Threat Actor Profile
Description
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, Saint Bot, and an information stealer, OutSteel, used in campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) (Citation: Cadet Blizzard emerges as novel threat actor) Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (18)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'aliases': ['Saint Bear', 'Storm-0587', 'TA471', 'UAC-0056', 'Lorec53'],
'created': '2024-05-25T16:11:54.881Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Saint Bear](https://attack.mitre.org/groups/G1031) is a '
'Russian-nexus threat actor active since early 2021, primarily '
'targeting entities in Ukraine and Georgia. The group is '
'notable for a specific remote access tool, [Saint '
'Bot](https://attack.mitre.org/software/S1018), and '
'information stealer, '
'[OutSteel](https://attack.mitre.org/software/S1017) in '
'campaigns. [Saint '
'Bear](https://attack.mitre.org/groups/G1031) typically relies '
'on phishing or web staging of malicious documents and related '
'file types for initial access, spoofing government or related '
'entities.(Citation: Palo Alto Unit 42 OutSteel SaintBot '
'February 2022 )(Citation: Cadet Blizzard emerges as novel '
'threat actor) [Saint '
'Bear](https://attack.mitre.org/groups/G1031) has previously '
'been confused with [Ember '
'Bear](https://attack.mitre.org/groups/G1003) operations, but '
'analysis of behaviors, tools, and targeting indicates these '
'are distinct clusters.',
'external_references': [{'external_id': 'G1031',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1031'},
{'description': '(Citation: Cadet Blizzard emerges as '
'novel threat actor)',
'source_name': 'Storm-0587'},
{'description': '(Citation: Palo Alto Unit 42 '
'OutSteel SaintBot February 2022 )',
'source_name': 'TA471'},
{'description': '(Citation: Palo Alto Unit 42 '
'OutSteel SaintBot February 2022 )',
'source_name': 'UAC-0056'},
{'description': '(Citation: Palo Alto Unit 42 '
'OutSteel SaintBot February 2022 )',
'source_name': 'Lorec53'},
{'description': 'Microsoft Threat Intelligence. '
'(2023, June 14). Cadet Blizzard '
'emerges as a novel and distinct '
'Russian threat actor. Retrieved July '
'10, 2023.',
'source_name': 'Cadet Blizzard emerges as novel '
'threat actor',
'url': 'https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/'},
{'description': 'Unit 42. (2022, February 25). Spear '
'Phishing Attacks Target '
'Organizations in Ukraine, Payloads '
'Include the Document Stealer '
'OutSteel and the Downloader '
'SaintBot. Retrieved June 9, 2022.',
'source_name': 'Palo Alto Unit 42 OutSteel SaintBot '
'February 2022 ',
'url': 'https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/'}],
'id': 'intrusion-set--674582ec-51c4-42ce-b409-797239e37a2a',
'modified': '2024-08-12T17:32:47.430Z',
'name': 'Saint Bear',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.0'}