The Hidden Mask: Unveiling Spain’s Secret Cyber Espionage Masterpiece After a Decade in the Shadows

More than a decade ago, cybersecurity researchers at Kaspersky observed suspicious internet traffic characteristic of government-backed espionage groups. Initially suspecting a familiar threat actor, the team quickly realized that they had stumbled upon a far more sophisticated operation unlike anything previously encountered. Their investigation uncovered a complex hacking group called Careto—named after a Spanish slang term meaning “mask” or “ugly face”—found embedded in the malware’s programming code.

First disclosed publicly by Kaspersky in 2014, Careto quickly made headlines for its extremely advanced and stealthy tools capable of extracting highly sensitive data—including keystrokes, encrypted correspondence, and private communications—from compromised victims. At the time, however, Kaspersky refrained from publicly pointing to any nation-state as the source behind the group. Internally, it now turns out, the company’s researchers had privately concluded with high confidence that the Spanish government was operating Careto’s espionage campaigns.

According to multiple former Kaspersky employees involved in the original investigation, who spoke on condition of anonymity, substantial evidence pointed toward Spanish state-backed hackers as the driving force behind Careto’s global campaign. “There was no doubt,” confirmed one former researcher, emphasizing the clear indicators leading to their internal conclusion.

Careto garnered attention not just for its highly technical sophistication but also for the scope and particular targeting patterns of its operations. The group initially attracted notice after infecting a governmental network in Cuba, leading researchers to label this victim “patient zero.” Cuba reportedly became a key focus due to Spain’s interest in monitoring members of the Basque separatist organization ETA who had taken refuge on the Caribbean island. Kaspersky’s findings clearly noted that Cuba had experienced the largest number of targeted victims, primarily concentrated within a single governmental institution, indicating high-level strategic importance to attackers.

Other targets were similarly consistent with Spanish national interests, including institutions and entities in Brazil, Morocco, Spain itself, and particularly Gibraltar—the disputed British enclave on the Iberian Peninsula long claimed by Spain. These geopolitical indicators served as compelling evidence supporting the internal attribution to Spanish intelligence services.

Careto’s malware was formidable, with functionality rivaling even today’s most potent nation-state spyware. It could secretly intercept communication streams, collect VPN configurations, diplomatic emails, private documents, and even activate microphones on targeted devices without alerting users. The hackers conducted their attacks primarily through highly customized spearphishing emails, impersonating popular Spanish media outlets and embedding malicious links designed to quietly compromise the victim’s machine while maintaining operational secrecy and plausible deniability.

The team’s attribution to the Spanish government was further supported by linguistic clues in the malware coding. One notable phrase uncovered was a distinctly Spanish expletive common only within Spain rather than Latin America. Additionally, a symbolic illustration shared during Kaspersky’s original disclosure prominently featured characteristically Spanish imagery and national symbols, subtly reinforcing the team’s private conclusions.

Yet despite these various indicators, Kaspersky retained a strict internal policy against publicly accusing states, opting instead for neutrality in its official reports. “We had a strict ‘no attribution’ policy,” one veteran researcher recalled, noting the company’s caution in navigating sensitive geopolitical implications.

When Kaspersky exposed Careto’s activities in 2014, the hackers swiftly reacted, dismantling and eliminating evidence from their infrastructure—a rare and difficult feat reserved only for top-tier state-sponsored actors, further indicating Careto’s governmental affiliation and advanced preparedness.

Careto then vanished from the cybersecurity radar and was not seen again until it resurfaced last year. Kaspersky announced in 2024 that the group had resumed operations, conducting targeted attacks in Latin America and Central Africa. Analysts assessed with medium to high confidence that the newly discovered malware belonged to Careto, since its methodology and code showed striking similarities to the earlier known samples, suggesting continuity over the past decade.

Despite the renewed visibility, definitive public attribution remained elusive. Georgy Kucherin, one of the researchers involved in the latest detection, acknowledged Careto’s exceptional craftsmanship and operational sophistication but emphasized that technical analysis alone made it impossible to conclusively link the malware directly to a governmental entity.

Nonetheless, the privately held conviction of numerous involved experts has remained firm through the years—a certainty shared quietly within the highest ranks at Kaspersky yet left officially unstated out of longstanding institutional policy. With these revelations, Spain emerges publicly for the first time as one of the few known Western governments running high-level cyber espionage groups, joining ranks previously held by higher-profile intelligence agencies such as the NSA-linked Equation Group or the French-run Animal Farm malware campaigns.

Today, as Careto resurfaces after more than a decade, its advanced tradecraft still stands out among contemporary hacking operations. While other government-backed groups frequently capture global headlines, those familiar with Careto regard it as quietly matching or even surpassing their sophistication. As Kucherin frankly described it, “their attacks are a masterpiece.”
