6 malware familiesExploits CVEs in the wild

SaintBear

Also known asSaintBear

SaintBear is referenced in the provided content only as an alias/name appearing in a Google "Fog of war: how the Ukraine conflict transformed the cyber threat landscape" context alongside APT28, Ghostwriter, Sandworm, and Turla. No additional high-confidence details about SaintBear’s targets, tactics, techniques, malware, attribution, nation-state affiliation, or sub-groups are directly provided in the content. Known alias in the content: saintbear.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇺🇦 Ukraine

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Cobalt StrikeOnce the user opens the link two files are downloaded, one is Cobalt Strike Beacon...1Mar 18, 2026

ElephantA recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses.1Mar 18, 2026

GraphSteelThey named the two components GraphSteel and GrimPlant... Client Component (GraphSteel) The “client” component is a credential and file stealer.1Mar 18, 2026

GrimPlant“oracle-java.exe” (GrimPlant backdoor)... Implant Component (GrimPlant) GrimPlant is a backdoor that allows the operator to execute arbitrary PowerShell scripts on the infected machine.1Mar 18, 2026

OutSteel"The OutSteel tool is a simple document stealer. It searches for potentially sensitive documents based on their file type and uploads the files to a remote server."1Mar 18, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2017-11882Microsoft Office Equation Editor Remote Code ExecutionIn the wildEvidence1

"Even the Word documents attached to emails have used a variety of techniques, including malicious macros, embedded JavaScript and the exploitation of CVE-2017-11882 to install payloads onto the system." Also: "!!! COVID-21.doc ... Delivery document exploits CVE-2017-11882 to download www.baiden00[.]ru/win21st.txt"

IOCS

Observables

238 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

238 IOCsView more in app

hash.sha256

134 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+126

Domains

65 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+57

uri

15 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+7

hash.md5

12 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+4

ip.v4

11 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+3

hash.sha1

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

malpediaNews

May 14, 2026

Turla (Threat Actor)

Named threat actor referenced in reporting on the Ukraine conflict.

malpediaNews

Feb 1, 2026

APT28 (Threat Actor)

Referenced as part of the Ukraine-conflict-era threat landscape; no further details provided in this content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables238

Domains, IPs, and hashes tied to this actor, refreshed continuously.