Kaspersky researchers have uncovered two new malicious campaigns operated by the notorious Careto Advanced Persistent Threat (APT) group, the first newly discovered Careto activity since 2013.

Demonstrating a remarkably high level of sophistication, the actors conducted two complex cyberespionage campaigns using a multi-modal framework that can record microphone input, steal a wide range of files and data, and take full control of the infected machine. The campaigns targeted organisations in Latin America and Central Africa.

Careto is known for highly sophisticated attacks, primarily against government organisations, diplomatic entities, energy companies, and research institutions. Its activity was observed from 2007 until 2013, after which nothing more was reported about the group.

In their quarterly report on APT trends, Kaspersky researchers have unveiled the details behind recent malicious campaigns, which they attribute to Careto.

The initial infection vector was the organisation’s email server, which was running the MDaemon email software. After compromising it, the attackers installed a distinct backdoor on the server, giving them a foothold from which to operate inside the network.

To propagate within the internal network, the threat actor exploited a previously unidentified bug in a security solution, which allowed malicious implants to be distributed covertly to multiple machines. The attacker deployed four sophisticated, multi-modular implants, clearly the work of experienced developers, across a large number of hosts.

As a multi-modal framework, the malware includes components such as a microphone recorder and a file stealer, used to harvest system configuration details, user names, passwords, paths to directories on the local machine, and more.

The operators showed particular interest in the organisation’s confidential documents and in cookies, form history, and login data from the Edge, Chrome, Firefox, and Opera browsers, as well as cookies from the Threema, WeChat, and WhatsApp messaging apps.

According to Kaspersky’s telemetry, the victims of the newly discovered Careto implants are an organisation in Latin America, which had previously been compromised by Careto in 2022, in 2019, and more than 10 years ago, and an organisation in Central Africa.

“Over the years, the Careto APT has been developing malware that demonstrates a remarkably high level of complexity,” says Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “The newly-discovered implants are intricate multi-modal frameworks with deployment tactics and techniques that are both unique and sophisticated. Their presence indicates the advanced nature of Careto’s operations.

“We will continue to monitor the activities of this threat actor closely as we expect the discovered malware to be utilised in future Careto attacks,” Kucherin adds.