Careto Hacker Group Returns with New Attack Tactics After 1

David kimber
January 2, 2026

It has been a full decade since we last heard from the Careto threat group, which you might remember as “The Mask.” They are officially back on the scene, and they have resurfaced with sophisticated new attack methods aimed squarely at high-profile organizations.

Security researchers have identified fresh evidence of Careto’s activity, revealing how the group evolved its tactics to compromise critical infrastructure and maintain persistent access to sensitive networks.

The Careto group has been conducting advanced cyberattacks since at least 2007, traditionally focusing on government agencies, diplomatic entities, and research institutions. After a decade of silence, Careto, also known as The Mask, has resurfaced with advanced attacks on high-profile targets and critical infrastructure.

Known for deploying zero-day exploits to deliver complex implants, Careto remained silent after early 2014, leaving security experts uncertain about the group’s future activities.

However, detailed investigations into recent targeted attack clusters have confirmed that the group is actively conducting operations once more, demonstrating an alarming return to prominence.

Securelist researchers identified the group’s recent campaigns, with notable evidence of attacks targeting an organization in Latin America during 2022.

What makes this resurgence particularly concerning is the group’s refined approach to gaining and maintaining control within compromised networks.

MDaemon Email Server Exploitation and WorldClient Persistence

The group’s new infection method reveals a shift toward email infrastructure targeting. Upon breaching a victim’s network, attackers gained access to the MDaemon email server, a critical communication hub.

Authentication panel of the WorldClient component (Source: Securelist)

Rather than deploying obvious malware, Careto used a clever persistence technique leveraging MDaemon’s WorldClient webmail component, which allows loading custom extensions.

The attackers compiled a malicious extension and modified the WorldClient.ini configuration file, adding entries that redirected HTTP requests to their custom code.

Specifically, they configured the CgiBase6 parameter to point toward “/WorldClient/mailbox” and set CgiFile6 to their malicious DLL, allowing them to interact with the extension through normal webmail traffic.

This technique proved remarkably effective because it blended with legitimate email operations.
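Because the persistence described above lives entirely in a configuration file, the most direct defensive check is a periodic audit of WorldClient.ini for CgiBase/CgiFile pairs that route webmail requests to an unexpected DLL. The script below is an added example written for this article, not code from Securelist or from MDaemon. The INI fragment is constructed for the example, the trusted install directory and the list of expected DLL names are assumptions that must be matched to a real deployment, and the DLL names in the flagged entries are placeholders rather than real indicators.

```python
import ntpath
import re
from collections import defaultdict

# Constructed WorldClient.ini fragment (not copied from any real server).
# The CgiBase6/CgiFile6 pair mirrors the pattern described in the article;
# "ext6.dll" and "helper.dll" are placeholder names, not real indicators.
SAMPLE_INI = r"""
[WorldClient]
RunAsService=Yes
CgiBase1=/WorldClient.dll
CgiFile1=C:\MDaemon\WorldClient\WorldClient.dll
CgiBase6=/WorldClient/mailbox
CgiFile6=C:\MDaemon\WorldClient\HTML\ext6.dll
CgiBase7=/WorldClient/attach
CgiFile7=C:\Windows\Temp\helper.dll
"""

# Assumed baseline: where the legitimate WorldClient binaries live and which
# DLL names are expected there. Adjust both to your own installation.
TRUSTED_DIR = r"C:\MDaemon\WorldClient"
TRUSTED_DLLS = {"worldclient.dll"}

_CGI_RE = re.compile(r"^\s*Cgi(Base|File)(\d+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_cgi_entries(ini_text):
    """Collect CgiBaseN / CgiFileN values keyed by N.

    Unmatched halves are kept so that a CgiFile without a CgiBase (or the
    reverse) still surfaces in the audit instead of being silently skipped.
    """
    entries = defaultdict(dict)
    for line in ini_text.splitlines():
        m = _CGI_RE.match(line)
        if m:
            kind, idx, value = m.group(1).lower(), int(m.group(2)), m.group(3)
            entries[idx][kind] = value
    return dict(entries)


def audit_cgi_entries(ini_text, trusted_dir=TRUSTED_DIR, trusted_dlls=TRUSTED_DLLS):
    """Return (index, reason, entry) tuples for every CGI mapping that needs review."""
    findings = []
    # ntpath.normcase lowercases and normalises separators even on non-Windows hosts,
    # so the comparison is case-insensitive like the NTFS paths it models.
    trusted_prefix = ntpath.normcase(trusted_dir.rstrip("\\")) + "\\"
    for idx, entry in sorted(parse_cgi_entries(ini_text).items()):
        base, dll = entry.get("base"), entry.get("file")
        if base is None or dll is None:
            findings.append((idx, "incomplete CgiBase/CgiFile pair", entry))
            continue
        norm_dll = ntpath.normcase(dll)
        if not norm_dll.startswith(trusted_prefix):
            findings.append((idx, "extension loaded from outside the trusted directory", entry))
        elif ntpath.basename(norm_dll) not in trusted_dlls:
            findings.append((idx, "unrecognised extension DLL name", entry))
    return findings


if __name__ == "__main__":
    for idx, reason, entry in audit_cgi_entries(SAMPLE_INI):
        print(f"Cgi*{idx}: {reason}: {entry['base']} -> {entry['file']}")
```

Run against the real file (for example, `audit_cgi_entries(open(path, encoding="utf-8", errors="replace").read())`), and treat any finding as a prompt to verify the DLL's origin and signature rather than as proof of compromise; the allowlist approach is deliberate, since a malicious extension can be given any name.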

From this foothold, Careto deployed the previously unknown FakeHMP implant across the network using a sophisticated lateral movement strategy.

The group leveraged legitimate system drivers, particularly the HitmanPro Alert driver (hmpalert.sys), to inject malicious code into privileged Windows processes like winlogon.exe and dwm.exe.

The FakeHMP implant provided the attackers with comprehensive surveillance capabilities, including keystroke logging, screenshot capture, file retrieval, and additional payload deployment.

This resurgence demonstrates that Careto remains a formidable threat, combining decades of operational experience with innovative infection methods that exploit legitimate software components for maximum stealth and persistence.

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.