Threat Group Cards: A Threat Actor Encyclopedia Archived: 2026-04-05 17:35:10 UTC APT group: CostaRicto Names CostaRicto (BlackBerry) Country [Unknown] Motivation Financial gain First seen 2017 Description (BlackBerry) During the past six months, the BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe. The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities. Mercenary groups offering APT-style attacks are becoming more and more popular. Their tactics, techniques, and procedures (TTPs) often resemble highly sophisticated state-sponsored campaigns, but the profiles and geography of their victims are far too diverse to be aligned with a single bad actor’s interests. Although in theory the customers of a mercenary APT might include anyone who can afford it, the more sophisticated actors will naturally choose to work with patrons of the highest profile – be it large organizations, influential individuals, or even governments. Having a lot at stake, the cybercriminals must choose very carefully when selecting their commissions to avoid the risk of being exposed. Observed Countries: Australia, Austria, Bahamas, Bangladesh, China, Czech, France, India, Mozambique, Netherlands, Portugal, Singapore, USA. Tools used CostaBricks, nmap, PowerSploit, PsExec, SombRAT. Information AlienVault OTX Last change to this card: 07 January 2021 Download this actor card in PDF or JSON format https://apt.etda.or.th/cgi-bin/showcard.cgi?u=18339642-2d15-4dae-abfe-27abe661b911 Page 1 of 2 Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=18339642-2d15-4dae-abfe-27abe661b911 https://apt.etda.or.th/cgi-bin/showcard.cgi?u=18339642-2d15-4dae-abfe-27abe661b911 Page 2 of 2