{
	"id": "1e233097-acd1-42e4-aabb-9aaaf684a716",
	"created_at": "2026-04-06T00:18:47.453518Z",
	"updated_at": "2026-04-10T13:13:09.866841Z",
	"deleted_at": null,
	"sha1_hash": "51ac19cf8e3250f13659447861586d8e2fd232c0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48760,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:35:10 UTC\r\n APT group: CostaRicto\r\nNames CostaRicto (BlackBerry)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2017\r\nDescription\r\n(BlackBerry) During the past six months, the BlackBerry Research and Intelligence team\r\nhave been monitoring a cyber-espionage campaign that is targeting disparate victims\r\naround the globe. The campaign, dubbed CostaRicto by BlackBerry, appears to be\r\noperated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke\r\nmalware tooling and complex VPN proxy and SSH tunnelling capabilities.\r\nMercenary groups offering APT-style attacks are becoming more and more popular. Their\r\ntactics, techniques, and procedures (TTPs) often resemble highly sophisticated state-sponsored campaigns, but the profiles and geography of their victims are far too diverse to\r\nbe aligned with a single bad actor’s interests.\r\nAlthough in theory the customers of a mercenary APT might include anyone who can\r\nafford it, the more sophisticated actors will naturally choose to work with patrons of the\r\nhighest profile – be it large organizations, influential individuals, or even governments.\r\nHaving a lot at stake, the cybercriminals must choose very carefully when selecting their\r\ncommissions to avoid the risk of being exposed.\r\nObserved\r\nCountries: Australia, Austria, Bahamas, Bangladesh, China, Czech, France, India,\r\nMozambique, Netherlands, Portugal, Singapore, USA.\r\nTools used CostaBricks, nmap, PowerSploit, PsExec, SombRAT.\r\nInformation\r\n\u003chttps://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:CostaRicto\u003e\r\nLast change to this card: 07 January 2021\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=18339642-2d15-4dae-abfe-27abe661b911",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=18339642-2d15-4dae-abfe-27abe661b911"
	],
	"report_names": [
		"showcard.cgi?u=18339642-2d15-4dae-abfe-27abe661b911"
	],
	"threat_actors": [
		{
			"id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79",
			"created_at": "2022-10-25T15:50:23.667393Z",
			"updated_at": "2026-04-10T02:00:05.344613Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [
				"CostaRicto"
			],
			"source_name": "MITRE:CostaRicto",
			"tools": [
				"PowerSploit",
				"SombRAT",
				"PsExec",
				"PS1",
				"CostaBricks"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b77f9b40-dca7-449d-819e-115cd2295b41",
			"created_at": "2022-10-25T16:07:23.502671Z",
			"updated_at": "2026-04-10T02:00:04.63173Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "ETDA:CostaRicto",
			"tools": [
				"CostaBricks",
				"PowerSploit",
				"PsExec",
				"SombRAT",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "115cf618-02a8-42b8-8d25-305292eafedb",
			"created_at": "2023-11-21T02:00:07.396534Z",
			"updated_at": "2026-04-10T02:00:03.478259Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "MISPGALAXY:CostaRicto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51ac19cf8e3250f13659447861586d8e2fd232c0.pdf",
		"text": "https://archive.orkl.eu/51ac19cf8e3250f13659447861586d8e2fd232c0.txt",
		"img": "https://archive.orkl.eu/51ac19cf8e3250f13659447861586d8e2fd232c0.jpg"
	}
}