S1018: Saint Bot
Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.[1][2]
Analyst context for executives and security teams
Saint Bot is a Windows .NET downloader documented by ATT&CK and associated through relationships with Saint Bear and Ember Bear. Its business significance is that a downloader is often an early-stage intrusion component: the key risk is not only the first binary, but what it enables next through command-and-control, tool transfer, discovery, persistence, and evasion behaviors.
Executive priority
Prioritize Saint Bot as a validation case for Windows endpoint resilience, phishing-driven incident readiness, and SOC visibility across early intrusion chains. Leaders should ask whether teams can prove coverage for downloader execution, suspicious scheduled tasks, web-based command-and-control, process injection, registry and system discovery, and follow-on file transfer—not just whether a malware name is blocked.
Technical view
ATT&CK lists Saint Bot as Windows malware and maps it to behaviors including registry, user, process, network, system, file, and directory discovery; PowerShell, command shell, Visual Basic, and Native API execution; scheduled task persistence/execution; obfuscation, packing, masquerading, file deletion, and multiple process injection variants; web protocol C2; local data collection; and ingress tool transfer. SOC and IR teams should validate detections around behavior clusters rather than relying on a Saint Bot signature alone, especially because packing, masquerading, process hollowing, DLL injection, APC injection, and file deletion can reduce artifact-based visibility.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell and script execution logs
- Scheduled task creation, modification, and execution events
- Windows Registry query/access telemetry where available
- File creation, deletion, rename, and directory enumeration events
Detection direction
- Correlate downloader-like execution with rapid discovery activity: registry queries, user discovery, process discovery, system information discovery, network configuration discovery, and file/directory enumeration.
- Tune for suspicious scheduled task creation or recurring execution on Windows, especially when linked to unusual parent processes, recently written binaries, or script interpreters.
- Validate visibility for PowerShell, cmd, Visual Basic, and Native API-mediated execution paths; gaps in script block logging, command-line capture, or EDR process lineage will materially reduce coverage.
- Look for evasion patterns: packed or obfuscated files, names or locations approximating legitimate resources, process hollowing, DLL injection, APC injection, and post-execution file deletion.
- Review web-protocol outbound traffic in context of host behavior. HTTP/S alone is noisy; prioritize rare destinations, new processes initiating connections, and connections following suspicious execution or tool transfer.
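The correlation described in the list above, as an added example that is not the page's, Glexia's or ATT&CK's code: a Python pass over constructed Sysmon-style process-creation records (the pipe-delimited field layout, the user-writable path markers and the discovery-tool list are assumptions) that flags a binary living in a user-writable location when it spawns several distinct discovery tools within a few minutes or registers a scheduled task.

```python
"""Correlate a user-writable, downloader-like parent binary with a burst of
discovery tools and with scheduled task creation. Record layout
(timestamp|Image|ParentImage|CommandLine) is an assumed Sysmon-like format."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "ipconfig.exe",
             "reg.exe", "net.exe"}          # discovery tools named in the list above
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Constructed sample telemetry: one downloader-like chain plus one benign admin event.
EVENTS = """\
2021-04-06T10:00:00|C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|updater.exe
2021-04-06T10:00:03|C:\\Windows\\System32\\whoami.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|whoami
2021-04-06T10:00:04|C:\\Windows\\System32\\reg.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
2021-04-06T10:00:06|C:\\Windows\\System32\\tasklist.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|tasklist
2021-04-06T10:00:09|C:\\Windows\\System32\\schtasks.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|schtasks /create /sc minute /mo 5 /tn Update /tr C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe
2021-04-06T11:30:00|C:\\Windows\\System32\\ipconfig.exe|C:\\Windows\\System32\\cmd.exe|ipconfig /all
"""

def parse(line):
    ts, image, parent, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "image": image, "parent": parent, "cmd": cmd}

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def find_staging(lines, window=timedelta(minutes=5), min_discovery=3):
    """One alert per user-writable parent that spawned >= min_discovery distinct
    discovery tools within `window` of its first child, or created a scheduled task."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["parent"]].append(ev)
    alerts = []
    for parent, children in by_parent.items():
        if not in_user_writable(parent):
            continue                      # parents in system locations are out of scope here
        start, seen, sched = children[0]["ts"], set(), False
        for ev in children:
            if ev["ts"] - start > window:
                break                     # children are time-ordered, so the window is closed
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in DISCOVERY:
                seen.add(name)
            if name == "schtasks.exe" and "/create" in ev["cmd"].lower():
                sched = True
        if len(seen) >= min_discovery or sched:
            alerts.append({"parent": parent, "discovery": sorted(seen), "scheduled_task": sched})
    return alerts
```

The benign `ipconfig /all` launched from cmd.exe in a system path produces no alert, while the Temp-resident parent is reported once with both signals attached.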
Mitigation priorities
- Harden Windows endpoint controls first: restrict unnecessary script execution, monitor or control PowerShell and command shell abuse, and ensure endpoint protection can inspect packed or obfuscated binaries.
- Strengthen persistence controls by monitoring and governing scheduled task creation and changes.
- Improve egress governance and logging for web-protocol command-and-control and external file download paths without assuming all HTTP/S traffic is benign.
- Ensure IR playbooks treat a Saint Bot finding as a possible staging event: scope for downloaded tools, discovery output, scheduled tasks, injected processes, deleted artifacts, and outbound communications.
- Use this object to test compliance evidence for endpoint logging, malware prevention, change monitoring, and incident response readiness on Windows systems.
Analyst notes and limits
The ATT&CK object has no official detection text and no malware-level tactics specified, so this take is driven by the official description, Windows platform field, external references, and ATT&CK relationships to techniques and groups. The relationships indicate a broad behavior set consistent with a downloader and follow-on enablement, but each behavior should be validated against local telemetry before drawing incident conclusions.
No official detection guidance, aliases, labels, or explicit malware tactics were supplied. Related technique platform lists include non-Windows platforms because they are generic ATT&CK techniques; Saint Bot itself is only supported here as Windows malware. External reporting is referenced but not expanded beyond the supplied citation metadata.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G1031: Saint Bear
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[1][2] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 883e9e5363a8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Malwarebytes Saint Bot April 2021: Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
[2] Palo Alto Unit 42 OutSteel SaintBot February 2022: Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
[3] mitre-attack S1018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.