{
	"id": "c1123107-a988-4e49-89d3-5d43d5c2a383",
	"created_at": "2026-04-06T00:22:21.097269Z",
	"updated_at": "2026-04-10T13:12:52.579314Z",
	"deleted_at": null,
	"sha1_hash": "a483a36210f0eb3aee989f60cafd830d07ec25ef",
	"title": "El Machete APT Group - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1648595,
	"plain_text": "El Machete APT Group - Brandefense\r\nPublished: 2022-08-01 · Archived: 2026-04-05 14:08:24 UTC\r\nAugust 1, 2022\r\n4:41 pm\r\nEl Machete APT Group\r\nThreat Actor ID\r\nGroup Name: El Machete\r\nCountry: USA\r\nFirst Seen: 2014\r\nMotivation: Information theft and espionage\r\nMethods: Malware, Spearphishing\r\nOther Names: APT-C-43\r\nVision, Mission, and Motivation\r\nMachete is a South American-based APT group operating since 2010. They are also known as APT-C-43. Attacks affecting many countries, especially in Latin America, are carried out against high-profile organizations such as government agencies, law enforcement, telecommunications, and energy companies. Information theft and espionage are the primary motivations for the attacks. Activities include capturing screenshots from compromised devices, capturing geolocation data, accessing webcams, copying sensitive data to a remote server, and keylogging.\r\nThe group, which frequently uses social engineering techniques such as including malware-laden documents and links in fake e-mails, is known to conduct extensive intelligence work on the target before carrying out the attack. It has been determined that genuine military documents were used in phishing attacks by the threat actors.\r\nhttps://brandefense.io/blog/apt-groups/el-machete-apt-group/\r\nPage 1 of 13\r\nFigure 1: Forged documents belonging to El Machete\r\nApproximately 75 forged documents belonging to the threat actor group were identified. The themes of the forged documents, most of which were found to have been seized in previous attacks and repurposed for targeted phishing attacks, were related to military matters, ranging from national-level political issues concerning the victims to personnel assignments. It has also been observed that the threat actors exploit the victim's sense of fear and panic by using themes such as debt collection and subpoenas. According to the metadata analysis of these documents, they were created in 2000, 2006, 2011, 2013, 2014, 2015, 2016, and 2017.\r\nThe graphic below shows the format information and usage rate of the documents used by the threat actors.\r\nFigure 2: Format information and usage rate of the documents used by the El Machete APT group\r\nTargeted Countries\r\nAnalysis of the documents used by the group determined that they were primarily prepared in Spanish and Portuguese, and that the malware used contained Spanish-language scripts. It can be deduced that the Machete APT group explicitly targets countries that use these two languages.\r\nFigure 3: Spanish code example\r\nThe countries where the cyber espionage group, which generally targets Latin American countries with effective spearphishing techniques, operates are as follows:\r\nVenezuela\r\nRussia\r\nCuba\r\nChina\r\nBelgium\r\nEcuador\r\nBrazil\r\nSpain\r\nFrance\r\nColombia\r\nPeru\r\nSweden\r\nUnited States of America\r\nMalaysia\r\nFigure 4: Targeted countries\r\nOperations\r\nThe group, which carried out a China-focused attack in 2014, sent the files Hermosa XXX.pps.rar, Suntzu.rar, El Arte de la guerra.rar, and Hot Brazilian XXX.rar to its victims via fake e-mails. It was determined that the malware-laden files, with a total size of 3 MB, were created in 2008. Analysis of the attack targeting the Windows operating system yielded clues that the attackers had developed their infrastructure for Mac OS X and Android.