S0613: PS1
PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]
Analyst context for executives and security teams
PS1 is a Windows loader documented by ATT&CK as being used in the CostaRicto campaign to deploy 64-bit backdoors. Its practical significance is not the name of the malware, but the combination of behaviors around it: PowerShell execution, encoded or encrypted content, decoding, DLL injection, and tool transfer. Those behaviors often sit in gaps between endpoint logging, script visibility, and network/file-transfer monitoring.
Executive priority
Treat this as a coverage-validation item for Windows endpoint defense and incident readiness, especially where espionage risk, regulated data, or financial operations matter. Leaders should ask whether the organization can prove it captures PowerShell activity, suspicious file decoding, process/DLL injection signals, and external tool-transfer evidence well enough to support an investigation. Because ATT&CK provides no official detection text for PS1, confidence should come from tested telemetry and response evidence, not from assuming product coverage.
Technical view
For SOC, detection engineering, and IR teams, map PS1-related validation to the supplied relationships: T1059.001 PowerShell, T1027.013 Encrypted/Encoded File, T1140 Deobfuscate/Decode Files or Information, T1055.001 DLL Injection, and T1105 Ingress Tool Transfer. On Windows systems, validate process ancestry, command-line capture, PowerShell logging, file creation/modification, DLL load or injection telemetry, and network/file-transfer artifacts. Hunt and detections should emphasize chained behavior rather than a single indicator, since the official object does not provide detection logic or aliases.
Likely telemetry
- Windows process creation and parent/child process relationships
- PowerShell command-line, script, and execution logging where enabled
- File creation, modification, and staging artifacts for encoded or encrypted content
- Evidence of decoding or deobfuscation activity on host
- DLL load, memory, or process-injection telemetry from endpoint controls
Detection direction
- Validate visibility into PowerShell execution, including command line and script content where policy permits.
- Correlate encoded/encrypted file artifacts with subsequent decode/deobfuscation and execution events.
- Tune for suspicious DLL injection patterns while accounting for legitimate software and security tooling that may inject DLLs.
- Look for tool-transfer behavior followed by local execution or staging on Windows hosts.
- Use relationship-driven behavior chains rather than relying on malware name matching, because no aliases or official detection guidance are supplied.
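As an added example that is not part of the ATT&CK object or the Glexia page, the following Python turns the five related techniques into a per-host behavior chain over constructed Sysmon-like events, so that a PowerShell launch alone never alerts but PowerShell plus staged file, on-host decode, injection and outbound transfer does. Hosts WS01/WS02, the paths, the placeholder encoded command and the TEST-NET-3 address are assumptions, and the T1140 inference (a non-executable blob followed by an executable from the same writer) is a heuristic, not ATT&CK guidance.

```python
"""Chain PS1-related behaviors per host over constructed Sysmon-like telemetry (not real PS1 artifacts)."""
from collections import defaultdict
from datetime import datetime, timedelta

PS, WINDOW, EXEC_EXT = "powershell.exe", timedelta(minutes=10), (".dll", ".exe")
SUSPICIOUS_PS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "-noprofile")

# Constructed sample events: hypothetical hosts, placeholder payload, TEST-NET-3 address.
EVENTS = [
    {"ts": "2021-05-24T09:00:01", "host": "WS01", "type": "process", "image": PS, "cmd": "powershell.exe -nop -w hidden -EncodedCommand <placeholder>"},
    {"ts": "2021-05-24T09:00:03", "host": "WS01", "type": "network", "image": PS, "direction": "outbound", "dest": "203.0.113.10:443"},
    {"ts": "2021-05-24T09:00:04", "host": "WS01", "type": "file", "writer": PS, "path": r"C:\Users\Public\stage.bin"},
    {"ts": "2021-05-24T09:00:09", "host": "WS01", "type": "file", "writer": PS, "path": r"C:\Users\Public\stage.dll"},
    {"ts": "2021-05-24T09:00:15", "host": "WS01", "type": "remote_thread", "source": PS, "target": "explorer.exe"},
    # Benign: a scheduled admin script and an EDR agent injecting into a browser must not chain.
    {"ts": "2021-05-24T10:15:00", "host": "WS02", "type": "process", "image": PS, "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ts": "2021-05-24T10:16:00", "host": "WS02", "type": "remote_thread", "source": "edr_agent.exe", "target": "chrome.exe"},
]

def ts(ev):
    return datetime.fromisoformat(ev["ts"])

def first(events, pred):
    return next((e for e in events if pred(e)), None)

def ps_execution(ev):  # T1059.001 anchor: PowerShell started with encoded/hidden-style arguments
    return ev["type"] == "process" and ev.get("image", "").lower() == PS and any(a in ev.get("cmd", "").lower() for a in SUSPICIOUS_PS_ARGS)

def chain_for_host(events):
    """Technique IDs seen within WINDOW of the first suspicious PowerShell start, in time order."""
    events = sorted(events, key=ts)
    anchor = first(events, ps_execution)
    if anchor is None:
        return []
    window = [e for e in events if ts(anchor) <= ts(e) <= ts(anchor) + WINDOW]
    hits = [(ts(anchor), "T1059.001")]
    writes = [e for e in window if e["type"] == "file" and e.get("writer", "").lower() == PS]
    # T1027.013: PowerShell drops a non-executable blob; T1140 is inferred when the same writer later produces an executable.
    if blob := first(writes, lambda e: not e["path"].lower().endswith(EXEC_EXT)):
        hits.append((ts(blob), "T1027.013"))
        if decoded := first(writes, lambda e: ts(e) > ts(blob) and e["path"].lower().endswith(EXEC_EXT)):
            hits.append((ts(decoded), "T1140"))
    if inj := first(window, lambda e: e["type"] == "remote_thread" and e.get("source", "").lower() == PS):
        hits.append((ts(inj), "T1055.001"))  # PowerShell creating a thread in another process
    if net := first(window, lambda e: e["type"] == "network" and e.get("image", "").lower() == PS and e.get("direction") == "outbound"):
        hits.append((ts(net), "T1105"))  # outbound connection from the same loader process
    return [tech for _, tech in sorted(hits)]

def correlate(events, min_stages=3):  # report only hosts whose chain reaches min_stages techniques
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return {h: chain for h, evs in by_host.items() if len(chain := chain_for_host(evs)) >= min_stages}
```

Tune `SUSPICIOUS_PS_ARGS`, `WINDOW` and `min_stages` against your own administrative PowerShell baseline; the EDR-agent injection on WS02 is deliberately left out of the chain because its source is not the PowerShell process.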
Mitigation priorities
- Prioritize PowerShell governance: restrict unnecessary use, monitor administrative use, and require logging appropriate to the environment.
- Use application control, script control, and least-privilege practices to reduce unauthorized loader execution paths.
- Harden endpoint monitoring for DLL injection, unusual process behavior, and suspicious file staging.
- Control and monitor external file/tool transfer paths, including egress and download activity relevant to command-and-control workflows.
- Exercise IR playbooks to ensure teams can preserve PowerShell logs, process trees, staged files, and network evidence during a suspected loader/backdoor incident.
Analyst notes and limits
The object is tied by ATT&CK relationship to the CostaRicto campaign, described as suspected hacker-for-hire cyber espionage targeting multiple industries worldwide, with many financial institutions noted. This take uses only the supplied ATT&CK description, external reference, and relationship context; it does not assert current activity, attribution beyond the supplied campaign relationship, or guaranteed detectability.
ATT&CK provides no official detection section, no aliases, no malware labels, and no object-level tactics for PS1. Local conclusions require environment-specific evidence such as enabled Windows logging, endpoint telemetry depth, network retention, and known administrative PowerShell baselines.
PS1
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | CostaBricks can download additional payloads onto a compromised host.[1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | PS1 can inject its payload DLL into memory.[1] |
| Enterprise | T1059.001 | PowerShell | PS1 can utilize a PowerShell loader.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | PS1 is distributed as a set of encrypted files and scripts.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[1] |
Groups, software, and campaigns
C0004: CostaRicto
CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 0e3318babbb0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] BlackBerry CostaRicto November 2020. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
[2] mitre-attack S0613.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.