{ "id": "fd21f6af-b7da-4774-a440-a3518db00162", "created_at": "2026-04-06T00:22:17.187697Z", "updated_at": "2026-04-10T03:24:56.388313Z", "deleted_at": null, "sha1_hash": "154f7cd9c28a042bdbf562ddde83e5875f5ff144", "title": "Machete (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 29909, "plain_text": "Machete (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 16:17:22 UTC\r\nMachete\r\naka: El Machete\r\nAccording to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped:\r\nGoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it\r\ncontains base64‑encoded text that corresponds to AES‑encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and\r\ncreates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the\r\nMozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other\r\nsources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and\r\nlongitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C\u0026C server. The\r\nconfiguration to set the connection is read from the jer.dll file: domain name, username and password. The\r\nprincipal means of communication for Machete is via FTP, although HTTP communication was implemented as a\r\nfallback in 2019.\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.machete\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.machete\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete" ], "report_names": [ "win.machete" ], "threat_actors": [ { "id": "d303c77e-0110-471b-a3a6-37fce9ac848d", "created_at": "2022-10-25T15:50:23.342452Z", "updated_at": "2026-04-10T02:00:05.373848Z", "deleted_at": null, "main_name": "Machete", "aliases": [ "APT-C-43", "El Machete" ], "source_name": "MITRE:Machete", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64", "created_at": "2023-01-06T13:46:38.605117Z", "updated_at": "2026-04-10T02:00:03.03665Z", "deleted_at": null, "main_name": "El Machete", "aliases": [ "G0095", "machete-apt", "APT-C-43" ], "source_name": "MISPGALAXY:El Machete", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6", "created_at": "2022-10-25T16:07:23.576476Z", "updated_at": "2026-04-10T02:00:04.674784Z", "deleted_at": null, "main_name": "El Machete", "aliases": [ "APT-C-43", "ATK 97", "G0095", "Operation HpReact", "TAG-NS1", "TEMP.Andromeda" ], "source_name": "ETDA:El Machete", "tools": [ "El Machete", "ForeIT", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "Pyark" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434937, "ts_updated_at": 1775791496, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/154f7cd9c28a042bdbf562ddde83e5875f5ff144.pdf", "text": "https://archive.orkl.eu/154f7cd9c28a042bdbf562ddde83e5875f5ff144.txt", "img": "https://archive.orkl.eu/154f7cd9c28a042bdbf562ddde83e5875f5ff144.jpg" } }