APT / THREAT GROUP | 🕵️ ESPIONAGE | ADVANCED

Careto

🇪🇸 ES-attributed
8 aliases
Last seen: Mar 17, 2026

Intelligence Profile

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.

The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or "Mask"), which the authors included in some of the malware modules.

More than 380 unique victims in 31 countries have been observed to date. What makes "The Mask" special is the complexity of the toolset used by the attackers. This includes extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions for Android and iPad/iPhone (Apple iOS).

Threat Analysis

Careto is an advanced-sophistication threat actor attributed to ES, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, Careto likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

Quick Facts

Type: APT / Threat Group
Motivation: 🕵️ espionage
Sophistication: advanced
Origin: 🇪🇸 ES
Aliases: 8
Source: Malpedia

Also Known As

Ugly Face, Appetite, Mask, win.careto, osx.careto, Careto, The Mask, TheMask

External Intelligence

Malpedia: win.careto

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.