# Machete

attack.mitre.org/groups/G0095/

[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[1][2][3][4]

## ID: G0095

## Associated Groups: APT-C-43, El Machete

Contributors: Matias Nicolas Porolli, ESET

Version: 2.0

Created: 13 September 2019

Last Modified: 06 October 2021

[Version Permalink](https://attack.mitre.org/versions/v11/groups/G0095/) [Live Version](https://attack.mitre.org/versions/v11/groups/G0095/)

## Associated Group Descriptions

|Name|Description|
|---|---|
|APT-C-43|[4]|
|El Machete|[1]|

## Techniques Used

|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1059.003|Command and Scripting Interpreter: Windows Command Shell|Machete has used batch files to initiate additional downloads of malicious files.[4]|
|Enterprise|T1059.005|Command and Scripting Interpreter: Visual Basic|Machete has embedded malicious macros within spearphishing attachments to download additional files.[4]|
|Enterprise|T1059.006|Command and Scripting Interpreter: Python|Machete used multiple compiled Python scripts on the victim's system. Machete's main backdoor Machete is also written in Python.[1][3][4]|
|Enterprise|T1189|Drive-by Compromise|Machete has distributed Machete through a fake blog website.[2]|
|Enterprise|T1036.005|Masquerading: Match Legitimate Name or Location|Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[4]|
|Enterprise|T1566.001|Phishing: Spearphishing Attachment|Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[2][3][4]|
|Enterprise|T1566.002|Phishing: Spearphishing Link|Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[1][3]|
|Enterprise|T1053.005|Scheduled Task/Job: Scheduled Task|Machete has created scheduled tasks to maintain Machete's persistence.[4]|
|Enterprise|T1218.007|System Binary Proxy Execution: Msiexec|Machete has used msiexec to install the Machete malware.[4]|
|Enterprise|T1204.001|User Execution: Malicious Link|Machete has relied on users opening malicious links delivered through spearphishing to execute malware.[1][2][3]|
|Enterprise|T1204.002|User Execution: Malicious File|Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.[1][2][3][4]|

## Software

|ID|Name|References|Techniques|
|---|---|---|---|
|[S0409](https://attack.mitre.org/software/S0409)|[Machete](https://attack.mitre.org/software/S0409)|[2][3]|Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Audio Capture, Automated Exfiltration, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Python, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exfiltration Over Physical Medium: Exfiltration over USB, Fallback Channels, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Unsecured Credentials: Private Keys, Video Capture|

## References

1. The Cylance Threat Research Team. (2017, March 22). [El Machete's Malware Attacks Cut Through LATAM.](https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html) Retrieved September 13, 2019.
2. Kaspersky Global Research and Analysis Team. (2014, August 20). [El Machete.](https://securelist.com/el-machete/66108/) Retrieved September 13, 2019.
3. ESET. (2019, July). [MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack.](https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf) Retrieved September 13, 2019.
4. kate. (2020, September 25). [APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign.](https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/) Retrieved November 20, 2020.