{
	"id": "cb75f5fa-87b1-4287-98d9-c3925794b060",
	"created_at": "2026-04-06T00:21:59.700667Z",
	"updated_at": "2026-04-10T03:24:56.402528Z",
	"deleted_at": null,
	"sha1_hash": "857fdda2b98ea0bad1d22ea22960c1bc4ec120d0",
	"title": "El Machete - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61725,
	"plain_text": "El Machete - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:05:57 UTC\r\n APT group: El Machete\r\nNames\r\nEl Machete (Kaspersky)\r\nTEMP.Andromeda (FireEye)\r\nAPT-C-43 (Qihooo 360)\r\nATK 97 (Thales)\r\nTAG-NS1 (Recorded Future)\r\nG0095 (MITRE)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription\r\n(Kaspersky) “Machete” is a targeted attack campaign with Spanish speaking roots.\r\nWe believe this campaign started in 2010 and was renewed with an improved\r\ninfrastructure in 2012. The operation may be still “active”.\r\nThe malware is distributed via social engineering techniques, which includes spear-phishing emails and infections via Web by a fake Blog website. We have found no\r\nevidence of exploits targeting zero-day vulnerabilities. Both the attackers and the\r\nvictims appear to be Spanish-speaking.\r\nIn some cases, such as Russia, the target appears to be an embassy from one of the\r\ncountries of this list.\r\nObserved\r\nSectors: Defense, Education, Embassies, Energy, Government, Telecommunications.\r\nCountries: Argentina, Belgium, Bolivia, Brazil, Canada, China, Colombia, Cuba,\r\nDominican Republic, Ecuador, France, Germany, Guatemala, Malaysia, Mexico,\r\nNicaragua, Peru, Russia, South Korea, Spain, Sweden, UK, Ukraine, USA,\r\nVenezuela and others.\r\nTools used LokiBot, Machete, Pyark, Living off the Land.\r\nOperations performed Mar 2017 We’ve found that this group has continued to operate successfully,\r\npredominantly in Latin America, since 2014. 
All attackers simply\r\nmoved to new C2 infrastructure, based largely around dynamic DNS\r\ndomains, in addition to making minimal changes to the malware in\r\norder to evade signature-based detection.\nMar 2019\nFrom the end of March up until the end of May 2019, ESET\nresearchers observed that there were more than 50 victimized\ncomputers actively communicating with the C\u0026C server. This amounts\nto gigabytes of data being uploaded every week.\nJun 2020\nOperation “HpReact”\nIn June 2020, 360 Security Center discovered a new backdoor Pyark\nwritten in Python by the fileless attack protection function.\nMar 2022\nIn mid-March, El Machete was spotted sending spear-phishing emails\nto financial organizations in Nicaragua, with an attached Word\ndocument titled “Dark plans of the neo-Nazi regime in Ukraine.”\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=833458a9-a8a0-4efb-be06-d5ef87b6b842",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=833458a9-a8a0-4efb-be06-d5ef87b6b842"
	],
	"report_names": [
		"showcard.cgi?u=833458a9-a8a0-4efb-be06-d5ef87b6b842"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775791496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/857fdda2b98ea0bad1d22ea22960c1bc4ec120d0.pdf",
		"text": "https://archive.orkl.eu/857fdda2b98ea0bad1d22ea22960c1bc4ec120d0.txt",
		"img": "https://archive.orkl.eu/857fdda2b98ea0bad1d22ea22960c1bc4ec120d0.jpg"
	}
}