\r\nBy 2018, a concealment layer using Zlib compression and base64 encoding had been added to the malware used in attacks against targets. Because of this, most security products could not detect the updated malware, increasing the success rate of the targeted attacks.\r\nIn 2019, the threat actors carried out an attack targeting the Venezuelan army. The phishing attack attracted attention due to the use of genuine military documents obtained in previous operations. After the attack, the group obtained sensitive data belonging to the army.\r\nBy 2022, the group was targeting government institutions and the energy and finance sectors in Venezuela, Israel, Saudi Arabia, and Pakistan, using official documents about the ongoing war between Ukraine and Russia. The threat actors continued their espionage campaigns, using phishing techniques, screen capture, keylogging, and the delivery of malware-laden documents that allow command execution on compromised systems.\r\nTTPs \u0026 Attack Lifecycle\r\nThreat actors follow a series of stages that make up the attack lifecycle when they devise specific strategies to infiltrate an organization's network and capture data. These stages are described as tactics, techniques, and procedures (TTPs). Understanding the tactics, techniques, and procedures is essential to determine the purpose and motivations of threat actors and to secure data and networks against real attacks.\r\nThis section lists the tactics, techniques, and procedures attributed to the APT-C-43 group.\r\nTactic | Technique ID | Technique\r\nInitial Access | T1192 | Spearphishing Link\r\nInitial Access | T1193 | Spearphishing Attachment\r\nExecution | T1204 | User Execution\r\nExecution | T1053 | Scheduled Task\r\nPersistence | T1158 | Hidden Files and Directories\r\nPersistence | T1053 | Scheduled Task\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1045 | Software Packing\r\nDefense Evasion | T1036 | Masquerading\r\nCredential Access | T1145 | Private Keys\r\nCredential Access | T1081 | Credentials in Files\r\nDiscovery | T1049 | System Network Connections Discovery\r\nDiscovery | T1120 | Peripheral Device Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | (no ID given) | Process Discovery\r\nDiscovery | T1217 | Browser Bookmark Discovery\r\nDiscovery | T1010 | Application Window Discovery\r\nCollection | T1115 | Clipboard Data\r\nCollection | T1005 | Data from Local System\r\nCollection | T1025 | Data from Removable Media\r\nCollection | T1056 | Input Capture\r\nCollection | T1113 | Screen Capture\r\nCollection | T1074 | Data Staged\r\nCommand and Control | T1008 | Fallback Channels\r\nCommand and Control | T1105 | Remote File Copy\r\nCommand and Control | T1071 | Standard Application Layer Protocol\r\nExfiltration | T1020 | Automated Exfiltration\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel\r\nExfiltration | T1052 | Exfiltration Over Physical Medium\r\nExfiltration | T1029 | Scheduled Transfer\r\nIndicators of Compromise\r\nGoogleUpdate.exe\r\nHash (SHA1) | Definition\r\n048C40EB606DA3DEF08C9F6997C1948AFBBC959B Python/Machete.F\r\n2E8D8508096CAA38493414F6BA788D0041EA9E15 Python/Machete.F\r\n85BDD7D871108C737701AC30C14A2D343CBDEF94 Python/Machete.D\r\n8ED8CB784512F7DADD147347FC94E945FAF16338 Python/Machete.F\r\n9C413075AAB7EF7876B8DC8D7B7C1B9B96842C6E Python/Machete.A\r\nAB8DD6B0CC950618589603012863B57F7ADB9D9B Python/Machete.A\r\nChrome.exe\r\nHash (SHA1) | Definition\r\n318496B58CF5052EFD49A95C721D9165278E9FCE Python/Machete.B\r\n3BB345032B6D0226D6771BA65FE4DA0FAF628631 Python/Machete.B\r\n946A24DFBD0AE94209EF7C284D3F462548566A3C Python/Machete.B\r\n984B9202A6DBD7D3DD696CAE1220338A68092DC9 