{"id":670996,"date":"2025-05-23T13:26:58","date_gmt":"2025-05-23T10:26:58","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say\/"},"modified":"2025-05-23T13:26:58","modified_gmt":"2025-05-23T10:26:58","slug":"mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say\/","title":{"rendered":"Mysterious hacking group Careto was run by the Spanish government, sources say"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"has-drop-cap wp-block-paragraph\">More than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what they thought was a known government-backed group, based on similar targeting and its phishing techniques. Soon, the researchers realized they had found a much more advanced hacking operation that was targeting the Cuban government, among others.<\/p>\n<p class=\"wp-block-paragraph\">Eventually the researchers were able to attribute the network activity to a mysterious \u2014 and at the time completely unknown \u2014 Spanish-speaking hacking group that they called Careto, after the Spanish slang word (\u201cugly face\u201d or \u201cmask\u201d in English), which they found buried within the malware\u2019s code.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Careto was never publicly linked to a specific government. 
But TechCrunch has now learned that the researchers who first discovered the group were convinced that Spanish government hackers were behind Careto\u2019s espionage operations.<\/p>\n<p class=\"wp-block-paragraph\">When Kaspersky <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/mashable.com\/archive\/kaspersky-lab-the-mask-careto\">first revealed the existence of Careto<\/a> in 2014, its researchers called the group \u201cone of the most advanced threats at the moment,\u201d with its stealthy malware capable of stealing highly sensitive data, including private conversations and keystrokes from the computers it compromised, much akin to powerful government spyware today. Careto\u2019s malware was used to hack into government institutions and private companies around the world.<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky avoided publicly blaming who it thought was behind Careto. But internally, according to several people who worked at Kaspersky at the time and had knowledge of the investigation, its researchers concluded that Careto was a hacking team working for the Spanish government.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThere was no doubt of that, at least no reasonable [doubt],\u201d one of the former employees told TechCrunch, who like other sources in this story agreed to speak on condition of anonymity to discuss sensitive matters.<\/p>\n<p class=\"wp-block-paragraph\">Careto is one of only a handful of Western government hacking groups that has ever been discussed in public, along with U.S. government units such as Equation Group, widely believed to be the U.S. 
National Security Agency; the <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/therecord.media\/security-firm-kaspersky-believes-it-found-new-cia-malware\">Lamberts<\/a>, believed to be the CIA; and the French government group known as <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/securelist.com\/animals-in-the-apt-farm\/69114\/\">Animal Farm<\/a>, which was behind the <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"http:\/\/vice.com\/en\/article\/meet-babar-a-new-malware-almost-certainly-created-by-france\/\">Babar<\/a> and <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.vice.com\/en\/article\/dino-french-malware-targeting-iran-searches-for-specific-data-and-steals-it\/\">Dino<\/a> malware. In a rare admission, Bernard Barbier, former head of the French intelligence service DGSE <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/medium.com\/@msuiche\/nsa-hacked-france-in-2012-414d8de4bdcf#.t9e09wox7:~:text=Barbier%20also%20confirms,the%20developer.%20%23OPSECFAIL\">publicly confirmed<\/a> the French government was indeed behind Babar.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The Spanish government now joins this small group of Western government hacking groups.<\/p>\n<figure class=\"wp-block-image alignwide size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"201\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/careto_malware_code.png\" alt=\"A screenshot of Careto\u2019s malware code, which inspired the name of the hacking group.\" class=\"wp-image-3011013\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/careto_malware_code.png 600w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/careto_malware_code.png?resize=150,50 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/careto_malware_code.png?resize=300,101 300w, 
https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/careto_malware_code.png?resize=430,144 430w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\"\/><figcaption class=\"wp-element-caption\"><span class=\"wp-element-caption__text\">A screenshot of Careto\u2019s malware code, which inspired the name of the hacking group. (Image: Kaspersky)<\/span><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Early in its investigation, Kaspersky discovered that the Careto hackers had targeted a particular government network and systems in Cuba, according to a second former Kaspersky employee.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">It was this Cuban government victim that sparked Kaspersky\u2019s investigation into Careto, according to the people speaking with TechCrunch.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIt all started with a guy who worked for the Cuban government who got infected,\u201d the third former Kaspersky employee, with knowledge of the Careto investigation, told TechCrunch. 
