The rising scene of hack-for-fire companies has recently become more prominent. According to BlackBerry's security team, a new hacker-for-hire group has mobilized attacks across different countries all over the globe.

The CostaRicto campaign

Dubbed CostaRicto, it is the fifth hacker-for-hire mercenary group discovered in 2020. 
  • The victims of the attack appear to be in South Asia (especially India, Bangladesh, and Singapore), Europe, Africa, America, and Australia.
  • The campaign prominently targets financial institutions, while some targets were observed across other verticals as well. 
  • The group has been seen using custom-built and never-before-seen malware with simple yet effective techniques.

Modus operandi

The malware allows attackers to access infected hosts, search for sensitive files, and exfiltrate confidential documents.
  • The initial entry vectors include stolen credentials from the dark web or spear-phishing emails to deploy a backdoor trojan named Sombra or SombRAT.
  • With better-than-average operation security tactics, the group has been hosting its C2 infrastructure on the dark web. 
  • To evade detection, the group has been using complex VPN proxy and SSH tunneling capabilities.

Hacker-for-hire - a prominent trend

Several hacker-for-hire groups have already marked their success in various campaigns this year. In mid-2020, researchers had disclosed details about the BellTrox (aka Dark Basin), DeathStalker (aka Deceptikons), Bahamut, and unnamed hacker-for-hire groups.
  • Last month, BlackBerry researchers disclosed that the Bahamut group had been using phishing, malicious apps, and zero-day attacks against its victims.
  • In August, Bitdefender had found an unnamed hacker-for-hire group targeting an international architectural and video production company.
  • In its Q1 2020 TAG Bulletin, Google had highlighted the increasing number of hacker-for-hire mercenary groups by disclosing seven coordinated political influence campaigns.


The discovery of the CostaRicto campaign has retroactively confirmed the maturing hacker-for-hire scene. More and more cybercriminals are renting their services to multiple customers with different agendas, and therefore, security analysts and agencies need to prepare their cyber defenses accordingly.

Cyware Publisher