{
	"id": "696f3cbd-c28a-4f67-af34-ca1930b713c1",
	"created_at": "2026-04-06T03:37:39.110246Z",
	"updated_at": "2026-04-10T13:12:07.548648Z",
	"deleted_at": null,
	"sha1_hash": "00b291be1c84e620e4d6bdce43fb10eb6196956c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46836,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:27:16 UTC\nTool: CostaBricks\nNames CostaBricks\nCategory Malware\nType Loader\nDescription\n(BlackBerry) The loader used with 32-bit backdoors is more technically compelling. It\nimplements a simple custom-built virtual machine mechanism that will execute an\nembedded bytecode to decode and inject the payload into memory.\nThis attempt at obfuscation, although not new, is rather uncommon in relation to\ntargeted attacks. Code virtualization has been most prevalent in commercial software\nprotectors which use much more advanced solutions; simpler virtual machines are\nsometimes also featured in off-the-shelf malicious packers used by widespread financial\ncrimeware. This particular implementation, however, is unique (there are just a handful\nof samples in the public domain) and seems to be used only with SombRAT payloads –\nwhich makes us believe it is a custom-built tool that is private to the attackers.\nInformation\nMITRE ATT\u0026CK\nLast change to this tool card: 30 December 2022\nAll groups using tool CostaBricks\nChanged Name Country Observed\nAPT groups\n CostaRicto [Unknown] 2017\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d97f5f2-fffb-4fac-9248-9c8f531d8cc7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d97f5f2-fffb-4fac-9248-9c8f531d8cc7"
	],
	"report_names": [
		"listgroups.cgi?u=3d97f5f2-fffb-4fac-9248-9c8f531d8cc7"
	],
	"threat_actors": [
		{
			"id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79",
			"created_at": "2022-10-25T15:50:23.667393Z",
			"updated_at": "2026-04-10T02:00:05.344613Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [
				"CostaRicto"
			],
			"source_name": "MITRE:CostaRicto",
			"tools": [
				"PowerSploit",
				"SombRAT",
				"PsExec",
				"PS1",
				"CostaBricks"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b77f9b40-dca7-449d-819e-115cd2295b41",
			"created_at": "2022-10-25T16:07:23.502671Z",
			"updated_at": "2026-04-10T02:00:04.63173Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "ETDA:CostaRicto",
			"tools": [
				"CostaBricks",
				"PowerSploit",
				"PsExec",
				"SombRAT",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "115cf618-02a8-42b8-8d25-305292eafedb",
			"created_at": "2023-11-21T02:00:07.396534Z",
			"updated_at": "2026-04-10T02:00:03.478259Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "MISPGALAXY:CostaRicto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446659,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00b291be1c84e620e4d6bdce43fb10eb6196956c.pdf",
		"text": "https://archive.orkl.eu/00b291be1c84e620e4d6bdce43fb10eb6196956c.txt",
		"img": "https://archive.orkl.eu/00b291be1c84e620e4d6bdce43fb10eb6196956c.jpg"
	}
}