S0615: SombRAT
Analyst context for executives and security teams
SombRAT matters because MITRE describes it as a Windows modular C++ backdoor used to download and execute additional payloads, including FIVEHANDS ransomware. For leaders, the decision point is not just “can we find SombRAT,” but whether endpoint, DNS, network, and incident-response processes can recognize a backdoor that performs discovery, stages and exfiltrates data, hides artifacts, and brings in follow-on tooling.
Executive priority
Prioritize SombRAT as a resilience and response-readiness scenario: a backdoor with collection, command-and-control, stealth, ingress tool transfer, and exfiltration behaviors can become the control point for broader intrusion activity. Executives should ask whether Windows endpoint visibility, DNS monitoring, egress controls, data-staging detection, and ransomware response playbooks are evidenced and tested—not assumed. The relationship to the CostaRicto campaign and references to FIVEHANDS make this especially relevant for organizations validating preparedness against financially motivated or espionage-linked intrusions, while avoiding any assumption of current exposure without local evidence.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the behaviors ATT&CK associates with SombRAT: Windows host discovery, process and service enumeration, file and directory discovery, user and system information discovery, local data collection/staging, custom archiving, C2 over DNS or non-application-layer protocols, proxy use, encrypted C2, DGA-style destination selection, ingress tool transfer, DLL injection, masquerading, argument spoofing, deobfuscation, and file deletion. Because MITRE provides no official detection text for this software, coverage should be behavior-led and correlated across endpoint process/memory telemetry, file activity, DNS/network logs, and egress events rather than dependent on a single malware signature.
Likely telemetry
- Windows endpoint process creation and parent/child process relationships
- Command-line and process argument telemetry, with awareness that argument spoofing may reduce reliability
- DLL load, remote thread, memory allocation, and process injection indicators where available
- Windows service, process, user, system, file, and directory discovery events
- File creation, modification, staging, archiving, decoding/deobfuscation, and deletion activity
- DNS query logs and network egress, proxy, and flow records, which are needed to pair host activity with C2 and exfiltration
Detection direction
- Build behavior chains rather than one-off alerts: discovery followed by local staging or archiving, then unusual egress is more decision-useful than any single command or file event.
- Tune DNS analytics for high-volume, algorithmic, rare, or newly observed domains, while accounting for legitimate dynamic DNS, CDN, and security-product traffic.
- Validate endpoint visibility for injection and masquerading behaviors, especially where process names, file paths, metadata, or command-line arguments appear benign but memory or load behavior is abnormal.
- Correlate file deletion after payload transfer, collection, or staging as potential cleanup activity; avoid treating deletion alone as conclusive.
- Hunt for unexpected encrypted outbound sessions or non-standard protocol usage from Windows endpoints that do not normally generate such traffic.
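
The behavior chain the directions above describe (discovery, then local staging under %TEMP% in the spirit of the T1074.001 note, then bulk egress, with an optional cleanup deletion that raises severity but never alerts alone), as an added example that is not code from MITRE or from the cited BlackBerry, FireEye, or CISA reports. The event schema, the sample events, the discovery-tool list, the staging directories, the thirty-minute window, and the byte thresholds are all constructed assumptions standing in for whatever a real EDR or SIEM emits.

```python
"""Behavior-chain correlation: discovery -> local staging -> egress (-> cleanup).

Added example for this page, not code from MITRE or from the cited reports.
The event schema and the sample events are constructed assumptions standing in
for whatever an EDR/SIEM actually emits; the staging path loosely follows the
T1074.001 note (a custom database under %TEMP%).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. WS-101 shows the full chain; WS-202 shows only
# discovery commands, which an admin session also produces and must not alert.
SAMPLE_EVENTS = [
    {"host": "WS-101", "ts": "2021-05-06T09:00:05", "kind": "process",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    {"host": "WS-101", "ts": "2021-05-06T09:00:09", "kind": "process",
     "image": "C:\\Windows\\System32\\tasklist.exe"},
    {"host": "WS-101", "ts": "2021-05-06T09:00:12", "kind": "process",
     "image": "C:\\Windows\\System32\\systeminfo.exe"},
    {"host": "WS-101", "ts": "2021-05-06T09:03:40", "kind": "file", "action": "create",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\c4b1.db", "bytes": 4_200_000},
    {"host": "WS-101", "ts": "2021-05-06T09:05:10", "kind": "network",
     "dst": "198.51.100.23", "dport": 443, "bytes_out": 4_300_000},
    {"host": "WS-101", "ts": "2021-05-06T09:05:30", "kind": "file", "action": "delete",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\c4b1.db"},
    {"host": "WS-202", "ts": "2021-05-06T10:15:00", "kind": "process",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    {"host": "WS-202", "ts": "2021-05-06T10:15:03", "kind": "process",
     "image": "C:\\Windows\\System32\\systeminfo.exe"},
]

# Tunables (assumptions): which binaries count as discovery, where staging
# happens, how long a chain may take, and how much egress counts as bulk.
DISCOVERY_IMAGES = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "net.exe",
                    "sc.exe", "hostname.exe", "ipconfig.exe"}
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
WINDOW = timedelta(minutes=30)
MIN_EGRESS_BYTES = 1_000_000


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window=WINDOW, min_egress=MIN_EGRESS_BYTES):
    """Return one alert per host whose events form discovery -> staging -> egress
    inside `window`. Two or more distinct discovery tools are required before a
    %TEMP% file counts as staging; the egress must be at least min_egress bytes
    and at least half the staged file's size; deleting the staged file afterwards
    only raises severity. Deletion alone never alerts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])   # ISO-8601 strings sort chronologically
        tools, first_disc, staged, egress, cleanup = set(), None, None, None, False
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if first_disc is not None and t - first_disc > window:
                break                       # chain window expired without completing
            kind = e["kind"]
            if kind == "process" and _basename(e["image"]) in DISCOVERY_IMAGES:
                tools.add(_basename(e["image"]))
                first_disc = first_disc or t
            elif (kind == "file" and e["action"] == "create" and len(tools) >= 2
                  and any(d in e["path"].lower() for d in STAGING_DIRS)):
                staged = e
            elif (kind == "network" and staged is not None and egress is None
                  and e["bytes_out"] >= max(min_egress, staged["bytes"] // 2)):
                egress = e
            elif (kind == "file" and e["action"] == "delete" and egress is not None
                  and e["path"] == staged["path"]):
                cleanup = True
        if staged is not None and egress is not None:
            alerts.append({
                "host": host,
                "discovery_tools": sorted(tools),
                "staged_path": staged["path"],
                "egress_dst": f'{egress["dst"]}:{egress["dport"]}',
                "cleanup": cleanup,
                "severity": "high" if cleanup else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints one alert for WS-101 and nothing for WS-202; the same functions applied to only the deletion event, or only the network event, return no alert, which is the point of insisting on the full chain rather than any single stage.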
Mitigation priorities
- Start with visibility: ensure Windows endpoint, DNS, network egress, and file activity telemetry are collected and retained long enough for intrusion reconstruction.
- Constrain outbound communications with egress filtering, DNS governance, and proxy controls appropriate to business operations.
- Harden endpoints against unauthorized payload execution and tool transfer through application control, least privilege, and controlled administrative pathways.
- Improve detection and response for data staging, archiving, and exfiltration behaviors, including playbooks for rapid containment when C2 and collection are both observed.
- Test ransomware-adjacent response processes because MITRE notes SombRAT has been used to download and execute payloads including FIVEHANDS ransomware.
Analyst notes and limits
This take is based only on the supplied ATT&CK object, external references, and relationships. The most useful defender interpretation is behavior-centric: SombRAT is represented as a Windows backdoor with relationships spanning discovery, collection, stealth, command-and-control, ingress tool transfer, and exfiltration. The CostaRicto campaign relationship supplies historical context, not proof of current activity in any environment.
MITRE provides no official detection text, no explicit tactics on the malware object itself, and no local indicators, hashes, infrastructure, or prevalence data in the supplied fields. Technique relationships include platforms broader than SombRAT’s listed Windows platform; local validation should focus first on Windows while using the related techniques to guide behavior analytics. Any exposure, attribution, or active exploitation assessment requires environment-specific evidence.
SombRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | SombRAT can use SSL to encrypt C2 traffic. [1][2][3] |
| Enterprise | T1124 | System Time Discovery | SombRAT can execute |
| Enterprise | T1057 | Process Discovery | SombRAT can use the |
| Enterprise | T1090 | Proxy | SombRAT has the ability to use an embedded SOCKS proxy in C2 communications. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SombRAT can run |
| Enterprise | T1005 | Data from Local System | SombRAT has collected data and files from a compromised host. [1][3] |
| Enterprise | T1106 | Native API | SombRAT has the ability to respawn itself using |
| Enterprise | T1027 | Obfuscated Files or Information | SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data. [1][2][3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SombRAT has the ability to run |
| Enterprise | T1105 | Ingress Tool Transfer | SombRAT has the ability to download and execute additional payloads. [1][2][3] |
| Enterprise | T1095 | Non-Application Layer Protocol | SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server. [1][2] |
| Enterprise | T1564.010 | Hide Artifacts: Process Argument Spoofing | SombRAT has the ability to modify its process memory to hide process command-line arguments. [2] |
| Enterprise | T1033 | System Owner/User Discovery | SombRAT can execute |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | SombRAT has encrypted collected data with AES-256 using a hardcoded key. [1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | SombRAT has encrypted its C2 communications with AES. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SombRAT has uploaded collected data and files from a compromised host to its C2 server. [1] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | SombRAT can communicate over DNS with the C2 server. [1][2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | SombRAT can store harvested data in a custom database under the %TEMP% directory. [1] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | SombRAT can use a custom DGA to generate a subdomain for C2. [1] |
| Enterprise | T1007 | System Service Discovery | SombRAT can enumerate services on a victim machine. [1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | SombRAT can execute |
| Enterprise | T1083 | File and Directory Discovery | SombRAT can execute |
| Enterprise | T1036 | Masquerading | SombRAT can use a legitimate process name to hide itself. [3] |
| Enterprise | T1082 | System Information Discovery | SombRAT can execute |
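
The DGA and DNS rows in this table (T1568.002, T1071.004) and the earlier direction to tune DNS analytics for algorithmic, high-volume, or newly observed names come down to one analytic: per client and registrable domain, how many distinct, long, high-entropy leftmost labels are being resolved, with known CDN, dynamic-DNS, and security-product domains excluded so their legitimate churn does not page anyone. The following is an added example, not code from MITRE or from the cited BlackBerry, FireEye, or CISA reports, and it does not reproduce SombRAT's actual algorithm. The log format, thresholds, allowlist, client names, and domains are constructed assumptions; registrable-domain extraction is approximated by the last two labels, and a Public Suffix List lookup is the correct tool in production.

```python
"""DGA-style subdomain scoring over a constructed DNS query log.

Added example for this page; not code from MITRE, BlackBerry, FireEye or CISA,
and it does not reproduce SombRAT's own DGA. Log format, thresholds, allowlist
and domain names are assumptions for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed allowlist of registrable domains whose subdomain churn is expected
# (CDN, dynamic DNS, security-product lookups). Placeholder names, not vendors.
ALLOWLIST = {"cdn.example", "dyndns.example", "av-cloud.example"}

# Constructed query log lines: "<timestamp> <client> <qtype> <qname>".
_C2_LABELS = ["k3j9x2q8v7mz1a", "p0w4e8r6t2y5u1", "b7n3m9c5x1z8q4", "d2f6g0h4j8k1l5",
              "s9a3d7f1g5h2j6", "z1x5c9v3b7n2m4", "q8w2e6r0t4y9u3", "o5i9p3a7s1d2f8",
              "l4k8j2h6g0f3d7", "m1n5b9v3c7x2z6"]
_CDN_LABELS = ["e1f2a3b4c5d6", "g7h8i9j0k1l2", "m3n4o5p6q7r8", "s9t0u1v2w3x4",
               "y5z6a7b8c9d0", "e2f3g4h5i6j7", "k8l9m0n1o2p3", "q4r5s6t7u8v9"]
SAMPLE_DNS_LOG = (
    [f"2021-05-06T09:1{i}:00 WS-101 A {lbl}.c2.example" for i, lbl in enumerate(_C2_LABELS)]
    + [f"2021-05-06T10:0{i}:00 WS-303 A {lbl}.cdn.example" for i, lbl in enumerate(_CDN_LABELS)]
    + ["2021-05-06T10:30:00 WS-202 A www.example.com",
       "2021-05-06T10:30:05 WS-202 A mail.example.com",
       "2021-05-06T10:30:10 WS-202 A example.com",
       "2021-05-06T10:31:00 WS-202 A www.example.com"]
)


def shannon_entropy(label):
    """Bits per character: near 0 for repetitive text, near log2(len) for
    labels with no repeated characters."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def base_domain(qname):
    """Registrable domain approximated as the last two labels. Assumption for
    this example; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_dns(lines, allowlist=ALLOWLIST, min_unique=8, min_entropy=3.0, min_len=10):
    """Flag (client, base domain) pairs whose leftmost labels look algorithmic:
    at least min_unique distinct labels whose mean entropy and mean length both
    exceed the thresholds. Allowlisted bases are skipped entirely."""
    stats = defaultdict(lambda: {"labels": set(), "queries": 0})
    for line in lines:
        _ts, client, _qtype, qname = line.split()
        base = base_domain(qname)
        if base in allowlist:
            continue
        entry = stats[(client, base)]
        entry["queries"] += 1
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) > 2:               # bare registrable domain has no subdomain label
            entry["labels"].add(labels[0])

    findings = []
    for (client, base), entry in stats.items():
        labels = entry["labels"]
        if len(labels) < min_unique:
            continue
        mean_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        mean_len = sum(map(len, labels)) / len(labels)
        if mean_entropy >= min_entropy and mean_len >= min_len:
            findings.append({"host": client, "base_domain": base,
                             "unique_subdomains": len(labels),
                             "mean_entropy": round(mean_entropy, 3),
                             "mean_label_len": mean_len,
                             "queries": entry["queries"]})
    return sorted(findings, key=lambda f: -f["unique_subdomains"])


if __name__ == "__main__":
    for finding in score_dns(SAMPLE_DNS_LOG):
        print(finding)
```

Run as written it flags only WS-101 against c2.example; WS-202's ordinary names never reach the entropy threshold, and WS-303's CDN churn is suppressed by the allowlist. Removing the allowlist makes WS-303 a second finding, which is exactly the false positive the tuning direction warns about.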
Groups, software, and campaigns
C0004: CostaRicto
CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where multiple ATT&CK source imports are retained, the same object can be compared across releases by raw hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 03901d19a120… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] BlackBerry CostaRicto November 2020: The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
[2] FireEye FiveHands April 2021: McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
[3] CISA AR21-126A FIVEHANDS May 2021: CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
[4] mitre-attack S0615: MITRE ATT&CK software object S0615 (SombRAT).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.