Saint Bear
Aliases: Storm-0587, TA471, UAC-0056, Lorec53
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. For initial access, Saint Bear typically relies on phishing or on web staging of malicious documents and related file types, spoofing government or related entities. Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
ATT&CK techniques
T1566.001 - Spearphishing Attachment
T1203 - Exploitation for Client Execution
T1059.007 - JavaScript
T1589.002 - Email Addresses
T1497 - Virtualization/Sandbox Evasion
T1059.003 - Windows Command Shell
T1553.002 - Code Signing
T1204.001 - Malicious Link
T1027.013 - Encrypted/Encoded File
T1656 - Impersonation
T1059.001 - PowerShell
T1204.002 - Malicious File
T1059 - Command and Scripting Interpreter
T1583.006 - Web Services
T1608.001 - Upload Malware
T1562.001 - Disable or Modify Tools
T1027.002 - Software Packing
T1112 - Modify Registry