{ "id": "06522610-940f-4ba9-b86b-6dd1ddd61796", "created_at": "2026-04-06T01:31:32.565627Z", "updated_at": "2026-04-10T03:35:37.648031Z", "deleted_at": null, "sha1_hash": "2310646298de8b50033f2f05e83ff0632de57c73", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43647, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 01:07:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SaintBot\n Tool: SaintBot\nNames\nSaintBot\nSaint Bot\nCategory Malware\nType Downloader\nDescription\n(Palo Alto) The SaintBot tool is a downloader that allows the threat actors to download and\nrun additional tools on the infected system. SaintBot provides the actors persistent access to\nthe system while granting the ability to further their capabilities.\nInformation Malpedia Last change to this tool card: 05 April 2022\nDownload this tool card in JSON format\nAll groups using tool SaintBot\nChanged Name Country Observed\nAPT groups\n SaintBear, Lorec53 2021-Oct 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19bd8252-dd80-4fe5-8fd8-5cfe333e889b\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19bd8252-dd80-4fe5-8fd8-5cfe333e889b\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19bd8252-dd80-4fe5-8fd8-5cfe333e889b" ], "report_names": [ "listgroups.cgi?u=19bd8252-dd80-4fe5-8fd8-5cfe333e889b" ], "threat_actors": [ { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "03a6f362-cbab-4ce9-925d-306b8c937bf1", "created_at": "2024-11-01T02:00:52.635907Z", "updated_at": "2026-04-10T02:00:05.339384Z", "deleted_at": null, "main_name": "Saint Bear", "aliases": [ "Saint Bear", "Storm-0587", "TA471", "UAC-0056", "Lorec53" ], "source_name": "MITRE:Saint Bear", "tools": [ "OutSteel", "Saint Bot" ], "source_id": "MITRE", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439092, "ts_updated_at": 1775792137, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2310646298de8b50033f2f05e83ff0632de57c73.pdf", "text": "https://archive.orkl.eu/2310646298de8b50033f2f05e83ff0632de57c73.txt", "img": "https://archive.orkl.eu/2310646298de8b50033f2f05e83ff0632de57c73.jpg" } }