SaintBear, Lorec53 - Threat Group Cards: A Threat Actor Encyclopedia

Archived: 2026-04-05 14:16:16 UTC

APT group: SaintBear, Lorec53

Names:
  SaintBear (ThreatBook)
  Ember Bear (CrowdStrike)
  TA471 (Proofpoint)
  UNC2589 (FireEye)
  Lorec53 (NSFOCUS)
  UAC-0056 (CERT-UA)
  Nodaria (Symantec)
  FROZENVISTA (Google)
  Storm-0587 (Microsoft)
  Nascent Ursa (Palo Alto)
  G1003 (MITRE)

Country: Russia

Motivation: Information theft and espionage

First seen: 2021

Description:
(NSFOCUS) In July 2021, several phishing documents created in Georgian were discovered by NSFOCUS Security Labs. In these phishing documents, the attackers used current political hotspots in Georgia to create bait and deliver a secret stealing Trojan to specifically targeted victims aiming to steal various documents from their computers. Correlation analysis shows that this phishing campaign and an earlier phishing attack against the Ukrainian government came from the same unknown threat entity, most likely composed of Russian hackers. From April to July of 2021, the group launched several phishing attacks applying a large number of network resources located in Russia. In order to facilitate ongoing tracking, NSFOCUS Security Labs has tentatively dubbed the hacker group Lorec53 by extracting special names from related Trojans.

Observed:
  Sectors: Energy, Financial, Government, Media, Transportation.
  Countries: Georgia, Ukraine, USA.

Tools used: Cobalt Strike, Graphiron, GraphSteel, GrimPlant, OutSteel, SaintBot.

Operations performed:
  Feb 2022: Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
  Mar 2022: Ukraine’s CERT Warns Threat Actors For Fake AV Updates
  Mar 2022: Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
  Oct 2022: Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine

Information: MITRE ATT&CK, Playbook

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8f37f59a-226c-4059-9222-c5ad769f31ef