The zero-day exploit deployed by the Winter Vivern APT group only requires that the target views a specially crafted message in a web browser