{
	"id": "bda4c4a4-373e-4415-98aa-e4f80d68484b",
	"created_at": "2026-04-06T00:18:19.114415Z",
	"updated_at": "2026-04-10T03:37:00.15713Z",
	"deleted_at": null,
	"sha1_hash": "9ed39ab4dfaf44a8c65512135a5238e535ceb0c4",
	"title": "costricto mercenary Outsourced Cyber Spying hackers espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 561205,
	"plain_text": "costricto mercenary Outsourced Cyber Spying hackers espionage\r\nArchived: 2026-04-05 13:52:49 UTC\r\nMercenary hacking groups offering Advanced Persistent Threat (APT) attacks are becoming more popular, and their tactics, techniques and procedures can resemble highly sophisticated state-sponsored campaigns. BlackBerry Research has documented the activity of a hackers-for-hire group, named CostaRicto, which has been observed using a new form of malware to target South Asian financial institutions and global entertainment companies. The profiles and geography of their victims are very varied, so it is unlikely that this is just one hacking band; it is likely that there are several different groups for hire.\r\nAlthough in theory the customers of a mercenary APT might include anyone who can afford it, the more sophisticated actors will naturally choose to work with patrons of the highest profile, be it large organizations, influential individuals, or even governments.\r\nhttps://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html\r\nPage 1 of 7\r\nCyber criminals must choose very carefully when selecting their commissions to avoid the risk of being exposed. Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure and experience to conduct an attack themselves. But even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of indirection to their attacks. By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution.\r\nTargeting\r\nUnlike most of the state-sponsored APT actors, the CostaRicto adversary seems to be indiscriminate when it comes to the victims' geography. Their targets are located in numerous countries across the globe, with just a slight concentration in the South Asian region. The list of other countries where victims were observed includes China, the US, the Bahamas, Australia, Mozambique, France, the Netherlands, Austria, Portugal and the Czech Republic.\r\nBlackBerry analysts noticed that one of the IP addresses employed in the group's attacks has been linked to an earlier phishing campaign initially attributed to the Russia-linked APT28 group. This circumstance suggests that the CostaRicto APT carried out attacks on behalf of other threat actors.\r\nThe victims’ profiles are diverse across several verticals, with a large portion being financial institutions. Like many other hacker-for-hire operations, this one appears to have been operational for many months at least, according to BlackBerry. While the earliest time stamps for the custom backdoor date to October of last year, the time stamps on the payload stagers, which date to 2017, could suggest a longer-running operation.\r\nBlackberry: Security Affairs: CSOOnline: CyberScoop: Israel Defense:\r\nSource: https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html"
	],
	"report_names": [
		"outsourced-cyber-spying-5335.html"
	],
	"threat_actors": [
		{
			"id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79",
			"created_at": "2022-10-25T15:50:23.667393Z",
			"updated_at": "2026-04-10T02:00:05.344613Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [
				"CostaRicto"
			],
			"source_name": "MITRE:CostaRicto",
			"tools": [
				"PowerSploit",
				"SombRAT",
				"PsExec",
				"PS1",
				"CostaBricks"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b77f9b40-dca7-449d-819e-115cd2295b41",
			"created_at": "2022-10-25T16:07:23.502671Z",
			"updated_at": "2026-04-10T02:00:04.63173Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "ETDA:CostaRicto",
			"tools": [
				"CostaBricks",
				"PowerSploit",
				"PsExec",
				"SombRAT",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "115cf618-02a8-42b8-8d25-305292eafedb",
			"created_at": "2023-11-21T02:00:07.396534Z",
			"updated_at": "2026-04-10T02:00:03.478259Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "MISPGALAXY:CostaRicto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ed39ab4dfaf44a8c65512135a5238e535ceb0c4.pdf",
		"text": "https://archive.orkl.eu/9ed39ab4dfaf44a8c65512135a5238e535ceb0c4.txt",
		"img": "https://archive.orkl.eu/9ed39ab4dfaf44a8c65512135a5238e535ceb0c4.jpg"
	}
}