Careto
Careto, also known as The Mask, is a highly sophisticated cyber-espionage threat actor active since at least 2007. Reporting describes it as a likely state-sponsored actor: it has been characterized as a Spanish-speaking nation-state group, and Kaspersky assessed that it could be state-sponsored based on its sophistication and operational behavior.

Historically, Careto has targeted high-profile organizations including governments, diplomatic entities, embassies, research institutions, energy and oil and gas companies, private equity firms, and activists. The group is associated with advanced, modular malware for Windows and Mac OS X, including rootkit and bootkit capabilities; command-and-control artifacts also suggested possible Linux, Android, and iOS implants. Initial infections were delivered through spear-phishing emails linking to malicious websites, including exploitation of the Adobe Flash Player vulnerability CVE-2012-0773, as well as social-engineering lures prompting Java and Chrome plugin installation. The malware collected sensitive files and credentials, including encryption keys, VPN configurations, SSH keys, RDP files, certificates, and other document- and email-related data; tools associated with Careto also searched compromised systems for cryptographic keys and certificate files.

Kaspersky's original public reporting stated that Careto infrastructure was taken offline in January 2014, but later research linked intrusions from 2019, 2022, and early 2024 to the actor with medium to high confidence.

In a 2019 intrusion, the actor used the Careto2 and Goreto frameworks. Careto2 used a plugin-based architecture, virtual file system storage, scheduled-task execution, and COM hijacking for persistence; identified plugins included ConfigMgr.dll, FileFilter.dll, Storage.dll, Kodak.dll, and Comm.dll, the last of which uploaded exfiltrated data to attacker-controlled OneDrive storage. Goreto, a Golang toolset, periodically connected to Google Drive to retrieve commands and supported file download and upload, command execution, keylogging, and screenshot capture.

In a 2022 intrusion against a Latin American organization, the actor compromised an MDaemon email server and abused the WorldClient extension mechanism for persistence by modifying WorldClient.ini and configuring malicious CgiBase6/CgiFile6 entries. The malicious extension supported reconnaissance, file-system interaction, and execution of additional payloads. For lateral movement and persistence, the attackers used scheduled tasks and abused the legitimate HitmanPro Alert driver hmpalert.sys to load a malicious hmpalert.dll into privileged processes such as winlogon.exe and dwm.exe. Kaspersky named the resulting implant FakeHMP; it could retrieve files, log keystrokes, take screenshots, and deploy further payloads, and the attackers also deployed a microphone recorder and a file stealer.

In early 2024, the same hmpalert.sys abuse was observed against another victim, this time using a Google Updater-based technique instead of scheduled tasks. Attribution in the recent cases rested on overlaps with historical The Mask activity, including victimology, file names, plugin naming conventions, persistence methods, virtual file systems, cloud storage usage, process propagation techniques, and repeated use of the installer file ~dfae01202c5f0dba42.cmd.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Academia & Research
Tradecraft
26 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it was exploited in the wild.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
- Government-linked espionage group cited as historical context for Kaspersky's attribution signaling; not directly tied to Coruna/Triangulation operations in this article.
- Long-running, highly sophisticated espionage actor (active since at least 2007) referenced as resurfacing with a multi-platform malware arsenal.
- Careto is conducting advanced cyberattacks targeting high-profile organizations and critical infrastructure, with a focus on government agencies, diplomatic entities, and research institutions. The group is known for deploying zero-day exploits and complex implants, and has recently demonstrated new infection and persistence techniques targeting email infrastructure.
- Advanced cyber-espionage operation active since at least 2007, using a highly sophisticated modular toolset with rootkit and bootkit capabilities, cross-platform implants, and strong operational security to steal sensitive documents, encryption material, VPN configurations, SSH keys, and RDP files from high-value targets.