🇪🇸
Careto
APT Group
Information theft and espionage
15 zero-day CVEs
ETDA ✓
Also Known As 3 names
Mask
The Mask
Ugly Face
Target Countries 15
Brazil
Canada
Switzerland
Germany
Spain
France
Islamic Republic of Iran
Libya
Morocco
Poland
Singapore
Tunisia
United States
Bolivarian Republic of Venezuela
South Africa
Sectors Targeted
Software Publishers (51121)
Education
All Other Information Services (51919)
Telecommunications (517)
Diplomatic missions
Government
Energy
Computer Systems Design Services (541512)
Details
Origin
🇪🇸 ES
Last Updated
10 Nov 2025
MITRE ATT&CK 163
T1001 - Data Obfuscation
T1003
T1005
T1007 - System Service Discovery
T1008
T1011 - Exfiltration Over Other Network Medium
T1012
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1016.001 - Internet Connection Discovery
T1018 - Remote System Discovery
T1019 - System Firmware
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.006 - Windows Remote Management
T1027 - Obfuscated Files or Information
T1030 - Data Transfer Size Limits
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1040
T1041 - Exfiltration Over C2 Channel
T1047 - Windows Management Instrumentation
T1048
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1056 - Input Capture
T1056.001 - Keylogging
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003
T1059.004 - Unix Shell
T1059.007 - JavaScript
T1060 - Registry Run Keys / Startup Folder
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1069.002 - Domain Groups
T1070 - Indicator Removal on Host
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.004 - DNS
T1074.001
T1078
T1078.004 - Cloud Accounts
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1087
T1088 - Bypass User Account Control
T1090 - Proxy
T1094 - Custom Command and Control Protocol
T1095
T1102 - Web Service
T1104
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110 - Brute Force
T1112 - Modify Registry
T1113 - Screen Capture
T1114
T1114.001
T1114.002 - Remote Email Collection
T1115 - Clipboard Data
T1116 - Code Signing
T1118 - InstallUtil
T1119 - Automated Collection
T1120
T1124 - System Time Discovery
T1127 - Trusted Developer Utilities Proxy Execution
T1129
T1130
T1132 - Data Encoding
T1133
T1134 - Access Token Manipulation
T1136
T1137 - Office Application Startup
T1140 - Deobfuscate/Decode Files or Information
T1170
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190
T1192 - Spearphishing Link
T1198 - SIP and Trust Provider Hijacking
T1202 - Indirect Command Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002
T1210 - Exploitation of Remote Services
T1213 - Data from Information Repositories
T1217
T1218 - Signed Binary Proxy Execution
T1218.001 - Compiled HTML File
T1222 - File and Directory Permissions Modification
T1404 - Exploit OS Vulnerability
T1443 - Remotely Install Application
T1449 - Exploit SS7 to Redirect Phone Calls/SMS
T1454 - Malicious SMS Message
T1456 - Drive-by Compromise
T1476 - Deliver Malicious App via Other Means
T1478 - Install Insecure or Malicious Configuration
T1480 - Execution Guardrails
T1485
T1486 - Data Encrypted for Impact
T1489
T1490 - Inhibit System Recovery
T1491 - Defacement
T1497 - Virtualization/Sandbox Evasion
T1497.003
T1498 - Network Denial of Service
T1499 - Endpoint Denial of Service
T1503
T1505 - Server Software Component
T1516 - Input Injection
T1518
T1528 - Steal Application Access Token
T1529 - System Shutdown/Reboot
T1530 - Data from Cloud Storage Object
T1531
T1539 - Steal Web Session Cookie
T1543
T1546 - Event Triggered Execution
T1547 - Boot or Logon Autostart Execution
T1550
T1552
T1553 - Subvert Trust Controls
T1553.002 - Code Signing
T1553.004 - Install Root Certificate
T1555
T1560 - Archive Collected Data
T1561
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1563.002 - RDP Hijacking
T1564 - Hide Artifacts
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1568 - Dynamic Resolution
T1568.002 - Domain Generation Algorithms
T1569 - System Services
T1571
T1573 - Encrypted Channel
T1574 - Hijack Execution Flow
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.004 - Server
T1584 - Compromise Infrastructure
T1584.003 - Virtual Private Server
T1584.005 - Botnet
T1587
T1587.001 - Malware
T1589 - Gather Victim Identity Information
T1590 - Gather Victim Network Information
T1591 - Gather Victim Org Information
T1595
T1596.001 - DNS/Passive DNS
T1596.004 - CDNs
T1598 - Phishing for Information
T1614
TA0003 - Persistence
TA0011 - Command and Control