Saint Bot has attempted to bypass UAC usingfodhelper.exe to escalate privileges.^[2]

Saint Bot has used HTTP for C2 communications.^[1]

Saint Bot has established persistence by being copied to the Startup directory or through the\Software\Microsoft\Windows\CurrentVersion\Run registry key.^[1][2]

Saint Bot has used PowerShell for execution.^[2]

Saint Bot has usedcmd.exe and.bat scripts for execution.^[2]

Saint Bot has used.vbs scripts for execution.^[2]

Saint Bot has used Base64 to encode its C2 communications.^[1]

Saint Bot can collect files and information from a compromised host.^[1]

Saint Bot has usedis_debugger_present as part of its environmental checks.^[1]

Saint Bot can deobfuscate strings and files for execution.^[1]

Saint Bot can search a compromised host for specific files.^[2]

Saint Bot will use the malicious fileslideshow.mp4 if present to load the core API provided byntdll.dll to avoid any hooks placed on calls to the originalntdll.dll file by endpoint detection and response or antimalware software.^[2]

Saint Bot can run a batch script nameddel.bat to remove anySaint Bot payload-linked files from a compromise system if anti-analysis or locale checks fail.^[2]

Saint Bot can download additional files onto a compromised host.^[2]

Saint Bot has renamed malicious binaries aswallpaper.mp4 andslideshow.mp4 to avoid detection.^[1][2]

Saint Bot has been disguised as a legitimate executable, including as Windows SDK.^[1]

Saint Bot has used different API calls, includingGetProcAddress,VirtualAllocEx,WriteProcessMemory,CreateProcessA, andSetThreadContext.^[1][2]

Saint Bot has been obfuscated to help avoid detection.^[2]

Saint Bot has been packed using a dark market crypter.^[1]

Saint Bot has been distributed as malicious attachments within spearphishing emails.^[1][2]

Saint Bot has been distributed through malicious links contained within spearphishing emails.^[2]

Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process namedfrgui.exe.^[2]

Saint Bot has injected its DLL component intoEhStorAurhn.exe.^[1]

Saint Bot has written its payload into a newly-createdEhStorAuthn.exe process usingZwWriteVirtualMemory and executed it usingNtQueueApcThread andZwAlertResumeThread.^[1]

TheSaint Bot loader has used API calls to spawnMSBuild.exe in a suspended state before injecting the decryptedSaint Bot binary into it.^[2]

Saint Bot has usedcheck_registry_keys as part of its environmental checks.^[1]

Saint Bot has created a scheduled task named "Maintenance" to establish persistence.^[1]

Saint Bot had usedInstallUtil.exe to download and deploy executables.^[1]

Saint Bot has usedregsvr32 to execute scripts.^[1][2]

Saint Bot can identify the OS version, CPU, and other details from a victim's machine.^[1]

Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.^[1][2]

Saint Bot can collect the IP address of a victim machine.^[1]

Saint Bot can collect the username from a compromised host.^[1]

Saint Bot has relied on users to click on a malicious link delivered via a spearphishing.^[2]

Saint Bot has relied on users to execute a malicious attachment delivered via spearphishing.^[1][2]

Saint Bot has run several virtual machine and sandbox checks, including checking ifSbiedll.dll is present in a list of loaded modules, comparing the machine name toHAL9TH and the user name toJohnDoe, and checking the BIOS version for known virtual machine identifiers.^[2]

Saint Bot has used the commandtimeout 20 to pause the execution of its initial loader.^[2]

Ember Bear has usedSaint Bot during operations, but is distinct from the threat actorSaint Bear.^[3]

Saint Bot is closely correlated withSaint Bear operations as a common post-exploitation toolset.^[2]