{ "id": "656b2908-3db0-45bb-983c-3e166e7f5adf", "created_at": "2026-04-06T00:19:58.811191Z", "updated_at": "2026-04-10T03:35:37.65871Z", "deleted_at": null, "sha1_hash": "a4ae887f9352b2d920a4a34c4809fd2a87862d9d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45477, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:20:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool OutSteel\n Tool: OutSteel\nNames OutSteel\nCategory Malware\nType Info stealer\nDescription\n(Palo Alto) The OutSteel tool is a simple document stealer. It searches for potentially\nsensitive documents based on their file type and uploads the files to a remote server. The\nuse of OutSteel may suggest that this threat group’s primary goals involve data\ncollection on government organizations and companies involved with critical\ninfrastructure.\nInformation MITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool OutSteel\nChanged Name Country Observed\nAPT groups\n SaintBear, Lorec53 2021-Oct 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c98f4341-0969-4dfb-a5b4-a37fe00c82f5\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c98f4341-0969-4dfb-a5b4-a37fe00c82f5\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c98f4341-0969-4dfb-a5b4-a37fe00c82f5" ], "report_names": [ "listgroups.cgi?u=c98f4341-0969-4dfb-a5b4-a37fe00c82f5" ], "threat_actors": [ { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "03a6f362-cbab-4ce9-925d-306b8c937bf1", "created_at": "2024-11-01T02:00:52.635907Z", "updated_at": "2026-04-10T02:00:05.339384Z", "deleted_at": null, "main_name": "Saint Bear", "aliases": [ "Saint Bear", "Storm-0587", "TA471", "UAC-0056", "Lorec53" ], "source_name": "MITRE:Saint Bear", "tools": [ "OutSteel", "Saint Bot" ], "source_id": "MITRE", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434798, "ts_updated_at": 1775792137, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a4ae887f9352b2d920a4a34c4809fd2a87862d9d.pdf", "text": "https://archive.orkl.eu/a4ae887f9352b2d920a4a34c4809fd2a87862d9d.txt", "img": "https://archive.orkl.eu/a4ae887f9352b2d920a4a34c4809fd2a87862d9d.jpg" } }