{
	"id": "1ced00ee-40aa-439b-8b80-5dcae66ab8c5",
	"created_at": "2026-04-06T00:07:01.647964Z",
	"updated_at": "2026-04-10T03:35:28.907434Z",
	"deleted_at": null,
	"sha1_hash": "67b305172060c12ff5f4be23e2cabe289a8998b5",
	"title": "Careto, The Mask - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61890,
	"plain_text": "Careto, The Mask - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 20:38:06 UTC\nHome \u003e List all groups \u003e Careto, The Mask\n APT group: Careto, The Mask\nNames\nCareto (Kaspersky)\nThe Mask (Kaspersky)\nMask (Kaspersky)\nUgly Face (Kaspersky)\nCountry Spain\nSponsor State-sponsored\nMotivation Information theft and espionage\nFirst seen 2007\nDescription\n(Kaspersky) The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name “Mask” comes from the Spanish\nslang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some\nof the malware modules.\nMore than 380 unique victims in 31 countries have been observed to date. What\nmakes “The Mask” special is the complexity of the toolset used by the attackers.\nThis includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit\nWindows versions, Mac OS X and Linux versions and possibly versions for Android\nand iPad/iPhone (Apple iOS).\nObserved\nSectors: Education, Energy, Government and Diplomatic missions.\nCountries: Brazil, France, Germany, Iran, Libya, Morocco, Poland, South Africa,\nSpain, Switzerland, Tunisia, UK, USA, Venezuela.\nTools used Careto.\nOperations performed 2022\nCareto is back: what’s new after 10 years of silence?\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d291611-962c-42b8-88e8-3db17f464f9b\nPage 1 of 2\n\nCounter operations Feb 2014\nAt the moment, all known Careto C\u0026C servers are offline. The\nattackers began taking them offline in January 2014. We were also\nable to sinkhole several C\u0026C servers, which allowed us to gather\nstatistics on the operation.\nInformation\nLast change to this card: 27 June 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d291611-962c-42b8-88e8-3db17f464f9b\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d291611-962c-42b8-88e8-3db17f464f9b\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d291611-962c-42b8-88e8-3db17f464f9b"
	],
	"report_names": [
		"showcard.cgi?u=3d291611-962c-42b8-88e8-3db17f464f9b"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67b305172060c12ff5f4be23e2cabe289a8998b5.pdf",
		"text": "https://archive.orkl.eu/67b305172060c12ff5f4be23e2cabe289a8998b5.txt",
		"img": "https://archive.orkl.eu/67b305172060c12ff5f4be23e2cabe289a8998b5.jpg"
	}
}