Saint Bear

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 27/03/2026 01:13
Updated at: 27/03/2026 01:13
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 65 attack patterns (mitre), 5 malware, 1 countries, 23 indicators, 4 vulnerabilities (cve), 7 tool

Aliases

UNC2589 Bleeding Bear DEV-0586 Frozenvista Storm-0587 TA471 Lorec53 UAC-0056 Cadet Blizzard Ember Bear

Description

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and information stealer, [OutSteel](https://attack.mitre.org/software/S1017) in campaigns. [Saint Bear](https://attack.mitre.org/groups/G1031) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )(Citation: Cadet Blizzard emerges as novel threat actor) [Saint Bear](https://attack.mitre.org/groups/G1031) has previously been confused with [Ember Bear](https://attack.mitre.org/groups/G1003) operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

Marking (TLP)

External references

Related entities

ngrok uses

The MITRE Corporation Confidence 100

[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public…
Responder uses

The MITRE Corporation Confidence 100

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.…
PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
Impacket uses

The MITRE Corporation Confidence 100

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
BloodHound uses

The MITRE Corporation Confidence 100

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…

Essential information

Aliases

Description

Marking (TLP)

External references

Related entities

Attack patterns (MITRE) (65)

Malware (5)

Countries (1)

Indicators (23)

Vulnerabilities (CVE) (4)

Tool (7)