizations in Europe. Organizations should apply the latest security patches to mitigate the risk of such attacks and use the IoCs below (file hashes, IP address, domain, and sender address) to block the threat at the initial stage.
Indicators of Compromise
- 97ED594EF2B5755F0549C6C5758377C0B87CFAE0
- BF7FCC70F6CE032217D9210EF30314DDD6B8135
- 38.180.76[.]31
- recsecas[.]com
- team.managment@outlook[.]com
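Turning the article's guidance into something a defender can run: the Python script below is an added example, not code from the original article or from any vendor report. It checks a Roundcube version against the affected ranges stated above, matches a raw email against the listed IoCs (refanged from `[.]` to `.` so they can be compared directly), hashes attachments against the listed hash values (copied as printed and assumed to be SHA-1), and flags SVG attachments that carry a base64 blob decoding to script markup, which is the lure shape the article describes. The function names and the constructed sample message, which uses a harmless placeholder instead of any real payload, are assumptions of the example.

```python
"""Defender-side triage helpers for the campaign described above.

Added example, not code from the original article or from any vendor report.
Function names, the sample message and its harmless placeholder content are
all constructed here; the IoCs and version ranges are those stated in the text.
"""
import base64
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Affected branches from the advisory: (major, minor) -> first fixed patch level.
FIXED_PATCH = {(1, 6): 4, (1, 5): 5, (1, 4): 15}

# IoCs from the article, refanged ("[.]" -> ".") so they can be matched directly.
IOC_SENDERS = {"team.managment@outlook.com"}
IOC_SUBJECTS = {"Get started in your Outlook"}
IOC_NETWORK = {"recsecas.com", "38.180.76.31"}
IOC_SHA1 = {  # copied as printed in the article's list; assumed to be SHA-1
    "97ed594ef2b5755f0549c6c5758377c0b87cfae0",
    "bf7fcc70f6ce032217d9210ef30314ddd6b8135",
}

# Markup that should never appear inside an image attachment.
SCRIPT_MARKERS = re.compile(rb"<script\b|javascript:|\bonload\s*=", re.IGNORECASE)


def is_vulnerable_version(version: str) -> bool:
    """True if a Roundcube version string falls in an affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    # Branches the advisory does not list (e.g. 1.3.x) are out of scope here.
    return fixed is not None and patch < fixed


def scan_message(raw: bytes) -> list[str]:
    """Return findings for a raw RFC 822 message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = (msg.get("From") or "").lower()
    if any(s in sender for s in IOC_SENDERS):
        findings.append(f"sender matches IoC: {sender}")
    subject = (msg.get("Subject") or "").strip()
    if subject in IOC_SUBJECTS:
        findings.append(f"subject matches IoC: {subject!r}")
    text = raw.decode("utf-8", errors="replace")
    for ioc in IOC_NETWORK:
        if ioc in text:
            findings.append(f"network IoC present: {ioc}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha1(payload).hexdigest() in IOC_SHA1:
            findings.append(f"attachment {name!r} matches a listed hash")
        is_svg = part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg")
        if not is_svg:
            continue
        # Inline script in an SVG is suspicious on its own ...
        if SCRIPT_MARKERS.search(payload):
            findings.append(f"SVG {name!r} contains script markup")
        # ... and so is a base64 blob inside the SVG that decodes to script
        # markup, which is how the article describes the lure attachment.
        for blob in re.findall(rb"[A-Za-z0-9+/=]{40,}", payload):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            if SCRIPT_MARKERS.search(decoded):
                findings.append(f"SVG {name!r} carries a base64-encoded script")
                break
    return findings


def build_sample_message() -> bytes:
    """Constructed lure-shaped message for the demo; the 'payload' is a no-op."""
    placeholder = b"<script>/* constructed placeholder, does nothing */</script>"
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg">'
           + base64.b64encode(placeholder) + b"</svg>")
    msg = EmailMessage()
    msg["From"] = "team.managment@outlook.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Get started in your Outlook"
    msg.set_content("See the attached image.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="outlook.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for v in ("1.6.3", "1.6.4", "1.4.14"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for finding in scan_message(build_sample_message()):
        print("FINDING:", finding)
```

The base64 check is deliberately generous (any run of 40 or more base64 characters inside the SVG is decoded and inspected), because the decisive signal is script markup in an image attachment, not the exact encoding of one sample; a mail gateway rule built on the same idea should quarantine rather than merely log, since the article notes the injection worked even on patched instances.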