{
	"id": "4a049798-d56e-4718-9be1-58a34d0d7dc9",
	"created_at": "2026-04-06T00:18:10.393281Z",
	"updated_at": "2026-04-10T03:35:29.032327Z",
	"deleted_at": null,
	"sha1_hash": "2696462d5a9d6ecd847fea97689ac194802f7d31",
	"title": "Careto is back: what’s new after 10 years of silence?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 460383,
	"plain_text": "Careto is back: what’s new after 10 years of silence?\r\nBy Georgy Kucherin\r\nPublished: 2024-12-12 · Archived: 2026-04-05 12:57:45 UTC\r\nDuring the first week of October, Kaspersky took part in the 34th Virus Bulletin International Conference, one of the longest-running cybersecurity events. There, our researchers delivered multiple presentations, and one of our talks focused on newly observed activities by the Careto threat actor, which is also known as “The Mask”. You can watch the recording of this presentation here:\r\nThe Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007. Their targets are usually high-profile organizations, such as governments, diplomatic entities and research institutions. To infect them, The Mask uses complex implants, often delivered through zero-day exploits. The last time we published our findings about The Mask was in early 2014, and since then, we have been unable to discover any further traces of this actor.\r\nThe Mask’s new unusual attacks\r\nHowever, our newest research into two notable targeted attack clusters made it possible to identify several recent cyberattacks that have been, with medium to high confidence, conducted by The Mask. Specifically, we observed one of these attacks targeting an organization in Latin America in 2022. While we do not have any traces allowing us to tell how this organization became compromised, we have established that over the course of the infection, attackers gained access to its MDaemon email server. They further leveraged this server to maintain persistence inside the compromised organization with the help of a unique method involving an MDaemon webmail component called WorldClient.\r\nhttps://securelist.com/careto-is-back/114942/\r\nPage 1 of 6\r\nAuthentication panel of the WorldClient component\r\nImplanting the MDaemon server\r\nThe persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server. These extensions can be configured through the C:\\MDaemon\\WorldClient\\WorldClient.ini file, which has the format demonstrated in the screenshot below:\r\nSample of the WorldClient.ini file containing plugin entries\r\nAs can be observed from the screenshot above, the information about each extension includes a relative URL controlled by the extension (specified in the CgiBase parameter), as well as the path to the extension DLL (in the parameter CgiFile).\r\nTo use WorldClient’s extension feature for obtaining persistence, the threat actor compiled their own extension and configured it by adding malicious entries for the CgiBase6 and CgiFile6 parameters, underlined in red in the screenshot. As such, the actor was able to interact with the malicious extension by making HTTP requests to the URL https://\u003cwebmail server domain name\u003e/WorldClient/mailbox.\r\nSpreading the FakeHMP implant inside the network\r\nThe malicious extension installed by attackers implemented a set of commands associated with reconnaissance, performing file system interactions and executing additional payloads. We observed attackers using these commands to gather information about the infected organization and then spread to other computers inside its network. While investigating the infection that occurred in Latin America in 2022, we established that the attackers used the following files to conduct lateral movement:\r\nhmpalert.sys, a legitimate driver of the HitmanPro Alert software\r\nhmpalert.dll, a malicious DLL with the payload to be delivered\r\n~dfae01202c5f0dba42.cmd, a malicious .bat file\r\nTpm-HASCertRetr.xml, a malicious XML file containing a scheduled task description\r\nTo spread to other machines, attackers uploaded these four files and then created scheduled tasks with the help of the Tpm-HASCertRetr.xml description file. When started, these scheduled tasks executed commands specified in the ~dfae01202c5f0dba42.cmd file, which in turn installed the hmpalert.sys driver and configured it to load on startup.\r\nOne of the functions of the hmpalert.sys driver is to load HitmanPro’s DLL, placed at C:\\Windows\\System32\\hmpalert.dll, into running processes. However, as this driver does not verify the legitimacy of the DLLs it loads, attackers were able to place their payload DLLs at this path and thus inject them into various privileged processes, such as winlogon.exe and dwm.exe, on system startup.\r\nWhat was also notable is that we observed attackers using the hmpalert.sys driver to infect a machine of an unidentified individual or organization in early 2024. However, unlike in 2022, the adversary did not use scheduled tasks to do that. Instead, they leveraged a technique involving Google Updater, described here.\r\nThe payload contained in the malicious hmpalert.dll library turned out to be a previously unknown implant that we dubbed FakeHMP. Its capabilities included retrieving files from the filesystem, logging keystrokes, taking screenshots and deploying further payloads to infected machines. Apart from this implant, we also observed attackers deploying a microphone recorder and a file stealer to compromised computers.