Careto Spyware Was Spain’s Hidden Cyber Weapon


More than a decade ago, Kaspersky researchers uncovered a highly advanced cyber-espionage campaign. At first, they thought it was a known state-sponsored threat. But the deeper they looked, the clearer it became: this wasn’t just any group. It was something far more sophisticated. And now, multiple insiders say it was Spain behind the operation.

The hackers called their spyware Careto—Spanish slang for “mask” or “ugly face”—a name found buried in the malware’s code. It was capable of hijacking microphones, logging keystrokes, stealing documents, and spying on encrypted traffic. The group mainly used spearphishing emails to target victims across 31 countries.

Although Kaspersky publicly avoided blaming any nation, insiders confirmed the researchers privately concluded Careto was operated by the Spanish government. According to multiple former employees, that conclusion wasn’t just speculation—it was made with “high confidence.”

Cuba Was Ground Zero for the Operation

The investigation began when a Cuban government official’s computer was infected. From there, Kaspersky traced the malware’s origin to a Spanish-speaking group. Cuba quickly emerged as a primary target, especially one specific government agency. Researchers believe Spain had strong motivations at the time—chief among them, monitoring members of the Basque separatist group ETA who were living in Cuba.

Other targets supported this theory. The malware was found in Gibraltar, a British-held territory that Spain has long disputed. Spanish interests also extended to Brazil, where the government had been bidding on a high-speed railway project. All signs pointed to Spain’s geopolitical goals shaping the hacking campaign.

Despite its scope, Kaspersky never named Spain publicly. Internally, though, employees agreed there was “no reasonable doubt” about who was responsible. Still, the company stuck to its “no attribution” policy.

Subtle hints did slip into Kaspersky’s reports. A string in the code—“Caguen1aMar”—is a uniquely Spanish expletive. An illustration that accompanied the research showed a bull mask, castanets, and the red-and-yellow colors of the Spanish flag.

Careto Resurfaces With Upgraded Tools

After its exposure in 2014, Careto disappeared. Its operators quickly dismantled their infrastructure, wiping logs and erasing traces—an elite move rarely seen. But in 2024, Careto returned. Kaspersky discovered new infections in Latin America and Central Africa. The group had evolved, but left behind just enough clues to be recognized.

This time, the malware could silently turn on microphones, avoid alert icons, capture session cookies, and steal browsing histories. It also planted multiple implants that acted as keyloggers and backdoors. Researchers said the attackers were careful, but they repeated certain techniques and filenames used a decade ago. That allowed Kaspersky to link the activity to Careto with “medium to high confidence.”

Though the group is small, its tactics are powerful. Kaspersky’s Georgy Kucherin called its attacks a “masterpiece,” stating that Careto’s sophistication rivals even the most notorious groups from North Korea or China.

While no official from Spain or Cuba has commented, this new evidence places Careto among a small group of Western state-backed hacking units. The revelation adds Spain to a list that includes the U.S.’s NSA-linked Equation Group, the CIA-associated Lamberts, and France’s Animal Farm.
