Saint Bear

Also known as: Saint Bear, Storm-0587, TA471, UAC-0056, Lorec53, UNC2589, Nascent Ursa, Nodaria, FROZENVISTA, DEV-0587, EMBER BEAR, Lorec Bear, Bleeding Bear, Cadet Blizzard, SaintBear

Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities [2][3]. Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

🌍 Country Russia
📅 Activity 2022 — 2022
🧭 ATT&CK G1031


Activities and Tactics

Country of Origin: 🇷🇺 Russia

First Seen: 2022

Last Activity: 2022

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Country of Origin: Russia

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK MITRE ATT&CK entry
[2] Palo Alto Unit 42 OutSteel SaintBot February 2022
[3] Cadet Blizzard emerges as novel threat actor