Description
[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and an information stealer, [OutSteel](https://attack.mitre.org/software/S1017), in its campaigns. [Saint Bear](https://attack.mitre.org/groups/G1031) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)(Citation: Cadet Blizzard emerges as novel threat actor) [Saint Bear](https://attack.mitre.org/groups/G1031) has previously been confused with [Ember Bear](https://attack.mitre.org/groups/G1003) operations, but analysis of behaviors, tools, and targeting indicates that these are distinct clusters.
Techniques Used (TTPs)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1203 — Exploitation for Client Execution (execution)
- T1059.007 — JavaScript (execution)
- T1589.002 — Email Addresses (reconnaissance)
- T1497 — Virtualization/Sandbox Evasion (defense-evasion, discovery)
- T1059.003 — Windows Command Shell (execution)
- T1553.002 — Code Signing (defense-evasion)
- T1204.001 — Malicious Link (execution)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1656 — Impersonation (defense-evasion)
- T1059.001 — PowerShell (execution)
- T1204.002 — Malicious File (execution)
- T1059 — Command and Scripting Interpreter (execution)
- T1583.006 — Web Services (resource-development)
- T1608.001 — Upload Malware (resource-development)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1027.002 — Software Packing (defense-evasion)
- T1112 — Modify Registry (defense-evasion, persistence)
Total TTPs: 18