
After a decade of disappearing from the cybersecurity landscape, the Careto threat group, also known as “The Mask,” has resurfaced with sophisticated new attack methods targeting high-profile organizations.
Security researchers have identified fresh evidence of Careto’s activity, revealing how the group evolved its tactics to compromise critical infrastructure and maintain persistent access to sensitive networks.
The Careto group has been conducting advanced cyberattacks since at least 2007, traditionally focusing on government agencies, diplomatic entities, and research institutions.
Known for deploying zero-day exploits to deliver complex implants, Careto remained silent after early 2014, leaving security experts uncertain about the group’s future activities.
However, detailed investigations into recent targeted attack clusters have confirmed that the group is actively conducting operations once more, demonstrating an alarming return to prominence.
Securelist analysts and researchers identified the group’s recent campaigns, with notable evidence of attacks targeting an organization in Latin America during 2022.
What makes this resurgence particularly concerning is the group’s refined approach to gaining and maintaining control within compromised networks.
MDaemon Email Server Exploitation and WorldClient Persistence
The group’s new infection method reveals a shift toward email infrastructure targeting. Upon breaching a victim’s network, attackers gained access to the MDaemon email server, a critical communication hub.
Rather than deploying obvious malware, Careto used a clever persistence technique leveraging MDaemon’s WorldClient webmail component, which allows loading custom extensions.
The attackers compiled a malicious extension and modified the WorldClient.ini configuration file, adding entries that redirected HTTP requests to their custom code.
Specifically, they configured the CgiBase6 parameter to point at the “/WorldClient/mailbox” path and set CgiFile6 to the path of their malicious DLL, so that ordinary requests to that webmail URL were handled by the attackers' extension.
This technique proved remarkably effective because it blended with legitimate email operations.
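Because the persistence lives in a configuration file rather than in an obviously malicious binary, a useful defensive check is to audit the numbered CgiBase/CgiFile pairs in WorldClient.ini against a known-good baseline. The script below is an added example, not code from the article or from MDaemon: it parses constructed WorldClient.ini-style lines (the section name and surrounding keys are assumptions), pairs each CgiBaseN with its CgiFileN, and flags any extension DLL that is not in the administrator's allowlist or that sits outside the assumed install directory.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the style of WorldClient.ini (hypothetical; not a real
# MDaemon configuration). Only the numbered CgiBase/CgiFile pairs come from the
# article's description; the section name and other keys are assumptions.
SAMPLE_INI = """\
[WebServer]
Enable=Yes
CgiBase1=/WorldClient/cgi
CgiFile1=C:\\MDaemon\\WorldClient\\HTML\\WorldClient.dll
CgiBase6=/WorldClient/mailbox
CgiFile6=C:\\MDaemon\\WorldClient\\HTML\\mailbox.dll
CgiBase7=/WorldClient/update
CgiFile7=C:\\Windows\\Temp\\update.dll
"""

# Allowlist of extension DLL file names expected on this server (hypothetical;
# an administrator would build this from a known-good installation).
BASELINE_DLLS = {"worldclient.dll"}
# Assumed WorldClient install root; extension DLLs should live beneath it.
INSTALL_ROOT = PureWindowsPath(r"C:\MDaemon\WorldClient")

_ENTRY = re.compile(r"^\s*(CgiBase|CgiFile)(\d+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_cgi_entries(text):
    """Return {index: {'base': url_path, 'file': dll_path}} for numbered pairs."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        kind, idx, value = m.group(1).lower(), int(m.group(2)), m.group(3)
        slot = entries.setdefault(idx, {})
        slot["base" if kind == "cgibase" else "file"] = value
    return entries


def audit_cgi_entries(text, baseline=BASELINE_DLLS, install_root=INSTALL_ROOT):
    """Return (index, base, file, reason) tuples for pairs that deviate from baseline."""
    findings = []
    for idx, slot in sorted(parse_cgi_entries(text).items()):
        file_path = slot.get("file")
        if file_path is None:
            findings.append((idx, slot.get("base"), None, "CgiBase without CgiFile"))
            continue
        p = PureWindowsPath(file_path)
        reasons = []
        if p.name.lower() not in baseline:
            reasons.append("DLL not in baseline")
        try:
            p.relative_to(install_root)  # raises ValueError when outside the tree
        except ValueError:
            reasons.append("DLL outside install root")
        if reasons:
            findings.append((idx, slot.get("base"), file_path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for idx, base, path, reason in audit_cgi_entries(SAMPLE_INI):
        print(f"CgiBase{idx}={base} -> CgiFile{idx}={path}: {reason}")
```

Run against the real file, the audit is only as good as the baseline: record the DLL names and paths from a freshly installed server before it is exposed, and treat any new numbered pair, especially one mapped to a user-facing path such as “/WorldClient/mailbox”, as a change that needs to be explained by a documented deployment.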
From this foothold, Careto deployed the previously unknown FakeHMP implant across the network using a sophisticated lateral movement strategy.
The group leveraged legitimate system drivers, particularly the HitmanPro Alert driver (hmpalert.sys), to inject malicious code into privileged Windows processes like winlogon.exe and dwm.exe.
The FakeHMP implant provided the attackers with comprehensive surveillance capabilities, including keystroke logging, screenshot capture, file retrieval, and additional payload deployment.
This resurgence demonstrates that Careto remains a formidable threat, combining decades of operational experience with innovative infection methods that exploit legitimate software components for maximum stealth and persistence.
