{
	"id": "1c84c627-1b93-49aa-b3ed-3c88d7c05fef",
	"created_at": "2026-04-06T00:18:16.611039Z",
	"updated_at": "2026-04-10T13:12:04.18481Z",
	"deleted_at": null,
	"sha1_hash": "5723f67c49c7c6e8c38d9f1f21cd20c66729d45b",
	"title": "The Careto/Mask APT: Frequently Asked Questions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 300492,
	"plain_text": "The Careto/Mask APT: Frequently Asked Questions\r\nBy GReAT\r\nPublished: 2014-02-10 · Archived: 2026-04-05 13:14:17 UTC\r\nWhat exactly is Careto / “The Mask”?\r\nThe Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.\r\nWhat makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely\r\nsophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for\r\nAndroid and iPad/iPhone (iOS).\r\nhttps://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/\r\nPage 1 of 7\n\nThe Mask also uses a customized attack against older Kaspersky Lab products in order to hide in the system. This\r\nputs it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current\r\ntime. This and several other factors make us believe this could be a state-sponsored operation.\r\nWhy do you call it The Mask?\r\nThe name “Mask” comes from the Spanish slang word “Careto” (“Mask” or “Ugly Face”) that the authors\r\nincluded in some of the malware modules.\r\nWho are the victims? / What can you say about the targets of the attacks?\r\nThe main targets of Careto fall into the following categories:\r\nGovernment institutions\r\nDiplomatic offices and embassies\r\nEnergy, oil and gas companies\r\nResearch institutions\r\nPrivate equity firms\r\nActivists\r\nDo we know the total number of victims?\r\nAlthough the exact number of victims is unknown, we observed victims at more than 1000 IP addresses in 31\r\ncountries. 
Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa\r\nRica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco,\r\nNorway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and\r\nVenezuela.\r\nBased on an identification algorithm we developed, we counted over 380 unique victims across more than 1000 IPs.\r\nHowever, considering that victim information has been collected only for some command-and-control servers and\r\nsinkholed hosts, the total number of affected countries and unique victims can be much higher.\r\nWhat does Careto do? What happens after a target machine is infected?\r\nFor the victims, an infection with Careto is disastrous. The malware intercepts all the communication channels and\r\ncollects the most vital information from the infected system. Detection is extremely difficult because of stealth\r\nrootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules\r\nwhich can perform any malicious task. Given the nature of the known victims, the impact is potentially very high.\r\nHow does Careto infect computers?\r\nThe Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website. The\r\nmalicious website contains a number of exploits designed to infect the visitor, depending on the visitor’s system\r\nconfiguration. Upon successful infection, the malicious website redirects the user to the benign website referenced\r\nin the e-mail, which can be a YouTube movie or a news portal.\r\nIt’s important to note the exploit websites do not automatically infect visitors; instead, the attackers host the\r\nexploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails. 
Sometimes, the attackers use sub-domains on the exploit websites to make them seem more legitimate.\r\nThese sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the\r\nGuardian and the Washington Post.\r\nAre the attackers using any zero-day vulnerabilities?\r\nSo far, we observed attacks using multiple vectors. These include at least one Adobe Flash Player exploit (CVE-2012-0773). The exploit was designed for Flash Player versions prior to 10.3 and 11.2.\r\nCVE-2012-0773 was originally discovered by VUPEN and has an interesting story. This was the first exploit\r\nto break the Chrome sandbox and was used to win the CanSecWest Pwn2Own contest in 2012. The exploit caused\r\na bit of a controversy because the VUPEN team refused to reveal how they escaped the sandbox, claiming they\r\nwere planning to sell the exploit to their customers. It is possible that the Careto threat actor purchased this exploit\r\nfrom VUPEN. (See story by Ryan Naraine)\r\nOther vectors used include social engineering, asking the user to download and execute a JavaUpdate.jar file or to\r\ninstall a Chrome browser plugin. We suspect other exploits exist as well, but we haven’t been able to retrieve them\r\nfrom the attack server.\r\nIs this a Windows-only threat? Which versions of Windows are targeted? Are there\r\nMac OS X or Linux variants?\r\nSo far, we observed Trojans for Microsoft Windows and Mac OS X. Some of the exploit server paths contain\r\nmodules that appear to have been designed to infect Linux computers, but we have not yet located the Linux\r\nbackdoor. Additionally, some of the C\u0026C artifacts (logs) indicate that backdoors for Android and Apple iOS may\r\nalso exist.\r\nHave you seen any evidence of a mobile component – iOS, Android or BlackBerry?\r\nWe suspect an iOS backdoor exists but we haven’t been able to locate it yet. 
The suspicion is based on a debug log\r\nfrom one of the C\u0026C servers where a victim in Argentina is identified and logged as having a user agent of\r\n“Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko)\r\nMobile/10B329”. This appears to indicate it is an iPad, although without a sample, it’s hard to be sure.\r\nIn addition to this, we also suspect the existence of an Android implant. This is based on a unique version\r\nidentifier sent to the C\u0026C which is “AND1.0.0.0”. Communications with this unique identifier have been\r\nobserved over 3G links, indicating a possible mobile device.\r\nHow is this different from any other APT attack?\r\nWhat makes The Mask special is the complexity of the toolset used by the attackers. This includes extremely\r\nsophisticated malware, a rootkit, a bootkit, Mac and Linux versions and possibly versions for Android and\r\niPad/iPhone (Apple iOS).\r\nAlso, The Mask uses a customized attack against older Kaspersky products in order to hide in the system. This\r\nputs it above Duqu in terms of sophistication, making The Mask one of the most advanced APTs at the current\r\ntime. This and several other factors make us believe this could be a state-sponsored operation.\r\nHow did you become aware of this threat? Who reported it?\r\nWe initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make\r\nthe malware “invisible” in the system.\r\nOf course, this raised our interest and our research team decided to investigate further. In other words, the\r\nattackers attracted our attention by attempting to exploit Kaspersky Lab products.\r\nAlthough the vulnerability in the products was discovered and fixed five years ago, there is still a possibility that\r\nthere are users out there who haven’t updated the product. 
