A New Hacker-for-Hire Mercenary Group Reported

The rising scene of hack-for-fire companies has recently become more prominent. According to BlackBerry's security team, a new hacker-for-hire group has mobilized attacks across different countries all over the globe.

The CostaRicto campaign

Dubbed CostaRicto, it is the fifth hacker-for-hire mercenary group discovered in 2020. 
  • The victims of the attack appear to be in South Asia (especially India, Bangladesh, and Singapore), Europe, Africa, America, and Australia.
  • The campaign prominently targets financial institutions, while some targets were observed across other verticals as well. 
  • The group has been seen using custom-built and never-before-seen malware with simple yet effective techniques.

Modus operandi

The malware allows attackers to access infected hosts, search for sensitive files, and exfiltrate confidential documents.
  • The initial entry vectors include stolen credentials from the dark web or spear-phishing emails to deploy a backdoor trojan named Sombra or SombRAT.
  • With better-than-average operation security tactics, the group has been hosting its C2 infrastructure on the dark web. 
  • To evade detection, the group has been using complex VPN proxy and SSH tunneling capabilities.

Hacker-for-hire - a prominent trend

Several hacker-for-hire groups have already marked their success in various campaigns this year. In mid-2020, researchers had disclosed details about the BellTrox (aka Dark Basin), DeathStalker (aka Deceptikons), Bahamut, and unnamed hacker-for-hire groups.
  • Last month, BlackBerry researchers disclosed that the Bahamut group had been using phishing, malicious apps, and zero-day attacks against its victims.
  • In August, Bitdefender had found an unnamed hacker-for-hire group targeting an international architectural and video production company.
  • In its Q1 2020 TAG Bulletin, Google had highlighted the increasing number of hacker-for-hire mercenary groups by disclosing seven coordinated political influence campaigns.


The discovery of the CostaRicto campaign has retroactively confirmed the maturing hacker-for-hire scene. More and more cybercriminals are renting their services to multiple customers with different agendas, and therefore, security analysts and agencies need to prepare their cyber defenses accordingly.