MalwareUsed by 1 actor

FakeHMP

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Careto

The payload contained in the malicious hmpalert.dll library turned out to be a previously unknown implant that we dubbed FakeHMP. Its capabilities included retrieving files from the filesystem, logging keystrokes, taking screenshots and deploying further payloads to infected machines.

via securelistsecurelist.com

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1053.005Scheduled TaskEvidence1

To spread to other machines, attackers uploaded these four files and then created scheduled tasks with the help of the Tpm-HASCertRetr.xml description file.

Persistence

1 technique

T1053.005Scheduled TaskEvidence1

To spread to other machines, attackers uploaded these four files and then created scheduled tasks with the help of the Tpm-HASCertRetr.xml description file.

Privilege Escalation

2 techniques

T1053.005Scheduled TaskEvidence1

To spread to other machines, attackers uploaded these four files and then created scheduled tasks with the help of the Tpm-HASCertRetr.xml description file.

T1055Process InjectionEvidence1

attackers were able to place their payload DLLs at this path and thus inject them into various privileged processes, such as winlogon.exe and dwm.exe, on system startup.

Stealth

1 technique

T1055Process InjectionEvidence1

attackers were able to place their payload DLLs at this path and thus inject them into various privileged processes, such as winlogon.exe and dwm.exe, on system startup.

Credential Access

1 technique

T1056.001KeyloggingEvidence1

Its capabilities included retrieving files from the filesystem, logging keystrokes, taking screenshots and deploying further payloads... Goreto implements a keylogger

Lateral Movement

1 technique

T1570Lateral Tool TransferEvidence1

To spread to other machines, attackers uploaded these four files and then created scheduled tasks with the help of the Tpm-HASCertRetr.xml description file.

Collection

3 techniques

T1005Data from Local SystemEvidence1

Its capabilities included retrieving files from the filesystem... Apart from this implant, we also observed attackers deploying... a file stealer to compromised computers.

T1056.001KeyloggingEvidence1

Its capabilities included retrieving files from the filesystem, logging keystrokes, taking screenshots and deploying further payloads... Goreto implements a keylogger

T1113Screen CaptureEvidence1

Its capabilities included retrieving files from the filesystem, logging keystrokes, taking screenshots... Goreto implements a keylogger and a screenshot taker.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

Jan 2, 2026

Careto Hacker Group is Back After 10 Years of Silence with New Attack Tactics

FakeHMP is a previously unknown implant used by the Careto threat group, providing surveillance capabilities such as keystroke logging, screenshot capture, file retrieval, and deployment of additional payloads. It leverages legitimate system drivers for stealthy code injection and persistence.

securelistNews

May 13, 2021

Careto APT’s recent attacks discovered | Securelist

A previously unknown implant delivered via a malicious hmpalert.dll side-loaded through the legitimate HitmanPro Alert driver. It supports file retrieval, keylogging, screenshot capture, and deployment of additional payloads.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.