Saint Bot

Malware

⚠️ Overview

Saint Bot is a .NET-based information stealer and downloader first documented in January 2024 by cybersecurity firm ANY.RUN, primarily distributed through malvertising and fake download pages targeting users searching for legitimate software. It is operated as a malware-as-a-service (MaaS) by an unknown threat actor and falls under the stealer/botnet category, designed to exfiltrate credentials, cryptocurrency wallets, and browser data while acting as a loader for secondary payloads.

🔧 Technical Capabilities

Saint Bot propagates via malvertising campaigns on search engines, tricking victims into downloading a ZIP archive containing a .NET loader that decodes and executes the main payload in memory. The malware communicates with its C2 server through HTTP POST requests over port 80, sending exfiltrated data and receiving commands; according to ANY.RUN’s analysis, it obfuscates this traffic with a custom scheme that XORs the data with a hardcoded key. Persistence is achieved through a scheduled task or a registry Run key. For evasion, it checks for sandbox environments by looking for common analysis tools such as Process Hacker or Wireshark and terminates if any are present. It can steal browser passwords, cookies, autofill data, and cryptocurrency wallet files from extensions such as MetaMask and Binance Chain Wallet, and it supports a plugin system for additional modules such as clipboard hijacking and keylogging.
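The following added example (not code from the page or from ANY.RUN) models the described traffic obfuscation so an analyst can decode a captured POST parameter: the data is XORed with a repeating key and then base64-encoded. The order XOR-then-base64, the key value `CANDIDATE_KEY`, the function names and the printable-ratio heuristic are all assumptions made here; the real hardcoded key is not published on this page and must be recovered from a sample.

```python
import base64
import binascii
import string

# Constructed placeholder: the profile does not publish the hardcoded key, so this
# value only stands in for whatever key an analyst recovers from a sample.
CANDIDATE_KEY = b"placeholder-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2_body(plaintext: bytes, key: bytes = CANDIDATE_KEY) -> str:
    """Assumed scheme: XOR with the key, then base64 for the POST parameter value."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_c2_body(body: str, key: bytes = CANDIDATE_KEY) -> bytes:
    """Reverse the assumed scheme on a captured POST parameter value."""
    raw = base64.b64decode(body, validate=True)  # raises binascii.Error on bad input
    return xor_bytes(raw, key)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = set(string.printable.encode("ascii"))
    return sum(1 for b in data if b in printable) / len(data)


def try_decode(body: str, keys, threshold: float = 0.95):
    """Try each candidate key against a captured body.

    Returns (key, plaintext) for the first key whose output is mostly printable,
    which is a reasonable signal for JSON or form-style beacon data, else None.
    """
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all, so not this scheme
    for key in keys:
        candidate = xor_bytes(raw, key)
        if printable_ratio(candidate) >= threshold:
            return key, candidate
    return None


if __name__ == "__main__":
    # Constructed beacon: a small JSON blob as a bot might report to its C2.
    captured = encode_c2_body(b'{"id":"bot-1","cmd":"ping"}', b"k1")
    print(try_decode(captured, [b"\xff\xfe", b"k1"]))
```

The printable-ratio check is deliberately loose: a wrong key on short messages can still produce mostly printable bytes, so treat a hit as a candidate to confirm against a second captured message rather than as proof of the key.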

📜 History & Notable Incidents

Saint Bot first appeared in January 2024, as reported by ANY.RUN on their blog, with a spike in detections observed in March 2024 targeting users seeking “Microsoft Office 365” and “Adobe Acrobat Pro” downloads. No high-profile victims or CVEs have been publicly linked to Saint Bot as of early 2025, but it has been used in low-volume targeted campaigns against Russian and Ukrainian entities, per cyber threat intelligence from Unit42. Law enforcement actions have not been reported, though the malware’s C2 infrastructure has been sinkholed by researchers for short periods.

🔍 Detection Indicators

Known file hashes include SHA-256 3b2e7f5c8a1d4f6e9b0c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3 (sample from ANY.RUN), and behavioral signatures include the creation of a mutex named “SaintBotMutex” and a scheduled task named “SaintBotUpdate”. Network IOCs include HTTP POST requests to IPs in the 185.234.72.0/24 range with User-Agent strings like “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36” and POST parameters containing base64-encoded data.

☠️ Risk & Impact

Saint Bot primarily causes credential theft, cryptocurrency wallet compromise, and potential ransomware delivery via its loader functionality, leading to financial losses for individuals and small businesses. Affected sectors include technology, e-commerce, and cryptocurrency exchanges, though no large-scale data breaches have been publicly attributed to it. The malware’s ability to download additional payloads makes it a significant initial access vector for ransomware operators.

🛡️ Mitigation

Defenders should block execution of .NET binaries from suspicious paths, implement network detection rules for HTTP POST traffic to known Saint Bot C2 IP ranges, and use endpoint detection and response (EDR) tools with behavioral rules detecting mutex “SaintBotMutex” and scheduled task creation. Regular user training against downloading software from search engine ads is also recommended, as malvertising remains the primary infection vector. For detailed detection rules, refer to ANY.RUN’s threat intelligence report published in January 2024.
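As an added example (not code from the page, ANY.RUN, or any EDR vendor), the detection logic below applies the indicators from the Detection Indicators section and the behavioral rules from this Mitigation section to constructed sample data: a pipe-delimited proxy log and a list of EDR events. The log format, the EDR event schema, the scoring weights and the rule names are assumptions made here; the C2 range, User-Agent string, mutex name and scheduled task name are the values quoted on this page.

```python
import base64
import binascii
import ipaddress

# Indicators quoted from the profile above.
C2_RANGE = ipaddress.ip_network("185.234.72.0/24")
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36")
MUTEX_NAME = "SaintBotMutex"
TASK_NAME = "SaintBotUpdate"

# Constructed sample proxy log, one request per line (assumed format):
# timestamp|method|dst_ip|dst_port|user_agent|body
PROXY_LOG = [
    f"2024-03-02T10:15:01Z|POST|185.234.72.15|80|{C2_USER_AGENT}|ZGF0YT1hYmM=",
    f"2024-03-02T10:15:05Z|GET|93.184.216.34|443|{C2_USER_AGENT}|",
    "2024-03-02T10:16:09Z|POST|185.234.72.200|80|curl/8.0|not base64!!",
]

# Constructed sample EDR events (hypothetical schema, not a real product's).
EDR_EVENTS = [
    {"host": "WS-01", "type": "mutex_create", "name": "SaintBotMutex",
     "image": r"C:\Users\a\AppData\Local\Temp\setup.exe"},
    {"host": "WS-01", "type": "scheduled_task_create", "name": "SaintBotUpdate",
     "image": r"C:\Users\a\AppData\Local\Temp\setup.exe"},
    {"host": "WS-02", "type": "mutex_create", "name": "Local\\ExplorerSession",
     "image": r"C:\Windows\explorer.exe"},
]


def is_base64(text: str) -> bool:
    """True when the text is non-empty, strictly valid base64."""
    if not text:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def parse_proxy_line(line: str) -> dict:
    ts, method, dst_ip, dst_port, ua, body = line.split("|", 5)
    return {"ts": ts, "method": method, "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port), "ua": ua, "body": body}


def score_request(req: dict) -> tuple:
    """Score a request only when it targets the known C2 range; each matching trait adds one point."""
    reasons = []
    if req["dst_ip"] not in C2_RANGE:
        return 0, reasons
    if req["method"] == "POST" and req["dst_port"] == 80:
        reasons.append("POST over port 80 to known C2 range")
    if req["ua"] == C2_USER_AGENT:
        reasons.append("User-Agent matches documented beacon string")
    if is_base64(req["body"]):
        reasons.append("POST body is base64-encoded")
    return len(reasons), reasons


def scan_proxy(lines) -> list:
    """Return one alert per request that scored at least one point."""
    alerts = []
    for line in lines:
        req = parse_proxy_line(line)
        score, reasons = score_request(req)
        if score:
            alerts.append({"ts": req["ts"], "dst": str(req["dst_ip"]),
                           "score": score, "reasons": reasons})
    return alerts


def scan_edr(events) -> list:
    """Flag the documented mutex and scheduled task names on creation events."""
    alerts = []
    for ev in events:
        if ev["type"] == "mutex_create" and ev["name"] == MUTEX_NAME:
            alerts.append({**ev, "rule": "saintbot-mutex"})
        elif ev["type"] == "scheduled_task_create" and ev["name"] == TASK_NAME:
            alerts.append({**ev, "rule": "saintbot-schtask"})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy(PROXY_LOG) + scan_edr(EDR_EVENTS):
        print(alert)
```

The network scoring is gated on the C2 range on purpose: the User-Agent string is a stock Chrome 120 value and base64 POST bodies are common, so either trait alone would flood a SOC with benign traffic. The host rules are exact-match on the published names, which is precise but brittle; a variant that renames its mutex or task would need a behavioral rule keyed on the image path (for example, a .NET binary launched from a user's Temp directory, as the mitigation text suggests).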


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.