{
	"id": "e05fba14-7292-4001-a350-413a87a31df4",
	"created_at": "2026-04-06T00:09:32.071864Z",
	"updated_at": "2026-04-10T03:24:56.401229Z",
	"deleted_at": null,
	"sha1_hash": "414c09b6b48165e17890931281e78df184d4ddea",
	"title": "“El Machete”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1124467,
	"plain_text": "“El Machete”\r\nBy GReAT\r\nPublished: 2014-08-20 · Archived: 2026-04-02 11:58:59 UTC\r\nIntroduction\r\nSome time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware. While assisting the customer, we found a very interesting file on the system that is completely unrelated to China and contains no Chinese coding traces. At first look it pretends to be a Java-related application, but after a quick analysis it was obvious this was something more than a simple Java file. It was a targeted attack we are calling “Machete”.\r\nWhat is “Machete”?\r\n“Machete” is a targeted attack campaign with Spanish-speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may still be active.\r\nThe malware is capable of the following cyber-espionage operations:\r\nLogging keystrokes\r\nCapturing audio from the computer’s microphone\r\nCapturing screenshots\r\nCapturing geolocation data\r\nTaking photos with the computer’s web camera\r\nCopying files to a remote server\r\nCopying files to a special USB device if one is inserted\r\nHijacking the clipboard and capturing information from the target machine\r\nTargets of “Machete”\r\nhttps://securelist.com/el-machete/66108/\r\nPage 1 of 7\n\nMost of the victims are located in Venezuela, Ecuador, Colombia, Peru, Russia, Cuba and Spain, among other countries. In some cases, such as Russia, the target appears to be an embassy of one of the countries on this list.\r\nTargets include high-level profiles, including intelligence services, military, embassies and government institutions.\r\nHow does “Machete” operate?\r\nThe malware is distributed via social engineering techniques, which include spear-phishing emails and infections via the Web through a fake blog website. 
We have found no evidence of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.\r\nDuring this investigation, we also discovered many other files installing this cyber-espionage tool in what appears to be a dedicated spear-phishing campaign. These files display a PowerPoint presentation while installing the malware on the target system once the file is opened. These are the names of the PowerPoint attachments:\r\nHermosa XXX.pps.rar\r\nSuntzu.rar\r\nEl arte de la guerra.rar\r\nHot brazilian XXX.rar\r\nThese files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008. Because Python code is embedded inside the executables, these installers also carry all the necessary Python libraries as well as the PowerPoint file shown to the victim during the installation. The result is extremely large files, over 3 MB.\r\nHere are some screenshots of the mentioned files:\r\nA technically relevant fact about this campaign is the use of Python embedded into the Windows executables of the malware. This is very unusual and offers the attackers no advantage except ease of coding. There is no multi-platform support, as the code is heavily Windows-oriented (in the libraries it uses). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. 
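The packaging traits just described (a Nullsoft self-extractor, a bundled Python runtime, a PowerPoint decoy inside the executable, and a file size over 3 MB) translate directly into a first-pass triage check, and the MD5s and domains listed under Indicators of Compromise below can be matched in the same pass. The Python below is an added example written for this page, not code from Kaspersky Lab or from the original report. The NSIS and OLE2 magic values are the standard ones for those formats; the Python-runtime markers (pythonXY.dll, library.zip), the verdict thresholds, the sample bytes and the DNS log lines are assumptions constructed for the example.

```python
import hashlib
import re

# NSIS first-header magic: 0xDEADBEEF little-endian followed by "NullsoftInst".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
# OLE2 compound-file header; a PowerPoint 97-2003 .pps decoy is an OLE2 container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumed markers of a bundled CPython runtime: the interpreter DLL name
# (pythonXY.dll) or py2exe's library.zip. Heuristic, not taken from the report.
PYTHON_RUNTIME_RE = re.compile(rb"python\d\d\.dll|library\.zip", re.IGNORECASE)
SIZE_THRESHOLD = 3 * 1024 * 1024  # the report puts the installers at over 3 MB

# Installer MD5s and C2 domains from the report's "Indicators of Compromise".
MACHETE_MD5S = {
    "61d33dc5b257a18eb6514e473c1495fe", "b5ada760476ba9a815ca56f12a11d557",
    "d6c112d951cb48cab37e5d7ebed2420b", "df2889df7ac209e7b696733aa6b52af5",
    "e486eddffd13bed33e68d6d8d4052270", "e9b2499b92279669a09fef798af7f45b",
    "f7e23b876fc887052ac8e2558f0d6c38", "b26d1aec219ce45b2e80769368310471",
}
MACHETE_DOMAINS = {
    "java.serveblog.net", "agaliarept.com", "frejabe.com", "grannegral.com",
    "plushbr.com", "xmailliwx.com", "blogwhereyou.com",
}
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")


def triage_sample(data: bytes) -> dict:
    """Score a file against the installer traits described in the report."""
    md5 = hashlib.md5(data).hexdigest()
    traits = {
        "nsis": NSIS_MAGIC in data,
        "python_runtime": PYTHON_RUNTIME_RE.search(data) is not None,
        "ole_decoy": OLE_MAGIC in data,
        "oversized": len(data) > SIZE_THRESHOLD,
    }
    score = sum(traits.values())
    if md5 in MACHETE_MD5S:
        verdict = "known_machete"      # exact hash match beats any heuristic
    elif score >= 3:
        verdict = "machete_like"       # same packaging, unknown hash: pull it apart
    elif score >= 1:
        verdict = "review"             # NSIS or a big Python bundle alone is common
    else:
        verdict = "clean"
    return {"md5": md5, "verdict": verdict, "score": score, **traits}


def flag_dns(lines):
    """Return (line, host) pairs whose queried host is a listed domain or a subdomain of one."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line.lower()):
            if any(host == d or host.endswith("." + d) for d in MACHETE_DOMAINS):
                hits.append((line, host))
                break
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a Machete dropper, not a real sample: a PE stub,
    the NSIS header, a pythonXY.dll reference, an OLE2 decoy and 3 MB of padding."""
    head = b"MZ" + bytes(62) + NSIS_MAGIC + bytes(16) + b"python27.dll\x00" + bytes(16) + OLE_MAGIC
    return head + bytes(SIZE_THRESHOLD)


# Constructed resolver log lines in a generic key=value form.
SAMPLE_DNS_LINES = [
    "2014-08-19T10:02:11Z client=10.0.0.12 query=java.serveblog.net type=A",
    "2014-08-19T10:02:12Z client=10.0.0.12 query=www.example.com type=A",
    "2014-08-19T10:05:40Z client=10.0.0.17 query=cdn.plushbr.com type=A",
    "2014-08-19T10:06:01Z client=10.0.0.17 query=notgrannegral.com type=A",
]

if __name__ == "__main__":
    print(triage_sample(build_sample()))
    for line, host in flag_dns(SAMPLE_DNS_LINES):
        print("suspicious DNS:", host, "<-", line)
```

The hash match is the only exact indicator; the structural score is a hunting heuristic that will also flag benign NSIS-packed Python applications, which is why anything below an exact match is labelled for review rather than blocked. The domain check deliberately treats subdomains as hits (cdn.plushbr.com) while ignoring look-alike registrations (notgrannegral.com).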
In addition to Windows components, we also found a mobile (Android) component.\r\nBoth attackers and victims speak Spanish natively, as we see consistently in the source code of the client side and in the Python code.\r\nIndicators of Compromise\r\nWeb infections\r\nThe following code snippets were found in the HTML of websites used to infect victims:\r\nNote: Thanks to Tyler Hudak from KoreLogic, who noticed that the above HTML is copy-pasted from SET, the Social-Engineer Toolkit (https://www.trustedsec.com/downloads/social-engineer-toolkit/).\r\nAlso the following link to one known infection artifact:\r\nhxxp://name.domain.org/nickname/set/Signed_Update.jar\r\nDomains\r\nThe following are domains found during the infection campaign. Any communication with them must be considered extremely suspicious.\r\njava.serveblog.net\r\nagaliarept.com\r\nfrejabe.com\r\ngrannegral.com (sinkholed by Kaspersky Lab)\r\nplushbr.com\r\nxmailliwx.com\r\nblogwhereyou.com (sinkholed by Kaspersky Lab)\r\nInfection artifacts\r\nMD5 Filename\r\n61d33dc5b257a18eb6514e473c1495fe AwgXuBV31pGV.eXe\r\nb5ada760476ba9a815ca56f12a11d557 EL ARTE DE LA GUERRA.exe\r\nd6c112d951cb48cab37e5d7ebed2420b Hermosa XXX.rar\r\ndf2889df7ac209e7b696733aa6b52af5 Hermosa XXX.pps.rar\r\ne486eddffd13bed33e68d6d8d4052270 Hermosa XXX.pps.rar\r\ne9b2499b92279669a09fef798af7f45b Suntzu.rar\r\nf7e23b876fc887052ac8e2558f0d6c38 Hot Brazilian XXX.rar\r\nb26d1aec219ce45b2e80769368310471 Signed_Update.jar\r\nTraces on infected machines\r\nCreates the file Java Update.lnk pointing to appdata/Jre6/java.exe\r\nMalware is installed in appdata/MicroDes/\r\nRunning processes\r\nCreates a task named Microsoft_up\r\nHuman part of “Machete”\r\nLanguage\r\nThe first piece of evidence is the language used, both by the victims and the attackers, which is Spanish.\r\nThe victims are all Spanish speaking 
according to the filenames of the stolen documents.\r\nThe language of the operators of the campaign is also Spanish: all the server-side code is written in this language (reportes, ingresar, peso, etc.).\r\nConclusion\r\nThe “Machete” discovery shows there are many regional players in the world of targeted attacks. Unfortunately, such attacks have become part of the cyber arsenal of many nations around the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.\r\nKaspersky Lab products detect malicious samples related to this targeted attack as Trojan-Spy.Python.Ragua.\r\nNote: A full analysis of the Machete attacks is available to Kaspersky Intelligent Services customers.\r\nContact: intelreports@kaspersky.com\r\nSource: https://securelist.com/el-machete/66108/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/el-machete/66108/"
	],
	"report_names": [
		"66108"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775791496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/414c09b6b48165e17890931281e78df184d4ddea.pdf",
		"text": "https://archive.orkl.eu/414c09b6b48165e17890931281e78df184d4ddea.txt",
		"img": "https://archive.orkl.eu/414c09b6b48165e17890931281e78df184d4ddea.jpg"
	}
}