G1031: Saint Bear
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[1][2] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
Analyst context for executives and security teams
Saint Bear matters as a phishing-led intrusion cluster because ATT&CK describes it as using malicious documents, web-staged files, impersonation of government or related entities, and Windows malware such as OutSteel and Saint Bot. For leaders, the practical issue is not the name of the group; it is whether the organization can prove that email, web download, endpoint execution, scripting, and malware-obfuscation controls work together when a targeted user is persuaded to open a file or click a link.
Executive priority
Prioritize this as a validation case for targeted phishing resilience, endpoint visibility, and incident-response readiness, especially for organizations with exposure to Ukraine, Georgia, government-related communications, or lookalike trusted-entity messaging. The ATT&CK relationships point to a chain where reconnaissance of email addresses, impersonation, staged malware, user execution, scripting, registry changes, obfuscation, sandbox evasion, and possible security-tool impairment can all affect response speed and audit evidence. Executives should ask whether the SOC can reconstruct the full path from email or web delivery to endpoint execution and containment, not just whether a phishing gateway is deployed.
Technical view
ATT&CK provides no group-level detection text and no group-level platforms, but related software and techniques provide a defensible validation scope. SOC and IR teams should test visibility for spearphishing attachments, malicious links, web-staged payloads, Windows execution through PowerShell, cmd, and JavaScript/JScript, registry modification, packed or encoded files, code-signing trust decisions, sandbox-evasion behavior, and tampering with security tooling. Because OutSteel is described as a Windows AutoIT file uploader/document stealer and Saint Bot as a Windows .NET downloader, Windows endpoint telemetry is especially important where those software relationships are in scope.
Likely telemetry
- Email security logs for spearphishing attachments, malicious links, sender impersonation, and government or trusted-entity spoofing patterns
- Web proxy, DNS, and secure web gateway logs for web-staged files and downloads from third-party or adversary-controlled services
- Endpoint process creation telemetry for PowerShell, Windows command shell, JavaScript/JScript execution, and child processes from document or archive handlers
- File telemetry for packed, encrypted, encoded, signed, or unusual document-related payloads
- Windows Registry modification events tied to persistence, execution, or defense impairment
Detection direction
- Do not rely on a single indicator or signature: ATT&CK relationships include packing, encoded files, code signing, and sandbox evasion, all of which can weaken static and automated-analysis-only approaches.
- Correlate email or web delivery with endpoint execution, especially user-opened files, links, script interpreters, registry changes, and follow-on downloader or document-stealer behavior.
- Tune detections for suspicious script execution from office documents, archives, downloaded files, or web-staged content while accounting for legitimate administrative PowerShell and command-shell usage.
- Validate alerting on security-tool degradation or tampering; this is material because ATT&CK links the group to Disable or Modify Tools.
- Use alias-aware threat-intelligence handling: Saint Bear is also listed as Storm-0587, TA471, UAC-0056, and Lorec53, and ATT&CK notes prior confusion with Ember Bear, so cluster naming should not be the sole basis for escalation.
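Added example (not code from the ATT&CK object or from Glexia's tooling) implementing the correlation the telemetry and detection-direction lists above call for, run over constructed Sysmon-like events: it flags script hosts whose process ancestry reaches a document or archive handler, escalates only Windows Defender policy-key writes made by such a process, and leaves a PowerShell session started from explorer.exe unflagged. The event shape, process names and registry path are assumptions for the example.

```python
# Constructed sample endpoint events (not real telemetry) in a simplified Sysmon-like
# shape: process creation ("proc") and registry value set ("reg").
EVENTS = [
    {"type": "proc", "host": "ws01", "pid": 400, "ppid": 300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "proc", "host": "ws01", "pid": 410, "ppid": 400,
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "proc", "host": "ws01", "pid": 420, "ppid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "reg", "host": "ws01", "pid": 420,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    # Admin PowerShell started from the desktop shell: legitimate, must not be flagged.
    {"type": "proc", "host": "ws02", "pid": 500, "ppid": 100,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "host": "ws02", "pid": 510, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
# Document/archive handlers and script hosts named in the detection direction above (assumed list).
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "7zfm.exe", "winrar.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DEFENDER_KEY = r"hklm\software\policies\microsoft\windows defender"

def _name(image):  # image basename, case-folded for comparison
    return image.rsplit("\\", 1)[-1].lower()

def document_to_script_chains(events):
    """(host, pid, [ancestor .. self]) for each script host whose lineage reaches a document handler."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "proc"}
    chains = []
    for e in procs.values():
        if _name(e["image"]) not in SCRIPT_HOSTS:
            continue
        lineage, cur = [_name(e["image"])], procs.get((e["host"], e["ppid"]))
        while cur is not None:  # walk the parent chain on the same host
            lineage.append(_name(cur["image"]))
            if lineage[-1] in DOC_HANDLERS:
                chains.append((e["host"], e["pid"], lineage[::-1]))
                break
            cur = procs.get((cur["host"], cur["ppid"]))
    return chains

def defender_tamper(events):
    """(host, pid) for registry writes under the Windows Defender policy key."""
    return [(e["host"], e["pid"]) for e in events
            if e["type"] == "reg" and e["key"].lower().startswith(DEFENDER_KEY)]

def correlate(events):
    """Escalate only Defender tampering performed by a document-spawned script process."""
    tainted = {(h, pid) for h, pid, _ in document_to_script_chains(events)}
    return [hp for hp in defender_tamper(events) if hp in tainted]
```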
Mitigation priorities
- Harden phishing defenses first: attachment detonation, link analysis, impersonation controls, and user-reporting workflows should be measurable and tested against targeted lures.
- Reduce user-execution risk with controls for document-delivered code, downloaded files, script interpreters, and application control where appropriate.
- Strengthen Windows endpoint prevention and logging for PowerShell, cmd, JavaScript/JScript, registry modification, signed-binary trust decisions, and packed or encoded payload handling.
- Prioritize vulnerability management for client applications that process documents, links, and web content because ATT&CK links the group to Exploitation for Client Execution.
- Protect and monitor security tooling so EDR, AV, logging agents, and related sensors cannot be silently disabled or modified without detection.
Analyst notes and limits
This take is based on the ATT&CK Saint Bear intrusion-set object, its aliases, official description, external references, and listed uses of OutSteel, Saint Bot, and related techniques. The strongest defensive reading is a phishing and web-staging intrusion pattern with Windows malware relationships and multiple evasion and execution behaviors. ATT&CK also states that Saint Bear has been confused with Ember Bear, so analysts should separate behavior-based findings from naming or attribution labels.
ATT&CK provides no official detection section, no group-level platforms, and no tactics directly on the Saint Bear object. Platform and tactic guidance here is derived only from supplied relationships, especially Windows-linked software and techniques. Local telemetry, business geography, exposed user populations, and actual control configuration are required to determine relevance and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.001 | Spearphishing Attachment | Saint Bear uses a variety of file formats, such as Microsoft Office documents, ZIP archives, PDF documents, and other items as phishing attachments for initial access. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | Saint Bear has leveraged vulnerabilities in client applications such as CVE-2017-11882 in Microsoft Office to enable code execution in victim environments. [1] |
| Enterprise | T1059.007 | JavaScript | Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that would, on execution, download and execute OutSteel and Saint Bot. [1] |
| Enterprise | T1589.002 | Email Addresses | Saint Bear gathered victim email information in advance of phishing operations for targeted attacks. [1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Saint Bear contains several anti-analysis and anti-virtualization checks. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Saint Bear initial loaders will also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality. [1] |
| Enterprise | T1553.002 | Code Signing | Saint Bear has used an initial loader malware featuring a legitimate code signing certificate associated with "Electrum Technologies GmbH." [1] |
| Enterprise | T1204.001 | Malicious Link | Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution. [1][2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader. [1] |
| Enterprise | T1685 | Disable or Modify Tools | Saint Bear will modify registry entries and scheduled task objects associated with Windows Defender to disable its functionality. [1] |
| Enterprise | T1684.001 | Impersonation | Saint Bear has impersonated government and related entities in both phishing activity and developing web sites with malicious links that mimic legitimate resources. [2] |
| Enterprise | T1059.001 | PowerShell | Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads. [1] |
| Enterprise | T1204.002 | Malicious File | Saint Bear relies on user interaction and execution of malicious attachments and similar for initial execution on victim systems. [1] |
| Enterprise | T1059 | Command and Scripting Interpreter | Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines. [1] |
| Enterprise | T1583.006 | Web Services | Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations. [1] |
| Enterprise | T1608.001 | Upload Malware | Saint Bear has used the Discord content delivery network for hosting malicious content referenced in links and emails. [1] |
| Enterprise | T1027.002 | Software Packing | Saint Bear clones .NET assemblies from other .NET binaries as well as cloning code signing certificates from other software to obfuscate the initial loader payload. [1] |
| Enterprise | T1112 | Modify Registry | Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality. [1] |
Groups, software, and campaigns
S1017: OutSteel
OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Saint Bear since at least March 2021.[1]
S1018: Saint Bot
Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b54992411aee… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Unit 42 OutSteel SaintBot February 2022. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
[2] Cadet Blizzard emerges as novel threat actor. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
[3] Lorec53 (alias; citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
[4] Storm-0587 (alias; citation: Cadet Blizzard emerges as novel threat actor)
[5] TA471 (alias; citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
[6] UAC-0056 (alias; citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
[7] mitre-attack G1031
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.