Careto  (Back to overview)

aka: The Mask, Mask, Ugly Face

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).

Associated Families

There are currently no families associated with this actor.

2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:careto:b6befb4, author = {Cyber Operations Tracker}, title = {{Careto}}, date = {2019}, organization = {Council on Foreign Relations}, url = {}, language = {English}, urldate = {2019-12-20} } Careto
2014-02-10Kaspersky LabsGReAT
@online{great:20140210:caretomask:1aa235f, author = {GReAT}, title = {{The Careto/Mask APT: Frequently Asked Questions}}, date = {2014-02-10}, organization = {Kaspersky Labs}, url = {}, language = {English}, urldate = {2019-12-20} } The Careto/Mask APT: Frequently Asked Questions
2014-02Kaspersky LabsKaspersky
@techreport{kaspersky:201402:unveiling:4e5e91c, author = {Kaspersky}, title = {{Unveiling “Careto” - The Masked APT}}, date = {2014-02}, institution = {Kaspersky Labs}, url = {}, language = {English}, urldate = {2019-10-12} } Unveiling “Careto” - The Masked APT

Credits: MISP Project