The Mask Slips Again: Careto APT’s Shadowy Comeback Shakes Cybersecurity
A decade after vanishing, the notorious Careto hacker group returns with upgraded digital espionage tactics targeting critical infrastructure worldwide.
In the world of cyber espionage, some ghosts never rest. After nearly ten years of silence, the infamous Careto - also known as The Mask - has reemerged from the digital shadows. This time, the group is wielding new and ingenious tools, targeting high-profile organizations with a blend of old-school cunning and modern technical wizardry. Their latest campaigns, revealed by Kaspersky researchers, show a threat actor that’s not only survived the test of time but evolved to remain one step ahead.
Inside Careto’s Comeback: Old Faces, New Tricks
The Mask’s latest chapter began with a puzzling breach in a Latin American organization in 2022. Investigators found that Careto had compromised the company’s MDaemon email server, exploiting a rarely targeted webmail component known as WorldClient. By manipulating obscure configuration entries - specifically “CgiBase6” and “CgiFile6” - the attackers seamlessly injected their own malicious extension, granting themselves persistent, stealthy access via simple web requests. This foothold allowed them to perform reconnaissance, execute commands, and deploy their payloads without raising alarms.
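For defenders who run MDaemon, the persistence described above is auditable: every CgiBaseN/CgiFileN pair in the WorldClient configuration maps a URL path to a handler file, so an unexpected handler is the thing to look for. The following script is an added example written for this page, not code from Kaspersky or from the Careto report. The page names only the CgiBase6/CgiFile6 keys; the INI-style layout, the [WorldClient] section name, the install directory and the baseline file list are assumptions of this example and must be replaced with values from your own golden image.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a WorldClient configuration. The INI layout and the
# section name are assumptions; the page itself names only CgiBase6/CgiFile6.
SAMPLE_CONFIG = """\
[WorldClient]
HostName=mail.example.test
CgiBase0=/WorldClient.dll
CgiFile0=C:\\MDaemon\\WorldClient\\WorldClient.dll
CgiBase6=/WorldClient.cgi
CgiFile6=C:\\MDaemon\\WorldClient\\HTML\\mailproxy.dll
CgiBase7=/status.cgi
CgiFile7=C:\\Windows\\Temp\\status.dll
CgiBase8=/legacy.cgi
"""

# Hypothetical baseline for this example: the directory handlers are expected to
# live in, and the handler file names seen on a clean install.
ALLOWED_DIRS = [r"C:\MDaemon\WorldClient"]
BASELINE_FILES = {"worldclient.dll"}

# Matches CgiBase<N>=... and CgiFile<N>=... regardless of key case.
_ENTRY = re.compile(r"^\s*(CgiBase|CgiFile)(\d+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_cgi_entries(text):
    """Group CgiBaseN / CgiFileN lines by their numeric index N."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        kind, idx, value = m.group(1).lower(), int(m.group(2)), m.group(3)
        entries.setdefault(idx, {})[kind] = value
    return entries


def _under(path, directory):
    """True if path lies inside directory (case-insensitive, Windows semantics)."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    d = [part.lower() for part in PureWindowsPath(directory).parts]
    return len(p) > len(d) and p[: len(d)] == d


def audit_cgi_handlers(text, allowed_dirs=ALLOWED_DIRS, baseline=BASELINE_FILES):
    """Return (index, reason, value) findings for handlers worth investigating.

    A pair is flagged when one half is missing, when the handler file sits
    outside the allowed directory, or when its file name is not in the baseline.
    """
    findings = []
    for idx, entry in sorted(parse_cgi_entries(text).items()):
        base, handler = entry.get("cgibase"), entry.get("cgifile")
        if base is None or handler is None:
            findings.append((idx, "incomplete CgiBase/CgiFile pair", base or handler))
            continue
        if not any(_under(handler, d) for d in allowed_dirs):
            findings.append((idx, "handler outside allowed directory", handler))
        elif PureWindowsPath(handler).name.lower() not in baseline:
            findings.append((idx, "handler not in baseline", handler))
    return findings


if __name__ == "__main__":
    for idx, reason, value in audit_cgi_handlers(SAMPLE_CONFIG):
        print(f"entry {idx}: {reason}: {value}")
```

On the constructed sample the clean entry 0 passes, entry 6 is reported because mailproxy.dll is not a baselined handler even though it sits under the install tree, entry 7 is reported for pointing outside it, and entry 8 for being half of a pair. Run it against the real file on a schedule and alert on any non-empty result; the baseline set is what turns this from a parser into a detection.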
But Careto’s technical prowess didn’t stop there. In the same campaign, the group introduced a sophisticated implant dubbed “FakeHMP.” By abusing the legitimate HitmanPro Alert driver (hmpalert.sys), which loads DLLs into system processes without verifying authenticity, the hackers injected their malware directly into core Windows processes like winlogon.exe. This implant proved capable of recording keystrokes, capturing screenshots, stealing files, and deploying further payloads - essentially giving the attackers full control while remaining hidden.
The group’s adaptability was further displayed in a 2024 incident: instead of relying on traditional scheduled tasks, Careto used Google Updater to infect systems, illustrating a keen understanding of trusted infrastructure. Researchers drew connections between these new attacks and Careto’s earlier operations, noting similarities in filenames, plugin structures, and persistence mechanisms. The frameworks in play - Careto2 and Goreto - offered modular plugin management and data exfiltration via popular cloud services, reinforcing the group’s reputation for creativity and technical depth.
Enduring Threat, Evolving Tactics
Careto’s return isn’t just a nostalgic footnote - it’s a stark warning. The group’s ability to exploit legitimate software, abuse trusted systems, and blend new tactics with proven techniques underscores the persistent threat posed by advanced actors. For cybersecurity professionals and organizations worldwide, the message is clear: vigilance and adaptability are essential, because some adversaries never truly disappear - they simply wait for the perfect moment to strike again.
WIKICROOK
- APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
- DLL (Dynamic Link Library): A DLL is a Windows file containing shared code used by programs. Attackers can abuse the way programs load DLLs, planting malicious ones to gain control over a system.
- Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.
- Keylogging: Keylogging is a spying method where every keystroke you type is secretly recorded and sent to cybercriminals, risking your sensitive information.
- Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.