S1018: Saint Bot
Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.[1][2]
Analyst context for executives and security teams
Saint Bot is a Windows .NET downloader documented by ATT&CK and associated through relationships with Saint Bear and Ember Bear. Its business significance is that a downloader is often an early-stage intrusion component: the key risk is not only the first binary, but what it enables next through command-and-control, tool transfer, discovery, persistence, and evasion behaviors.
Executive priority
Prioritize Saint Bot as a validation case for Windows endpoint resilience, phishing-driven incident readiness, and SOC visibility across early intrusion chains. Leaders should ask whether teams can prove coverage for downloader execution, suspicious scheduled tasks, web-based command-and-control, process injection, registry and system discovery, and follow-on file transfer—not just whether a malware name is blocked.
Technical view
ATT&CK lists Saint Bot as Windows malware and maps it to behaviors including registry, user, process, network, system, file, and directory discovery; PowerShell, command shell, Visual Basic, and Native API execution; scheduled task persistence/execution; obfuscation, packing, masquerading, file deletion, and multiple process injection variants; web protocol C2; local data collection; and ingress tool transfer. SOC and IR teams should validate detections around behavior clusters rather than relying on a Saint Bot signature alone, especially because packing, masquerading, process hollowing, DLL injection, APC injection, and file deletion can reduce artifact-based visibility.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell and script execution logs
- Scheduled task creation, modification, and execution events
- Windows Registry query/access telemetry where available
- File creation, deletion, rename, and directory enumeration events
Detection direction
- Correlate downloader-like execution with rapid discovery activity: registry queries, user discovery, process discovery, system information discovery, network configuration discovery, and file/directory enumeration.
- Tune for suspicious scheduled task creation or recurring execution on Windows, especially when linked to unusual parent processes, recently written binaries, or script interpreters.
- Validate visibility for PowerShell, cmd, Visual Basic, and Native API-mediated execution paths; gaps in script block logging, command-line capture, or EDR process lineage will materially reduce coverage.
- Look for evasion patterns: packed or obfuscated files, names or locations approximating legitimate resources, process hollowing, DLL injection, APC injection, and post-execution file deletion.
- Review web-protocol outbound traffic in context of host behavior. HTTP/S alone is noisy; prioritize rare destinations, new processes initiating connections, and connections following suspicious execution or tool transfer.
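One way to turn the detection direction above into logic that can be tested against endpoint telemetry. This is an added example, not code from the ATT&CK record or the Glexia mirror: it correlates constructed Sysmon-style process-creation events so that downloader-like execution on a host is scored together with the discovery burst, scheduled task, masquerading and injection-target behaviors that follow it. The mapping from command lines to discovery techniques, the 120-second window and the threshold of three categories are assumptions chosen here; the specific indicators (`timeout 20`, `regsvr32` with a script, `InstallUtil.exe` downloads, executables named like media files, the "Maintenance" task, `fodhelper.exe`, `EhStorAuthn.exe`) come from the procedure notes on this page, and the media-extension rule generalises the page's `wallpaper.mp4` / `slideshow.mp4` case to other non-executable extensions.

```python
"""Correlate downloader-like execution with follow-on discovery, persistence and
evasion activity on the same Windows host, per the detection direction above.

Added example, not code from the ATT&CK record or the Glexia mirror. Events are
constructed Sysmon-style process-creation records, and the command-line markers
per discovery technique are an assumption made here; the indicators keyed on
come from the procedure notes on this page.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

ProcEvent = namedtuple("ProcEvent", "ts host parent_image image cmdline")
Alert = namedtuple("Alert", "host rule evidence")

# Assumed command-line markers per discovery technique (tune to local telemetry).
DISCOVERY_MARKERS = {
    "T1033 user": ("whoami",),
    "T1082 system": ("systeminfo",),
    "T1057 process": ("tasklist",),
    "T1016 network": ("ipconfig", "netsh"),
    "T1012 registry": ("reg query",),
    "T1083 files": ("dir ", "where "),
}

def discovery_category(e):
    """Discovery category of a command, or None if it is not a discovery command."""
    cl = e.cmdline.lower()
    return next((cat for cat, ms in DISCOVERY_MARKERS.items() if any(m in cl for m in ms)), None)

def trigger_rules(e):
    """Indicators of downloader-like execution, persistence or evasion in one event."""
    img, parent, cl = e.image.lower(), e.parent_image.lower(), e.cmdline.lower()
    hits = []
    if img.endswith("regsvr32.exe") and re.search(r"https?://|\.(sct|vbs|js)\b", cl):
        hits.append("T1218.010 regsvr32 with script or URL")
    if img.endswith("installutil.exe") and "http" in cl:
        hits.append("T1218.004 InstallUtil download")
    if img.endswith("cmd.exe") and "timeout 20" in cl:
        hits.append("T1497.003 timeout-based delay")
    if re.search(r"\.(mp4|jpg|png|pdf)$", img):  # generalises wallpaper.mp4 / slideshow.mp4
        hits.append("T1036 executable with media/document extension")
    if img.endswith("schtasks.exe") and "/create" in cl and "maintenance" in cl:
        hits.append('T1053.005 scheduled task "Maintenance"')
    if img.endswith("ehstorauthn.exe") and "\\windows\\" not in parent:
        hits.append("T1055 EhStorAuthn.exe spawned by non-Windows parent")
    if parent.endswith("fodhelper.exe") and img.endswith(("cmd.exe", "powershell.exe")):
        hits.append("T1548.002 fodhelper.exe spawning a shell")
    return hits

def correlate(events, window=timedelta(seconds=120), min_categories=3):
    """One alert per trigger hit, plus one burst alert per host when at least
    min_categories distinct discovery categories follow a trigger within window."""
    events = sorted(events, key=lambda e: e.ts)
    alerts, burst_hosts = [], set()
    for i, e in enumerate(events):
        hits = trigger_rules(e)
        alerts.extend(Alert(e.host, h, e.cmdline) for h in hits)
        if not hits or e.host in burst_hosts:
            continue
        seen = set()
        for f in events[i + 1:]:
            if f.ts - e.ts > window:
                break
            if f.host == e.host and discovery_category(f):
                seen.add(discovery_category(f))
        if len(seen) >= min_categories:
            burst_hosts.add(e.host)
            alerts.append(Alert(e.host, "downloader execution followed by discovery burst",
                                ", ".join(sorted(seen))))
    return alerts

# Constructed sample telemetry: WS01 mirrors the chain described in the procedure
# notes (timeout, media-named binary, discovery burst, task, EhStorAuthn.exe);
# WS02 is ordinary administrator use and must stay quiet.
T0 = datetime(2024, 1, 15, 9, 30, 0)
TMP = r"C:\Users\alice\AppData\Local\Temp\wallpaper.mp4"
SYS = r"C:\Windows\System32"

def _ev(offset_s, host, parent, image, cmdline):
    return ProcEvent(T0 + timedelta(seconds=offset_s), host, parent, image, cmdline)

SAMPLE_EVENTS = [
    _ev(0, "WS01", r"C:\Program Files\Microsoft Office\WINWORD.EXE", SYS + r"\cmd.exe",
        "cmd.exe /c timeout 20 & start wallpaper.mp4"),
    _ev(21, "WS01", SYS + r"\cmd.exe", TMP, "wallpaper.mp4"),
    _ev(25, "WS01", TMP, SYS + r"\whoami.exe", "whoami"),
    _ev(26, "WS01", TMP, SYS + r"\systeminfo.exe", "systeminfo"),
    _ev(27, "WS01", TMP, SYS + r"\tasklist.exe", "tasklist /v"),
    _ev(28, "WS01", TMP, SYS + r"\ipconfig.exe", "ipconfig /all"),
    _ev(29, "WS01", TMP, SYS + r"\reg.exe", r"reg query HKCU\Software"),
    _ev(40, "WS01", TMP, SYS + r"\schtasks.exe",
        'schtasks /create /tn Maintenance /tr "%s" /sc minute /mo 5' % TMP),
    _ev(45, "WS01", TMP, SYS + r"\EhStorAuthn.exe", "EhStorAuthn.exe"),
    _ev(0, "WS02", r"C:\Windows\explorer.exe", SYS + r"\cmd.exe", r"cmd.exe /c dir C:\logs"),
    _ev(5, "WS02", SYS + r"\cmd.exe", SYS + r"\systeminfo.exe", "systeminfo"),
]

def run_demo():
    """Alerts produced for the constructed sample; all of them should be on WS01."""
    return correlate(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host}: {a.rule} <- {a.evidence}")
```

The design point is the one the text makes: a single `systeminfo` or `dir` on WS02 never alerts, while the same commands on WS01 become evidence because they follow a trigger on that host within the window. In production the markers and the window would be replaced by the organisation's own process-lineage and command-line fields, and the burst rule would be tuned against baseline administrator activity before it is allowed to page anyone.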
Mitigation priorities
- Harden Windows endpoint controls first: restrict unnecessary script execution, monitor or control PowerShell and command shell abuse, and ensure endpoint protection can inspect packed or obfuscated binaries.
- Strengthen persistence controls by monitoring and governing scheduled task creation and changes.
- Improve egress governance and logging for web-protocol command-and-control and external file download paths without assuming all HTTP/S traffic is benign.
- Ensure IR playbooks treat a Saint Bot finding as a possible staging event: scope for downloaded tools, discovery output, scheduled tasks, injected processes, deleted artifacts, and outbound communications.
- Use this object to test compliance evidence for endpoint logging, malware prevention, change monitoring, and incident response readiness on Windows systems.
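A concrete form of the scheduled-task governance item above: auditing exported task definitions for the traits this page associates with downloader persistence. This is an added example, not code from the ATT&CK record or the Glexia mirror. It parses task XML in the schema Windows emits for `schtasks /query /xml`, and flags an action that runs from a user-writable location, an action whose extension is not an executable type (the page's `wallpaper.mp4` case), a short repetition interval, and an elevated run level. The constructed definitions, the list of user-writable roots and the set of executable extensions are assumptions chosen for the example.

```python
"""Audit exported Task Scheduler definitions for traits this page associates with
downloader persistence: an action in a user-writable location, an action whose
extension is not executable, a short repetition interval, elevated run level.

Added example, not code from the ATT&CK record or the Glexia mirror. The task
XML is constructed in the Task Scheduler schema; USER_WRITABLE and EXEC_EXTS are
assumptions chosen here and should be tuned to the local build standard.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")  # assumed
EXEC_EXTS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi")  # assumed

def interval_seconds(iso):
    """Parse the PTnHnMnS durations used in Repetition/Interval; None if unparseable."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s

def audit_task_xml(xml_text, max_interval=900):
    """Return a list of findings for one task definition (empty means nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(tok in path for tok in USER_WRITABLE):
            findings.append(f"action in user-writable location: {path}")
        if not path.endswith(EXEC_EXTS):
            findings.append(f"non-executable extension on action: {path}")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text)
        if secs is not None and secs <= max_interval:
            findings.append(f"high-frequency repetition: every {secs}s")
    for rl in root.iterfind(".//t:Principals/t:Principal/t:RunLevel", NS):
        if (rl.text or "").strip() == "HighestAvailable":
            findings.append("runs with highest available privileges")
    return findings

def _task_xml(command, interval=None, run_level="LeastPrivilege"):
    """Minimal task definition in the Task Scheduler schema (constructed sample)."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><StartBoundary>2024-01-15T09:30:00</StartBoundary>{rep}"
        "</TimeTrigger></Triggers>"
        f'<Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions></Task>'
    )

# Constructed definitions: one shaped like the "Maintenance" task in the procedure
# notes, one ordinary vendor updater that should produce no findings.
SAMPLE_TASKS = {
    "Maintenance": _task_xml(r"C:\Users\alice\AppData\Local\Temp\wallpaper.mp4", interval="PT5M"),
    "VendorUpdateCheck": _task_xml(r"C:\Program Files\Vendor\updater.exe", interval="PT24H"),
}

def run_demo():
    """Findings per task name for the constructed sample."""
    return {name: audit_task_xml(xml) for name, xml in SAMPLE_TASKS.items()}

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "no findings")
```

Run against a nightly export of every task on a host, and diff the findings against the previous export: a new task whose action lives under a user profile and fires every few minutes is exactly the change-monitoring signal the mitigation item asks for, and it survives the file deletion and renaming this page lists because the task definition itself is what gets inspected.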
Analyst notes and limits
The ATT&CK object has no official detection text and no malware-level tactics specified, so this take is driven by the official description, Windows platform field, external references, and ATT&CK relationships to techniques and groups. The relationships indicate a broad behavior set consistent with a downloader and follow-on enablement, but each behavior should be validated against local telemetry before drawing incident conclusions.
No official detection guidance, aliases, labels, or explicit malware tactics were supplied. Related technique platform lists include non-Windows platforms because they are generic ATT&CK techniques; Saint Bot itself is only supported here as Windows malware. External reporting is referenced but not expanded beyond the supplied citation metadata.
Saint Bot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Saint Bot has used `regsvr32` to execute scripts.[1][2] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Saint Bot has injected its DLL component into `EhStorAuthn.exe`.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Saint Bot can collect the IP address of a victim machine.[1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Saint Bot has attempted to bypass UAC using `fodhelper.exe` to escalate privileges.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Saint Bot has been obfuscated to help avoid detection.[2] |
| Enterprise | T1036 | Masquerading | Saint Bot has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Saint Bot can download additional files onto a compromised host.[2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Saint Bot has used HTTP for C2 communications.[1] |
| Enterprise | T1082 | System Information Discovery | Saint Bot can identify the OS version, CPU, and other details from a victim's machine.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Saint Bot has used `cmd.exe` and `.bat` scripts for execution.[2] |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | Saint Bot has used the command `timeout 20` to pause the execution of its initial loader.[2] |
| Enterprise | T1012 | Query Registry | Saint Bot has used `check_registry_keys` as part of its environmental checks.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Saint Bot has created a scheduled task named "Maintenance" to establish persistence.[1] |
| Enterprise | T1106 | Native API | Saint Bot has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`.[1][2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Saint Bot has relied on users to execute a malicious attachment delivered via spearphishing.[1][2] |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | Saint Bot has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`.[1] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Saint Bot has been distributed through malicious links contained within spearphishing emails.[2] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Saint Bot has been packed using a dark market crypter.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Saint Bot has used `.vbs` scripts for execution.[2] |
| Enterprise | T1497.001 | System Checks Sub-technique | Saint Bot has run several virtual machine and sandbox checks, including checking if `Sbiedll.dll` is present in a list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers.[2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Saint Bot has used PowerShell for execution.[2] |
| Enterprise | T1622 | Debugger Evasion | Saint Bot has used `is_debugger_present` as part of its environmental checks.[1] |
| Enterprise | T1614 | System Location Discovery | Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Saint Bot has established persistence by being copied to the Startup directory or through the `\Software\Microsoft\Windows\CurrentVersion\Run` registry key.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Saint Bot can deobfuscate strings and files for execution.[1] |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | |
| Enterprise | T1057 | Process Discovery | Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`.[2] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Saint Bot has been distributed as malicious attachments within spearphishing emails.[1][2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[1] |
| Enterprise | T1083 | File and Directory Discovery | Saint Bot can search a compromised host for specific files.[2] |
| Enterprise | T1574 | Hijack Execution Flow | Saint Bot will use the malicious file |
| Enterprise | T1033 | System Owner/User Discovery | Saint Bot can collect the username from a compromised host.[1] |
| Enterprise | T1218.004 | InstallUtil Sub-technique | Saint Bot has used `InstallUtil.exe` to download and deploy executables.[1] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Saint Bot has relied on users to click on a malicious link delivered via spearphishing.[2] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Saint Bot has used Base64 to encode its C2 communications.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1005 | Data from Local System | Saint Bot can collect files and information from a compromised host.[1] |
Groups, software, and campaigns
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G1031: Saint Bear
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[1][2] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 883e9e5363a8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Malwarebytes Saint Bot April 2021: Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
[2] Palo Alto Unit 42 OutSteel SaintBot February 2022: Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
[3] mitre-attack S1018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.