\r\nSame organization, hacked by The Mask in 2019\r\nHaving examined available information about the organization compromised in 2022, we found that it was also compromised with an advanced attack in 2019. That earlier attack involved the use of two malicious frameworks which we dubbed “Careto2” and “Goreto”. As for Careto2, we observed the threat actor deploying the following three files to install it:\r\nFramework loader (placed at %appdata%\\Media Center Programs\\cversions.2.db);\r\nFramework installer (named ~dfae01202c5f0dba42.cmd);\r\nAuxiliary registry file (placed at %temp%\\values.reg).\r\nWe further found that, just like in the 2022 infection case, attackers used a scheduled task to launch a .cmd file, which in turn configured the framework to persist on the compromised device. The persistence method observed was COM hijacking via the {603d3801-bd81-11d0-a3a5-00c04fd706ec} CLSID.\r\nRegarding the framework itself, it was designed to read plugins stored in its virtual file system, located in the file %appdata%\\Media Center Programs\\C_12058.NLS. The name of each plugin in this filesystem turned out to be a four-byte value, such as “38568efd”. We have been able to ascertain that these four-byte values were DJB2 hashes of DLL names. This made it possible to brute-force these plugin names, some of which are provided in the table below:\r\nPlugin DLL name hash | Likely DLL name | Plugin description\r\n38568efd | ConfigMgr.dll | Manages configuration parameters of Careto2.\r\n5ca54969 | FileFilter.dll | Monitors file modifications in specified folders.\r\nb6df77b6 | Storage.dll | Manages storage of stolen files.\r\n1c9f9885 | Kodak.dll | Takes screenshots.\r\n82b79b83 | Comm.dll | Uploads exfiltrated data to an attacker-controlled OneDrive storage.\r\nRegarding the other framework, Goreto, it is a toolset coded in Golang that periodically connects to a Google Drive storage to retrieve commands. The list of supported commands is as follows:\r\nCommand name | Description\r\ndownloadandexec | Downloads a file from Google Drive, decrypts it, drops it to disk and executes it.\r\ndownloadfile | Downloads a file from Google Drive, decrypts it and drops it to disk.\r\nuploadfile | Reads a specified file from disk, encrypts it and uploads it to Google Drive.\r\nexec | Executes a specified shell command.\r\nApart from the command execution engine, Goreto implements a keylogger and a screenshot taker.\r\nAttribution\r\nAs mentioned above, we attribute the previously described attacks to The Mask with medium to high confidence. One of the first attribution clues that caught our attention was several file names used by the malware since 2019, alarmingly similar to the ones used by The Mask more than 10 years ago:\r\n2007-2013 attack file names | 2019 attack file names\r\n~df01ac74d8be15ee01.tmp | ~dfae01202c5f0dba42.cmd\r\nc_27803.nls | c_12058.nls\r\nThe brute-forced DLL names of Careto2 plugins also turned out to resemble the names of plugins used by The Mask in 2007–2013:\r\n2007-2013 attack module names | 2019 attack module names\r\nFileFlt | FileFilter\r\nStorage | Storage\r\nConfig | ConfigMgr\r\nFinally, the campaigns conducted in 2007–2013 and 2019 have multiple overlaps in terms of TTPs, for instance the use of virtual file systems for storing plugins and the use of COM hijacking for persistence.\r\nRegarding the attacks observed in 2022 and 2024, we have also attributed these to The Mask, mainly for the following reasons:\r\nThe organization in Latin America, infected in 2022, was the one compromised by Careto2 in 2019, and by historical The Mask implants in 2007-2013;\r\nIn both the 2019 and 2022 cases, the same unique file name was used to deploy implants to infected machines: ~dfae01202c5f0dba42.cmd;\r\nThe attacks from 2019 and 2022–2024 overlap in terms of TTPs, as the malware deployed in these attacks uses cloud storage for exfiltration and propagates across system processes.\r\nConclusion\r\nTen years after we last saw Careto cyberattacks, this actor is still as powerful as before. That is because Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading through the HitmanPro Alert driver, as well as developing complex multi-component malware. While we cannot estimate how long it will take for the community to discover the next attacks by this actor, we are confident that their next campaign will be as sophisticated as the previous ones.\r\nIf you want more technical information about Careto, please feel free to also read the research paper on this actor, published in Proceedings of the 34th Virus Bulletin International Conference.\r\nSource: https://securelist.com/careto-is-back/114942/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/careto-is-back/114942/"
	],
	"report_names": [
		"114942"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434690,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2696462d5a9d6ecd847fea97689ac194802f7d31.pdf",
		"text": "https://archive.orkl.eu/2696462d5a9d6ecd847fea97689ac194802f7d31.txt",
		"img": "https://archive.orkl.eu/2696462d5a9d6ecd847fea97689ac194802f7d31.jpg"
	}
}