Python/Machete.B\r\nEABD45D0A86113F5CCFF9FD292C1E482A5727815 Python/Machete.B\r\nF05BC018C90B560DC4932758956ADFFBC10588CE Python/Machete.B\r\nGoogleCrash.exe\r\nHash (SHA1) | Definition\r\n204A2850548E5994D4696E9002F90DFCCBE2093A Python/Machete.C\r\n3792588EDC809270E6666A4677EC85A3400BA4CF Python/Machete.E\r\n4899A2C2CECEB92D2CC4ED17D092D1D599379284 Python/Machete.A\r\nA42756280AA352F4612BED85AABF7F3267E676C2 Python/Machete.E\r\nA97CF05AD7F3102BDE45E4B4947ED435EFEA1968 Python/Machete.E\r\nRAR/7z SFX: Config + Payload\r\nHash (SHA1) | Definition\r\n00397DA69B8E748720AEDFD80D78166573C33EC8 ders.exe\r\n03929A5530639C1D9DBD395A298C59FD7EFF1DEC chrome.sfx.exe\r\n0922DEFB82FF1140BBE3481BAB27564BB966D50B ChrOme_UpdAte.sfx.exe\r\n0AC64E08E63601AD9D6A4EF019E5B374784AF80A chrome.sfx.exe\r\n0BA5BCE133B50EF80FD9241C3EA5CB9135CA4EB1 ders.exe\r\n161629F63422AB34108854662313F87A278DD7F5 chrome.sfx.exe\r\n24752DAB28C3ADD4C31591F2EC480CE3CA83E0AA python27.exe\r\n341F2EFA0FD11B4480D8503BFB81C62AF667D72D chrome_Up.sfx.exe\r\n4C130AA110B290A0CF4FF1C099EA2A705081A9CB Chrome_Update.sfx.exe\r\n50C23690C23EE070AD3A20FCED7311BFDF098833 ders.exe\r\n67ECBC1E9A66719C599E6DDED33A85F70DACA13E chrome.sfx.exe\r\n6A69A2A2D4A2F8690B71386F0F092B04EA5A647D ChrOme_UpdAte.sfx.exe\r\n92C56AF6815597C0135C21EF5A35D41B0E2A460F Python_27.exe\r\n9E52E1C015B97D4FB2CAC888F8FC69D729AF78F5 finaser.aes\r\nA48A71B9D1C00A683397F97C02E0DBB3F4606863 ders.exe\r\nB6E436A0FFF117A1C3D3D70947F62D4CAC66C95E ders.exe\r\nC4ACCF6071F51ADE102190C6FA350435FC202654 Python.27.exe\r\nD5238CDE036EEFCC6D8D686B3A00247F27DA894C Python.27.exe\r\nDDA105D8D894F73B16518D546270E4F783CB5178 python27.exe\r\nE85C1EF38C39B6087EA9AC8171DDD1416B9A5306 python27.exe\r\nFD52B10E9D4E5D343E589627444A6766357D5E47 Security.exe\r\n7z SFX: Decoy C+ Downloader\r\nHash (SHA1) | Definition\r\n52B680F472AE463436979DA325DB7AD64D5AF1EF Mapa_monitoreo_WRF_ind02052018.scr\r\n69109287D41C002FA70BB3D6238C4056B2B24B2F Mapa_monitoreo_WRF_ind02052018.scr\r\n89C0FDEED36A69099E935A590A103339B0CBE525 Mapa_monitoreo_WRF_ind02052018.scr\r\n9EA7832D83C74C839A49580B4211E627A24571BE Programa Formacion en Contratacion Publica.scr\r\nBFD0CBEF5B9C329792B38274474F04BD8109DF66 RGMA0_1_629.scr\r\nFB871AACA0DDCF2F009A2D11ECF672CFB61B7357 CALENDARIO_ACTIVIDADES_COLCO_EC.scr\r\nFDE89FCEC30FCAABB3D42ED87180843F3E760CD8 Mapa_monitoreo_WRF_ind02052018.scr\r\nRAR SFX: URL Config + Downloader\r\nHash (SHA1) | Definition\r\n9912BDBE08179122DC3797A2585D463573D1B5A5 04Down.exe\r\nAB16808B5B4706B6265C5FF5FEF8B8460C8A51F8 4Down.sfx.exe\r\nBDAAB0B356EC9FE61FEE1723E1DD52E39DDC6699 04Down.exe\r\nDED6509458DF62D3CE60C68F3A2A87E59F1F96BE Down.sfx.exe\r\nDownloader\r\nHash (SHA1) | Definition\r\n2B7404F6B0075BC1192D61D4AF135D521D5F08A3 RdrCEF.exe\r\n53102E57B40FEACB64566C26D101D9242DECE77C Down.exe\r\n56E8743E0773286A4B9E055147D96D53A43BECA1 Down.exe\r\n71F69F04307C8F5675DCADEAA80B8C2B95691B01 Down.exe\r\n904137B61F1DED66C8CA76EBF198DEC1B638B5D4 Down.exe\r\nFBB485B40477F5A014E7096747B1B4A494CE50EF Down.exe\r\n_hashlbi.pyw\r\nHash (SHA1) | Definition\r\n1B3723651E1D321D4F34F2A243D7751D17288257 Python/Machete.G\r\n7FFB9C7DA20C536B694E78538B65726EACB1B055 Python/Machete.G\r\nB1ADF4B46350FB801CE54DA9C93A4EF79674F3F5 Python/Machete.G\r\n_bsdbd.pyw\r\nHash (SHA1) | Definition\r\n0C33B75F6C4FC0413ABDBCDA1C5E18C907F13DC3 Python/Machete.G\r\n314D9B4C25DD69453D86E4C7062DCE6DEDDA0533 Python/Machete.G\r\nD4CF22F3DB78BDC1CEB55431857D88166CE677D4 Python/Machete.G\r\n_clypes.pyw\r\nHash (SHA1) | Definition\r\n26FB301AF7393B5E564B8C802F5795EDEBD7CECF Python/Machete.G\r\n979859B5A177650EF0549C81FD66D36E9DEA8078 Python/Machete.G\r\nA07E38DF9887EA7811369CD72C57FD6D44523CD6 