The person, who referred to the Cuban government victim as \u201cpatient zero,\u201d said that it appeared the Careto hackers were interested in Cuba because during that time there were members of the Basque terrorist organization ETA in the country.<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky researchers noted in a <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2018\/03\/20133638\/unveilingthemask_v1.0.pdf\">technical report published after their discovery<\/a> that Cuba had by far the most victims of any country at the time of the investigation into Careto\u2019s activities, specifically one unnamed Cuban government institution, which the report said showed \u201cthe current interest of the attackers.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">This Cuban government victim would prove key to linking Careto to Spain, according to the former Kaspersky employees.<\/p>\n<p class=\"wp-block-paragraph\">\u201cInternally we knew who did it,\u201d the third former Kaspersky employee said, adding that they had \u201chigh confidence\u201d it was the Spanish government. Two other former Kaspersky employees, who also had knowledge of the investigation, said the researchers likewise concluded Spain was behind the attacks.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The company, however, decided not to disclose it. \u201cIt wasn\u2019t broadcast because I think they didn\u2019t want to out a government like that,\u201d a fourth former Kaspersky researcher said. \u201cWe had a strict \u2018no attribution\u2019 policy at Kaspersky. 
Sometimes that policy was stretched but never broken.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Apart from Cuba, other Careto targets also pointed to Spain. The espionage operation affected hundreds of victims in Brazil, Morocco, Spain itself and \u2014 perhaps tellingly \u2014 Gibraltar, the disputed British enclave on the Iberian peninsula that Spain <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.exteriores.gob.es\/en\/PoliticaExterior\/Paginas\/Gibraltar.aspx\">has long claimed as its own territory<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky declined to answer questions about its researchers\u2019 conclusions.<\/p>\n<p class=\"wp-block-paragraph\">\u201cWe don\u2019t engage in any formal attribution,\u201d Kaspersky spokesperson Mai Al Akkad told TechCrunch in an email.<\/p>\n<p class=\"wp-block-paragraph\">The Spanish Ministry of Defense declined to comment. The Cuban government did not respond to emails sent to its Ministry of Foreign Affairs.<\/p>\n<h2 class=\"wp-block-heading has-text-align-left\" id=\"h-the-discovery-of-careto\"><span class=\"ez-toc-section\" id=\"The_discovery_of_Careto\"><\/span><strong>The discovery of Careto<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p class=\"wp-block-paragraph\">After Kaspersky <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"http:\/\/securelist.com\/the-caretomask-apt-frequently-asked-questions\/58254\/\">discovered<\/a> the group\u2019s malware in 2014 and, as a result, learned how to identify other computers compromised by it, the researchers found evidence of Careto infections all over the world, compromising victims in 31 countries spanning several continents.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In Africa, the group\u2019s malware was found in Algeria, Morocco, and Libya; in Europe, it targeted victims in France, Spain, and the United Kingdom. 
In Latin America, there were victims in Brazil, Colombia, Cuba, and Venezuela.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In its technical report, Kaspersky said that Cuba had the most victims that were being targeted, with \u201call belonging to the same institution,\u201d which the researchers perceived as of significance to the hackers at that point in time.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Spain had its own particular interest in Cuba in the preceding years. As an exiled Cuban government official <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/web.archive.org\/web\/20180803014333\/https:\/\/elpais.com\/politica\/2012\/05\/18\/actualidad\/1337373025_977227.html#:~:text=%E2%80%94%20De%20los%2022%20acogidos%2C%20quedar%C3%A1n%20unos%2015.%20En%20total%2C%20si%20incluimos%20a%20los%20correos%20de%20ETA%20y%20dem%C3%A1s%20habr%C3%A1n%20pasado%20por%20la%20isla%20una%20treintena.\">told the Spanish daily El Pais<\/a> at the end of 2013, there were around 15 members of the terror group ETA who lived in Cuba with the approval of the local government. In 2014, <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.bbc.com\/mundo\/ultimas_noticias\/2014\/04\/140430_ultnot_cuba_eeuu_patrocinio_terrorismo_mxa\">a leaked U.S. diplomatic cable<\/a> noted that Cuba had given refuge to ETA terrorists for years. 
Earlier in 2010, a Spanish judge <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"http:\/\/bbc.com\/mundo\/america_latina\/2010\/03\/100315_2156_eta_farc_detencion_velasco_venezuela_cuba_irm\">ordered the arrest<\/a> of ETA members living in Cuba.<\/p>\n<p class=\"wp-block-paragraph\">When covering the news of the discovery of Careto, the Spanish online news outlet El Diario noted that targeting countries such as Brazil and Gibraltar <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.eldiario.es\/tecnologia\/careto-pegasus-codigo-espanol-espio-marruecos-30-paises_1_8964693.html\">would favor<\/a> the Spanish government\u2019s \u201cgeostrategic interests.\u201d The Spanish government <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"http:\/\/web.archive.org\/web\/20190420162451\/https:\/\/elpais.com\/economia\/2013\/05\/20\/agencias\/1369079962_701273.html\">had been <\/a><a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.transportes.gob.es\/recursos_mfom\/130529npconsorciobrasil.pdf\">pushing<\/a> for a consortium of government-owned and private companies to win a bid to build a high-speed railway in Brazil from Rio de Janeiro to S\u00e3o Paulo.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Aside from targeting government institutions, embassies, and diplomatic organizations, Kaspersky said the Careto group also targeted energy companies, research institutions, and activists.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky researchers wrote that they were able to find evidence that the Careto malware existed as far back as 2007, and found subsequent versions of Careto capable of exploiting Windows PCs, Macs, and Linux computers. 
