Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Saint Bear

🌐Saint Bear

🌐 Saint Bear is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 18 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1031) ↗
14Use cases
0Articles
18Techniques
0IOCs

About this actor (MITRE)

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and information stealer, [OutSteel](https://attack.mitre.org/software/S1017) in campaigns. [Saint Bear](https://attack.mitre.org/groups/G1031) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.(Citation: Palo Alto Unit 42 OutSte

Known aliases

Saint BearStorm-0587TA471UAC-0056Lorec53

Top techniques

T1027.002 · Software PackingT1027.013 · Encrypted/Encoded FileT1059 · Command and Scripting Interpreter

All other tracked techniques

T1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.007 · JavaScriptT1112 · Modify RegistryT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1497 · Virtualization/Sandbox EvasionT1553.002 · Code SigningT1566.001 · Spearphishing AttachmentT1583.006 · Web ServicesT1589.002 · Email AddressesT1608.001 · Upload MalwareT1684.001 · ImpersonationT1685 · Disable or Modify Tools

Detection use cases (14)

Saint Bear (UAC-0056) Saint Bot / OutSteel delivery — Office or browser spawns script interpreter that drops PE to %AppData%/%Temp% AI · profile S Saint Bot Run-key persistence — script interpreter writes %AppData% binary path to HKCU\...\Run AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match