Home/ Threat Actors/ Ember Bear

🌐Ember Bear

🌐 Ember Bear is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 47 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1003) ↗

14Use cases

0Articles

47Techniques

0IOCs

About this actor (MITRE)

[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](htt

Known aliases

Ember BearUNC2589Bleeding BearDEV-0586Cadet BlizzardFrozenvistaUAC-0056

Top techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1003.002 · Security Account Manager

All other tracked techniques

T1003.004 · LSA Secrets T1005 · Data from Local System T1018 · Remote System Discovery T1021 · Remote Services T1036 · Masquerading T1036.005 · Match Legitimate Resource Name or Location T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1053.005 · Scheduled Task T1059.001 · PowerShell T1070.004 · File Deletion T1071.004 · DNS T1078.001 · Default Accounts T1090.003 · Multi-hop Proxy T1095 · Non-Application Layer Protocol T1110 · Brute Force T1110.003 · Password Spraying T1112 · Modify Registry T1114 · Email Collection T1119 · Automated Collection T1125 · Video Capture T1133 · External Remote Services T1190 · Exploit Public-Facing Application T1195 · Supply Chain Compromise T1203 · Exploitation for Client Execution T1210 · Exploitation of Remote Services T1491.002 · External Defacement T1505.003 · Web Shell T1550.002 · Pass the Hash T1552.001 · Credentials In Files T1560 · Archive Collected Data T1561.002 · Disk Structure Wipe T1567.002 · Exfiltration to Cloud Storage T1570 · Lateral Tool Transfer T1571 · Non-Standard Port T1572 · Protocol Tunneling T1583 · Acquire Infrastructure T1583.003 · Virtual Private Server T1585 · Establish Accounts T1588.001 · Malware T1588.005 · Exploits T1595.001 · Scanning IP Blocks T1595.002 · Vulnerability Scanning T1654 · Log Enumeration

Detection use cases (14)

Cadet Blizzard / Ember Bear WhisperGate stager — Discord CDN payload pull followed by raw PhysicalDrive write AI · profile S Ember Bear Impacket lateral movement — wmiexec/smbexec/atexec semaphore command line AI · profile SΣ 1Password activity from Tor exit node MITRE match 1Password failed sign-in burst MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match