The researchers said they found possible evidence of code capable of targeting Android devices and iPhones.<\/p>\n<p class=\"wp-block-paragraph\">While Kaspersky didn\u2019t make its internal attribution public, its researchers left clear hints that pointed to Spain.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">First, the company researchers noted that they found a string in the malware code that was particularly interesting: \u201cCaguen1aMar.\u201d That string is a contraction for the popular Spanish expletive, \u201cme cago en la mar,\u201d which <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"http:\/\/en.wiktionary.org\/wiki\/me_cago_en_el_mar\">literally means<\/a> \u201cI sh\u2013t in the sea,\u201d but roughly translates to \u201cf\u2014k,\u201d a phrase typically used in Spain, and not in other Spanish-speaking countries.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When Kaspersky announced its discovery of Careto in 2014, the company published a map showing all the countries that the hacking group had targeted. Along with the map, Kaspersky <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2014\/02\/08114739\/208216082.jpg\">included<\/a> an illustration of a mask with bull\u2019s horns and a nose ring (the bull is a national symbol of Spain), <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Castanets\">castanets<\/a> or clackers (an instrument used in Spanish folk music), and the red and yellow colors of the Spanish flag.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">A detail in the map revealed how important Cuba was for Careto. For certain countries, Kaspersky added icons specifying what type of targets it was able to identify. The map showed Cuba had a single hacked victim, marked as a government institution. 
Only Gibraltar, Morocco \u2014 whose proximity and <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.investmentmonitor.ai\/features\/why-do-ceuta-and-melilla-matter-to-spain-and-morocco\/\">territorial<\/a> <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/fpif.org\/whats-behind-spains-about-face-on-western-sahara\/\">disputes<\/a> make it a strategic espionage target for Spain \u2014 and Switzerland were the other territories with a government victim.<\/p>\n<figure class=\"wp-block-image alignwide size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1109\" height=\"644\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?w=680\" alt=\"A map of careto's victims along with an illustration of a mask.\" class=\"wp-image-3011016\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png 1109w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=150,87 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=300,174 300w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=768,446 768w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=680,395 680w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=430,250 430w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=720,418 720w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=900,523 900w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=800,465 800w, 
https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=668,388 668w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=646,375 646w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=1063,617 1063w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/kaspersky-careto-the-mask-illustration.png?resize=708,411 708w\" sizes=\"auto, (max-width: 1109px) 100vw, 1109px\"\/><figcaption class=\"wp-element-caption\"><span class=\"wp-element-caption__text\">A map of Careto\u2019s victims along with an illustration of a mask (Image: Kaspersky)<\/span><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Kaspersky said in 2014 that the Careto group\u2019s malware was one of the \u201cmost advanced threats\u201d of the time for its ability to grab highly sensitive data from a victim\u2019s computer. Kaspersky said the malware could also intercept internet traffic, Skype conversations, encryption (PGP) keys, and VPN configurations, take screenshots, and \u201cfetch all information from Nokia devices.\u201d<\/p>\n<p class=\"wp-block-paragraph\">The Careto group relied in large part on spearphishing emails that contained malicious links impersonating Spanish newspapers like El Pa\u00eds, El Mundo, and P\u00fablico, and videos about political subjects and food recipes. 
One of the former Kaspersky employees told TechCrunch that the phishing links also included references to ETA and Basque news, which Kaspersky\u2019s report omitted.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When clicking on these malicious links, the victim would get infected using an exploit that hacked the user\u2019s specific device, then redirected to a legitimate web page so as to not raise suspicions, according to Kaspersky\u2019s report.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The Careto operators also took advantage of a since-patched vulnerability in older versions of Kaspersky\u2019s antivirus software, which the company said in its 2014 published report was how it first discovered the malware.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The ubiquity of Kaspersky\u2019s software in Cuba effectively made it possible for Careto to target almost anyone on the island with an internet connection. (By 2018, the Russian antivirus company controlled some 90% of the island\u2019s internet security market, <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/CubaStandard\/status\/1058872346960936962\">according to Cuba Standard<\/a>, an independent news website.) The antivirus is so popular across the country that the company\u2019s name <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/lorenzofb\/status\/1650220822013915138\">has become part of the local slang<\/a>.<strong>\u00a0<\/strong><\/p>\n<p class=\"wp-block-paragraph\">But soon after Kaspersky published its research, the Careto hackers shut down all of its operations discovered by the Russian firm, going as far as wiping its logs, which researchers noted was \u201cnot very common\u201d and put Careto into the \u201celite\u201d section of government hacking groups.<\/p>\n<p class=\"wp-block-paragraph\">\u201cYou can\u2019t do that if you\u2019re not prepared,\u201d one of the former Kaspersky employees told TechCrunch. 