In such cases the exploit can still be active, although it\r\nwill not prevent us from removing the malware and cleaning the system.\r\nAre there multiple variants of Careto? Are there any major differences in the\r\nvariants?\r\nCareto is a highly modular system; it supports plugins and configuration files which allow it to perform a large\r\nnumber of functions.\r\nVariants of Careto have different compilation timestamps going back to 2007. Most modules were created in 2012.\r\nIs the command-and-control server used by Careto still active? Have you been able\r\nto sinkhole any of the C\u0026Cs?\r\nAt the moment, all known Careto C\u0026C servers are offline. The attackers began taking them offline in January\r\n2014. We were also able to sinkhole several C\u0026C servers, which allowed us to gather statistics on the operation.\r\nWhat exactly is being stolen from the target machines?\r\nThe malware collects a large list of documents from the infected system, including encryption keys, VPN\r\nconfigurations, SSH keys and RDP files. There are also several unknown extensions being monitored that we have\r\nnot been able to identify and could be related to custom military/government-level encryption tools.\r\nHere’s the full list of collected files from the configurations we analyzed:\r\n*.AKF,*.ASC,*.AXX,*.CFD,*.CFE,*.CRT,*.DOC,*.DOCX,*.EML,*.ENC,*.GMG,*.GPG,*.HSE,*.KEY,\r\n*.M15,*.M2F,*.M2O,*.M2R,*.MLS,*.OCFS,*.OCU,*.ODS,*.ODT,*.OVPN,*.P7C,*.P7M,*.P7Z,*.PAB,*.PDF,\r\n*.PGP,*.PKR,*.PPK,*.PSW,*.PXL,*.RDP,*.RTF,*.SDC,*.SDW,*.SKR,*.SSH,*.SXC,*.SXW,*.VSD,\r\n*.WAB,*.WPD,*.WPS,*.WRD,*.XLS,*.XLSX\r\nThe Mask uses a customized attack against older Kaspersky Lab products in order to hide in the system. In\r\naddition, it includes a rootkit, a bootkit, Linux/Mac versions and possibly a version for Apple iOS. 
This puts it\r\nabove Duqu in terms of sophistication, making The Mask one of the most advanced APTs at the current time.\r\nAlso, we observed a very high degree of professionalism in the operational procedures of the group behind this\r\nattack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through\r\naccess rules, using wiping instead of deletion for log files, etc. This level of operational security is not normal for\r\ncybercriminal groups.\r\nThis and several other factors make us believe this could be a state-sponsored campaign.\r\nWho is responsible?\r\nAttribution is a difficult task. On the internet, it is extremely difficult to make a solid attribution due to the volatile\r\nnature of the way it was built.\r\nSome clues such as the use of the Spanish language are weak, as it is spoken in many countries, including Latin\r\nAmerica, Mexico or the United States (for instance in Miami, where a strong Spanish-speaking community\r\nexists).\r\nWe should also keep in mind the possibility of false flag attacks before making any solid assumption on the\r\nidentity of who is responsible without very solid proof.\r\nHow long have the attackers been active?\r\nSome Careto samples were compiled as far back as 2007. The campaign was active until January 2014, but during\r\nour investigations the C\u0026C servers were shut down.\r\nThat’s at least five years. We cannot rule out the possibility of the attackers resurrecting the campaign at some\r\npoint in the future.\r\nDid the attackers use any interesting/advanced technologies?\r\nThe Windows backdoor is extremely sophisticated, and the attackers used a number of techniques in order to try to\r\nmake the attack stealthier. These include injection into system libraries and attempting to exploit older Kaspersky\r\nLab products to avoid detection.\r\nAdditionally, the exploits cover all potential target systems, including Mac OS X and Linux. 
Also, the\r\ncommunication between different exploit shellcode modules is done through cookies, which is quite an unusual\r\ntechnique.\r\nDoes Kaspersky Lab detect all variants of this malware?\r\nYes. Our products detect and remove all known versions of the malware used by the attackers. Detection names:\r\nTrojan.Win32/Win64.Careto.*\r\nTrojan.OSX.Careto\r\nAre there Indicators of Compromise (IOCs) to help victims identify the intrusion?\r\nYes, IOC information has been included in our detailed technical research paper.\r\nYou can read our full report here.\r\nSource: https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/"
	],
	"report_names": [
		"58254"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5723f67c49c7c6e8c38d9f1f21cd20c66729d45b.pdf",
		"text": "https://archive.orkl.eu/5723f67c49c7c6e8c38d9f1f21cd20c66729d45b.txt",
		"img": "https://archive.orkl.eu/5723f67c49c7c6e8c38d9f1f21cd20c66729d45b.jpg"
	}
}