The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal - The Hacker News

The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal Ravie LakshmananDec 17, 2024Cyber Espionage / Mobile Security A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022. "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets are usually high-profile organizations, such as governments, diplomatic entities, and research institutions." Also known as Careto, the threat actor was previously documented by the Russian cybersecurity company over a decade ago in February 2014 as having targeted over 380 unique victims since 2007. The origins of the hacking group are currently unknown. Initial access to target networks is facilitated by means of spear-phishing emails embedding links to malicious websites that are designed to trigger browser-based zero-day exploits to infect the visitor (e.g., CVE-2012-0773), following which they are redirected to benign sites like YouTube or a news portal. There is also some evidence suggesting that the threat actors have developed a comprehensive malware arsenal that's capable of targeting Windows, macOS, Android, and iOS. Kaspersky said it identified The Mask targeting a Latin American organization in 2022, using an as-yet-undetermined method to obtain a foothold and maintain persistence by making use of an MDaemon webmail component called WorldClient. "The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server," the researchers said. The threat actor is said to have compiled their own extension and configured it by adding malicious entries in the WorldClient.ini file by specifying the path to the extension DLL. The rogue extension is designed to run commands that enable reconnaissance, file system interactions, and the execution of additional payloads. In the 2022 attack, the adversary used this method to spread to other computers inside the organization's network and launch an implant dubbed FakeHMP ("hmpalert.dll"). This is accomplished by means of a legitimate driver of the HitmanPro Alert software ("hmpalert.sys") by taking advantage of the fact that it fails to verify the legitimacy of the DLLs it loads, thus making it possible to inject the malware into privileged processes during system startup. The backdoor supports a wide range of features to access files, log keystrokes, and deploy further malware onto the compromised host. Some of the other tools delivered to the compromised systems included a microphone recorder and a file stealer. The cybersecurity company's investigation further found that the same organization was subjected to a prior attack in 2019 that involved the use of two malware frameworks codenamed Careto2 and Goreto. Careto2 is an updated version of the modular framework observed between 2007 and 2013 that leverages several plugins to take screenshots, monitor file modifications in specified folders, and exfiltrate data to an attacker-controlled Microsoft OneDrive storage. Goreto, on the other hand, is a Golang-based toolset that periodically connects to a Google Drive storage to retrieve commands and execute them on the machine. This includes uploading and downloading files, fetching and running payloads from Google Drive, and executing a specified shell command. Furthermore, Goreto incorporates features to capture keystrokes and screenshots. That's not all. The threat actors have also been detected using the "hmpalert.sys" driver to infect an unidentified individual or organization's machine in early 2024. "Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading though the HitmanPro Alert driver, as well as developing complex multi-component malware," Kaspersky said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cyber espionage, cybersecurity, Kaspersky, MacOS, Malware, mobile security, Windows Trending News ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Popular Resources Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026