\u201cThey systematically, and in a quick manner, destroyed the whole thing, the whole infrastructure. Boom. It was just gone.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Careto_gets_caught_again\"><\/span><strong>Careto gets caught again<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p class=\"wp-block-paragraph\">After Careto went dark, neither Kaspersky nor any other cybersecurity company publicly reported detecting Careto again \u2014 until last year.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/careto-apt-resurfaced-after-10-years-with-new-malicious-frameworks\">announced<\/a> in May 2024 that it had found Careto\u2019s malware once again, saying it saw the group target an unnamed organization in Latin America that was \u201cpreviously compromised\u201d by the hacking group most recently in 2022, again in 2019, and on another occasion more than 10 years ago.<\/p>\n<p class=\"wp-block-paragraph\">Careto also hacked a second unnamed organization, located in Central Africa, said Kaspersky.<\/p>\n<p class=\"wp-block-paragraph\">In a <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"http:\/\/securelist.com\/careto-is-back\/114942\/\">blog post<\/a> later in December 2024, Kaspersky\u2019s researchers attributed the new hacks to Careto \u201cwith medium to high confidence,\u201d based in part on filenames that were \u201calarmingly similar\u201d to filenames found in Careto\u2019s activities from a decade ago, as well as overlapping tactics, techniques, and procedures, or TTPs, a cybersecurity expression that refers to the unique behaviors of a certain hacking group.<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky researchers Georgy Kucherin and Marc Rivero L\u00f3pez, who <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" 
href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2024\/papers\/The-Mask-has-been-unmasked-again.pdf\">wrote a paper<\/a> and <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.youtube.com\/watch?v=d3DSPtOZEck\">presented their research<\/a> at the Virus Bulletin security conference in October 2024, said Careto \u201chas always conducted cyber attacks with extreme caution,\u201d but still \u201cmanaged to make small but fatal mistakes during their recent operations\u201d that matched activity from Careto a decade earlier.<\/p>\n<p class=\"wp-block-paragraph\">Despite that, Kucherin told TechCrunch that they don\u2019t know who, or which government, is behind the Careto hacking group.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cIt\u2019s likely a nation state,\u201d said Kucherin. \u201cBut what entity it was, who developed the malware? From a technical perspective, it\u2019s impossible to tell.\u201d<\/p>\n<div class=\"article-block block--callout block--right has-green-500-background-color\">\n<h4 class=\"block--callout__title\"><span class=\"ez-toc-section\" id=\"Contact_Us\"><\/span>Contact Us<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\t\t\tDo you have more information about Careto (aka The Mask), or other government hacking groups and operations? 
From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.\t\t<\/p><\/div>\n<p class=\"wp-block-paragraph\">According to Kaspersky\u2019s most recent report, this time the Careto hackers broke into the unnamed Latin American victim\u2019s email server and then planted its malware.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In one of the hacked machines the researchers analyzed, Kaspersky found that Careto\u2019s malware could surreptitiously switch on the computer\u2019s microphone (while hiding the Windows icon that normally alerts the user that the mic is on), steal files, such as personal documents, session cookies that can allow access to accounts without needing a password, web browsing histories from several browsers, and more.<\/p>\n<p class=\"wp-block-paragraph\">In the case of another victim, according to the report, Careto hackers used a set of implants that work as a backdoor, a keylogger, and a screenshot-taker.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Despite the fact that they got caught, and compared to what Kaspersky found more than a decade ago, Kucherin said that the Careto hackers are \u201cstill that good.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Compared to the larger and more well-known government-backed hacking groups, like the North Korean Lazarus Group and China\u2019s APT41, Kucherin said Careto is a \u201cvery small [advanced persistent threat] that surpasses all those large ones in complexity.\u201d<\/p>\n<p class=\"wp-block-paragraph\">\u201cTheir attacks are a masterpiece,\u201d said Kucherin.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2025\/05\/23\/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>More than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what they thought was a known government-backed group, based on similar targeting and its phishing techniques. Soon, the researchers realized they had found a much more advanced hacking operation that was targeting the Cuban government, among others. 
Eventually the researchers&#8230;<\/p>\n","protected":false},"author":1,"featured_media":670997,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/spain-flag-glitch.jpg?resize=1200,633","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[156576,4967,70375,61594,70944,70513,152032,152033,72287,14026,64283],"class_list":["post-670996","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-careto","tag-cuba","tag-cybersecurity","tag-exclusive","tag-hackers","tag-hacking","tag-infosec","tag-kaspersky","tag-security","tag-spain","tag-the-mask"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/670996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=670996"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/670996\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/670997"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=670996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=670996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=670996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}