S0615: SombRAT
Analyst context for executives and security teams
SombRAT matters because MITRE describes it as a modular C++ backdoor for Windows used to download and execute additional payloads, including FIVEHANDS ransomware. For leaders, the decision point is not just whether SombRAT can be found, but whether endpoint, DNS, network, and incident-response processes can recognize a backdoor that performs discovery, stages and exfiltrates data, hides its artifacts, and brings in follow-on tooling.
Executive priority
Prioritize SombRAT as a resilience and response-readiness scenario: a backdoor with collection, command-and-control, stealth, ingress tool transfer, and exfiltration behaviors can become the control point for broader intrusion activity. Executives should ask whether Windows endpoint visibility, DNS monitoring, egress controls, data-staging detection, and ransomware response playbooks are evidenced and tested—not assumed. The relationship to the CostaRicto campaign and references to FIVEHANDS make this especially relevant for organizations validating preparedness against financially motivated or espionage-linked intrusions, while avoiding any assumption of current exposure without local evidence.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the behaviors ATT&CK associates with SombRAT, grouped here by tactic: discovery (Windows process, service, file and directory, and user and system information discovery); collection (local data collection and staging, archiving via a custom method); command and control (DNS and other non-application-layer protocols, proxies, encrypted channels, DGA-style destination selection, and ingress tool transfer); and defense evasion (DLL injection, masquerading, process argument spoofing, deobfuscation or decoding of files, and file deletion). Because MITRE provides no official detection text for this software object, coverage should be behavior-led and correlated across endpoint process and memory telemetry, file activity, DNS and network logs, and egress events rather than depend on a single malware signature.
Likely telemetry
- Windows endpoint process creation and parent/child process relationships
- Command-line and process argument telemetry, with awareness that argument spoofing may reduce reliability
- DLL load, remote thread, memory allocation, and process injection indicators where available
- Windows service, process, user, system, file, and directory discovery events
- File creation, modification, staging, archiving, decoding/deobfuscation, and deletion activity
Detection direction
- Build behavior chains rather than one-off alerts: discovery followed by local staging or archiving and then unusual egress, on the same host within a bounded window, is more decision-useful than any single command or file event.
- Tune DNS analytics for high-volume, algorithmic, rare, or newly observed domains, while accounting for legitimate dynamic DNS, CDN, and security-product traffic.
- Validate endpoint visibility for injection and masquerading behaviors, especially where process names, file paths, metadata, or command-line arguments appear benign but memory or load behavior is abnormal.
- Correlate file deletion after payload transfer, collection, or staging as potential cleanup activity; avoid treating deletion alone as conclusive.
- Hunt for unexpected encrypted outbound sessions or non-standard protocol usage from Windows endpoints that do not normally generate such traffic.
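The behavior chain and the DNS analytics described above, as an added Python example that is not part of the ATT&CK object, the cited reports, or Glexia's own tooling. It walks constructed process, file, DNS and flow events per host, scores DNS names with an entropy and digit-density heuristic after excluding a constructed allowlist (CDN, dynamic DNS, update traffic) and a constructed baseline of already-seen domains, treats many distinct reads followed by one write by the same process as a staging candidate regardless of file extension, and only alerts when discovery, staging and egress occur in that order within a window. The event schema, thresholds, command patterns, hostnames and sample records are all assumptions made for illustration, not fields of any particular product.

```python
"""Behavior-chain correlation over constructed endpoint, file, DNS and flow events.
Per host, in time order and within WINDOW: discovery -> staging -> egress. Single-stage
hits are evidence only. Schema, thresholds, patterns and records are constructed."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW, STANDARD_PORTS = timedelta(hours=2), {53, 80, 443}
MIN_STAGED_READS, MIN_LABEL_LEN = 5, 12   # reads before an output write; label length
HIGH_ENTROPY, MID_ENTROPY, DIGIT_RATIO = 3.8, 3.2, 0.2
# Constructed allowlist of suffixes that legitimately produce rare, high-entropy names
# (CDN, dynamic DNS, update traffic) and a constructed baseline of domains already seen.
BENIGN_SUFFIXES = ("cloudfront.net", "akamaized.net", "dyndns.org", "windowsupdate.com")
BASELINE_DOMAINS = {"intranet.example.local", "update.example.com"}
# Constructed patterns for common Windows discovery commands in process telemetry.
DISCOVERY_CMDS = re.compile(
    r"(?i)\b(?:tasklist|systeminfo|whoami|hostname|net\s+(?:user|group|localgroup)|"
    r"sc\s+query|wmic\s+(?:process|service|computersystem)|dir\s+/s)\b")

def shannon_entropy(text):
    """Bits per character of text; 0.0 for an empty string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def is_suspicious_domain(domain):
    """Newly observed, not allowlisted, and with an algorithmic-looking registrable label."""
    d = domain.lower().rstrip(".")
    if d in BASELINE_DOMAINS or any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES):
        return False
    label = d.rsplit(".", 2)[-2] if "." in d else d
    if len(label) < MIN_LABEL_LEN:
        return False
    ent = shannon_entropy(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    # Dictionary-word labels reach about 3.6 bits/char, so require either very high
    # entropy or moderate entropy combined with a digit-heavy label.
    return ent >= HIGH_ENTROPY or (ent >= MID_ENTROPY and digits >= DIGIT_RATIO)

def stage_of(event, reads_by_pid):
    """Map one event to a chain stage or None; reads_by_pid is per-host state."""
    kind = event["type"]
    if kind == "process":
        return "discovery" if DISCOVERY_CMDS.search(event["cmdline"]) else None
    if kind == "file":
        seen = reads_by_pid[event["pid"]]
        if event["op"] == "read":
            seen.add(event["path"].lower())
            return None
        # Many distinct reads then one write: collection followed by local staging
        # or custom archiving, whatever extension the output file carries.
        return "staging" if event["op"] == "write" and len(seen) >= MIN_STAGED_READS else None
    if kind == "dns":
        return "egress" if is_suspicious_domain(event["query"]) else None
    if kind == "net":
        return "egress" if event["dport"] not in STANDARD_PORTS else None

def correlate(events):
    """One alert per host whose events form discovery -> staging -> egress within WINDOW."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        reads_by_pid, hits = defaultdict(set), []
        for e in evs:
            stage = stage_of(e, reads_by_pid)
            if stage:
                hits.append((stage, datetime.fromisoformat(e["ts"]), e))
        for d_stage, d_ts, d_ev in hits:
            if d_stage != "discovery":
                continue
            stg = next(((ts, e) for s, ts, e in hits if s == "staging" and ts >= d_ts), None)
            egr = stg and next(((ts, e) for s, ts, e in hits
                                if s == "egress" and ts >= stg[0] and ts - d_ts <= WINDOW), None)
            if egr:
                alerts.append({"host": host, "discovery": d_ev, "staging": stg[1], "egress": egr[1]})
                break  # the first complete chain per host is enough for triage
    return alerts

def ev(ts, host, kind, **fields):  # constructed record builder
    return {"ts": "2021-05-06T" + ts, "host": host, "type": kind, **fields}

SAMPLE_EVENTS = [  # constructed telemetry; only WS-17 carries the full chain
    ev("09:00:10", "WS-17", "process", pid=4412, cmdline="tasklist /v"),
    ev("09:00:40", "WS-17", "process", pid=4412, cmdline="net user"),
    *[ev(f"09:10:0{i}", "WS-17", "file", op="read", pid=4412,
         path=rf"C:\Users\jdoe\Documents\report_{i}.docx") for i in range(6)],
    ev("09:15:00", "WS-17", "file", op="write", pid=4412, path=r"C:\ProgramData\cache\data.bin"),
    ev("09:20:00", "WS-17", "dns", query="xk3q9zwpl7vtme2r.com"),
    ev("09:21:00", "WS-17", "net", dst="203.0.113.10", dport=8443),
    ev("10:00:00", "WS-22", "process", pid=900, cmdline="systeminfo"),   # admin, no staging
    ev("10:01:00", "WS-22", "dns", query="update.example.com"),
    ev("10:01:05", "WS-22", "net", dst="198.51.100.5", dport=443),
    ev("11:00:00", "WS-31", "dns", query="documentcloudstorage.com"),     # dictionary words
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["discovery"]["cmdline"], "->", a["staging"]["path"], "->", a["egress"])
```

Only WS-17 produces an alert: the admin's systeminfo on WS-22 and the long but dictionary-word domain on WS-31 each hit at most one stage and stay as evidence. The staging rule deliberately ignores file extensions because custom archiving need not produce a recognizable container; the DNS rule deliberately requires more than "newly observed", which alone fires on every legitimate first contact.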
Mitigation priorities
- Start with visibility: ensure Windows endpoint, DNS, network egress, and file activity telemetry are collected and retained long enough for intrusion reconstruction.
- Constrain outbound communications with egress filtering, DNS governance, and proxy controls appropriate to business operations.
- Harden endpoints against unauthorized payload execution and tool transfer through application control, least privilege, and controlled administrative pathways.
- Improve detection and response for data staging, archiving, and exfiltration behaviors, including playbooks for rapid containment when C2 and collection are both observed.
- Test ransomware-adjacent response processes because MITRE notes SombRAT has been used to download and execute payloads including FIVEHANDS ransomware.
Analyst notes and limits
This take is based only on the supplied ATT&CK object, external references, and relationships. The most useful defender interpretation is behavior-centric: SombRAT is represented as a Windows backdoor with relationships spanning discovery, collection, stealth, command-and-control, ingress tool transfer, and exfiltration. The CostaRicto campaign relationship supplies historical context, not proof of current activity in any environment.
MITRE provides no official detection text, no explicit tactics on the malware object itself, and no local indicators, hashes, infrastructure, or prevalence data in the supplied fields. Technique relationships include platforms broader than SombRAT’s listed Windows platform; local validation should focus first on Windows while using the related techniques to guide behavior analytics. Any exposure, attribution, or active exploitation assessment requires environment-specific evidence.
SombRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
C0004: CostaRicto
CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 03901d19a120… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] BlackBerry CostaRicto November 2020. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- [2] FireEye FiveHands April 2021. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- [3] CISA AR21-126A FIVEHANDS May 2021. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- [4] mitre-attack S0615. MITRE ATT&CK, https://attack.mitre.org/software/S0615
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.