Saint Bear
Also known as: Storm-0587 · TA471 · UAC-0056 · Lorec53
Overview
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. For initial access, Saint Bear typically relies on phishing or on web-staged malicious documents and related file types, spoofing government or related entities. Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates that these are distinct clusters.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
TTPs — 18 techniques across 6 tactics
Reconnaissance
- T1589.002 Email Addresses

Resource Development
- T1583.006 Web Services
- T1608.001 Upload Malware

Initial Access
- T1566.001 Spearphishing Attachment

Execution
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File

Stealth
- T1027.002 Software Packing
- T1027.013 Encrypted/Encoded File
- T1497 Virtualization/Sandbox Evasion
- T1684.001 Impersonation

Defense Impairment
- T1112 Modify Registry
- T1553.002 Code Signing
- T1685 Disable or Modify Tools
Tools & malware (2)
OutSteel · Saint Bot