For almost a year, ESET Research has been tracking the cyberespionage activities of Winter Vivern. As part of that routine monitoring, we found that on October 11th, 2023, the group began exploiting a zero-day cross-site scripting (XSS) vulnerability in Roundcube Webmail. Because the flaw was a zero-day, exploitation preceded any vendor fix, so affected servers had no patch to apply at the time. Our analysis shows that this vulnerability is distinct from CVE-2020-35730, an earlier Roundcube XSS flaw that the group has also exploited. An XSS bug in a webmail client runs attacker-controlled JavaScript in the victim's authenticated session, which is what makes such flaws attractive for mailbox theft.
The cyberespionage group Winter Vivern was first publicly documented by DomainTools in 2021. It is believed to have been targeting governments in Europe and Central Asia since at least 2020. The group compromises its targets with phishing websites and malicious documents. According to ESET telemetry, this campaign targeted Roundcube Webmail servers belonging to European governmental entities and think tanks.