The SaintBear threat group is targeting Ukrainian organizations using macro-embedded documents in its latest campaign. It is delivering a number of payloads that contain the term Elephant.

About the operation

According to Malwarebytes, the threat group targeted various entities in Ukraine, including a private TV channel, ICTV.
  • The recent campaign uses spear-phishing emails laden with macro-embedded Excel documents.
  • The phishing emails are being propagated from at least March 23 to March 28, with the subject ‘wage arrears’ and the body with a similar message.

Elephant in the room

When the macros get executed, various payloads are downloaded from the attacker's server.
  • For initial executable deployment, an Elephant dropper (base-update[.]exe) is used. It is a simple dropper written in the Go programming language and additionally signed with a stolen Microsoft certificate.
  • The dropper then executes Elephant Downloader (java-sdk.exe), which is also written in Go. The payload maintains persistence and deploys the next two stages.
  • Another important payload is Elephant Implant (aka GrimPlant backdoor). It communicates with the C2 on port 80 and gets an encrypted C2 address from the parent process.
  • The last payload tracked as the GraphSteel backdoor is named Elephant Client. This final payload is a data stealer that collects data and then exfiltrates it into the server of attackers.


SaintBear has been actively performing cyberespionage campaigns aimed at Ukraine since 2021 and seems to be updating its arsenal at regular intervals. For better protection, organizations are recommended to use email gateways, reliable anti-malware, and a firewall. Further, provide proper training to employees to identify phishing emails.

Cyware Publisher