The Mask Espionage Group Resurfaces After 10-Year Hiatus

Published: 23/11/2024 | Category: security




Researchers recently spotted the Spanish-speaking threat actor — with nearly 400 previous victims under its belt — in a new campaign in Latin America and Central Africa.



An advanced persistent threat (APT) group that has been missing in action for more than a decade has suddenly resurfaced in a cyber-espionage campaign targeting organizations in Latin America and Central Africa.
The group, called Careto or The Mask, began operations in 2007 and then seemingly vanished in 2013. Over that period, the Spanish-speaking threat actor claimed some 380 unique victims across 31 countries, including the US, UK, France, Germany, China, and Brazil.
Researchers from Kaspersky, who tracked Careto 10 years ago and also spotted its new attacks recently, have identified Careto's previous victims as including government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, and private equity firms.
In a blog post this week, Kaspersky reported that the group has so far targeted at least two organizations in its sophisticated new campaign, one in Central Africa and the other in Latin America. The focus of the attacks appears to have been on stealing confidential documents, as well as cookies, form history, and login data from the Chrome, Edge, Firefox, and Opera browsers, Kaspersky said. The security vendor said it had also observed the attackers targeting cookies from messenger apps such as WhatsApp, WeChat, and Threema.
"We [were] able to discover the latest Careto campaigns thanks to our knowledge of the previous campaigns orchestrated by Careto, as well as indicators of compromise uncovered over the course of investigating these campaigns," says Georgy Kucherin, security researcher at Kaspersky.
"These indicators date back to 10 years ago, which is quite a long time," he says. "For companies that are planning their cybersecurity strategies, it is crucial not to overlook activities of advanced persistent threats (APTs) that have been unseen for a lot of time, as these APTs can come up with completely new, unique attacks at any time."
Kaspersky characterized the Careto actors as using custom techniques to break into both victim environments, maintain persistence on them, and harvest information.
In both attacks, for instance, the attackers appear to have gained initial access via the organizations' MDaemon email server, a product that many small and midsize businesses use. The attackers then planted a backdoor on the server, which gave them control over the network, and also took advantage of a driver associated with the HitmanPro Alert malware scanner to maintain persistence, Kaspersky said.
As part of the attack chain, Careto exploited a previously unknown vulnerability in a security product used by both victims to distribute four multi-modular implants on machines across each victim's network. Kaspersky's report did not identify the security product or the vulnerability that Careto has been exploiting in its new campaign. But the company said it has included full details of Careto's latest attacks, including its tactics, techniques, and procedures, in a private APT report for customers.
"Currently, we are not sharing the name of the product so as not to encourage cybercriminals to perform malicious activity," Kucherin says.
The implants, dubbed FakeHMP, Careto2, Goreto, and the MDaemon implant, enabled the attackers to execute a variety of malicious actions in the victim environments. The MDaemon implant, for instance, enabled the threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement, Kucherin says. The threat actors are using FakeHMP for microphone recording and keylogging, and also for stealing confidential documents and login data, he notes. Both Careto2 and Goreto also perform keylogging and screenshot capture, and Careto2 supports file theft as well, Kucherin says.
"The newly discovered implants are intricate multimodal frameworks, with deployment tactics and techniques that are both unique and sophisticated," Kucherin wrote in Kaspersky's blog post. "Their presence indicates the advanced nature of Careto's operations."
The Careto group is one of several threat groups that Kaspersky highlighted in a roundup of APT activity during the first quarter of 2024. Another is Gelsemium, a threat group that has been using server-side exploits to deploy a Web shell and multiple custom tools on organizations in Palestine and, more recently, in Tajikistan and Kyrgyzstan. Others in the roundup include North Korea's Kimsuky group, which was recently spotted abusing weak DMARC policies in a targeted phishing campaign, and Iran's OilRig group, which is well known for its attacks on targets within Israel's critical infrastructure sector.
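Of the techniques named in this roundup, the one a defender can check directly is the weak DMARC policy that Kimsuky is said to abuse. The following script is an added example, not part of this article or of Kaspersky's report: it parses a DMARC TXT record and flags the settings that leave a domain spoofable (p=none, a subdomain policy of sp=none, a pct below 100, or no record at all) next to the enforcing form. The records are constructed inline for illustration; in practice the record is fetched as the TXT record of _dmarc.<domain>.

```python
"""Assess whether a DMARC record is weak (monitor-only) or enforcing.

Added example, not from the article or from Kaspersky. The sample records
below are constructed for illustration; only the DMARC tag syntax is real.
"""
from typing import Optional, Tuple

Verdict = Tuple[str, str]  # (verdict, reason); verdict is one of
                           # "missing", "invalid", "weak", "enforcing"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag -> value map."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> Verdict:
    """Return a verdict for the _dmarc TXT record of a domain (None = no record)."""
    if record is None:
        return ("missing", "no DMARC record; receivers apply no policy to spoofed mail")

    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("invalid", "record does not start with v=DMARC1, so it is ignored")

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", "missing or unknown p= tag; receivers ignore the record")

    # Subdomain policy defaults to the organizational policy when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return ("invalid", "pct= is not an integer")

    if policy == "none":
        return ("weak", "p=none only requests reports; spoofed mail is still delivered")
    if sub_policy == "none":
        return ("weak", "sp=none lets attackers spoof any subdomain of the domain")
    if pct < 100:
        return ("weak", f"pct={pct} applies the policy to only {pct}% of failing mail")
    return ("enforcing", f"p={policy} is applied to 100% of failing mail")


# Constructed sample records (hypothetical; example.com is a reserved name).
SAMPLES = {
    "no record": None,
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "open subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "partial rollout": "v=DMARC1; p=quarantine; pct=25",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "not dmarc": "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        verdict, reason = assess_dmarc(rec)
        print(f"{label:16} {verdict:10} {reason}")
```

The corrected form of the monitor-only record is the "enforcing" sample: p=reject, with rua= retained so aggregate reports keep flowing. Moving a domain from p=none to p=quarantine and then p=reject (with pct= raised to 100) is the usual rollout path.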