Python/Machete.G\r\n_elementree.pyw\r\nHash (SHA1) | Definition\r\n07E383E9FF04F587769845306DC4BFE75630BAAA Python/Machete.G\r\n3B6F5CB20FF3AC0EE3813A68A937AAE92EBC46D3 Python/Machete.G\r\n56765B7511372A8E9BE017F48A764D141F485474 Python/Machete.G\r\nCF2DC40926D8747AEC572DFD711BBFD766AADB10 Python/Machete.G\r\n_mssi.pyw\r\nHash (SHA1) | Definition\r\n6B42091CA2F89A59F4E27E30ACDACF32EB83F824 Python/Machete.G\r\n708F159F2CFE22FF0C4464F2FEDAA0501868BDD8 Python/Machete.G\r\nDE639618B550DBE9071E999AAA5B4FC81F63A5A6 Python/Machete.G\r\n_multiproccessing.pyw\r\nHash (SHA1) | Definition\r\n0B6F61AF3E2C6551F15E0F888177EEC91F20BA99 Python/Machete.G\r\n76AABC0AF5D487A80BCBA19555191B46766139FA Python/Machete.G\r\n7FF87649CA1D9178A02CD9942856D1B590652C6E Python/Machete.G\r\n8692EB1E620F2BCDDAF28F0CB726CEC2AA1C230D Python/Machete.G\r\n8AF19AA3F18CB35F12EE3966931E11799C3AC5A4 Python/Machete.G\r\nE1BC4EC7F82FA06924DC4B43FBBB485D8C86D9CD Python/Machete.G\r\nDomains\r\nkoliast[.]com\r\ntobabean[.]expert\r\nu929489355.hostingerapp[.]com\r\nu154611594.hostingerapp[.]com\r\n6e24a5fb.ngrok[.]io\r\nf9527d03.ngrok[.]io\r\nadtiomtardecessd.zapto[.]org\r\nmcsi.gotdns[.]ch\r\ndjcaps.gotdns[.]ch\r\ntokeiss.ddns[.]net\r\nartyomt[.]com\r\nlawyersofficial.mipropia[.]com\r\nceofanb18.mipropia[.]com\r\nIP Addresses\r\n185[.]224[.]137[.]63\r\n156[.]67[.]222[.]88\r\n158[.]69[.]9[.]209\r\n142[.]44[.]236[.]215\r\n199[.]79[.]63[.]188\r\n109[.]61[.]164[.]33\r\nRecommendations \u0026 Mitigations\r\nAttacks by threat actors damage the brand integrity of institutions and organizations by violating the security of their systems. The measures an institution can take to secure critical data and minimize risk are as follows:\r\n• To protect accounts against brute force attacks, strong passwords should be created, and each password should be unique to its platform. In addition, it is recommended to enable multi-factor authentication on accounts wherever possible; this provides an extra layer of security.\r\n• Suspicious e-mails and links should not be trusted. As seen with the Machete APT group covered in this post, delivering malware-laden documents to victims via fake e-mails is a social engineering technique frequently used by threat actors. To guard against social engineering attacks, it is also important to raise awareness and train the institution's personnel on this issue.\r\n• Make sure the software in use is up to date. Threat actors can compromise systems through out-of-date, vulnerable applications and software.\r\n• Software and applications should be obtained from reliable sources; unknown websites should be avoided.\r\n• Comprehensive security products such as firewalls and antivirus programs should be used to protect against possible attacks and to secure sensitive data. These products protect individuals and institutions from risks such as malware and phishing attacks, or reduce the impact of attacks.\r\nConclusion\r\nThe Machete APT group carries out carefully prepared attacks on targets that can be considered very important, although it is less known than many threat actors. Although it has not been found to exploit any zero-day vulnerabilities, the group carries out cyber attacks with advanced phishing techniques and malware after performing extensive intelligence work on the target and gathering information.\r\nThe Brandefense Threat Intelligence Team prepared this post to raise awareness of cyber attacks carried out by Machete and similar threat actors. It was prepared so that potential targets can correctly determine the necessary precautions and priorities.\r\nDownload the IoCs from the Brandefense GitHub Repository.\r\nSource: https://brandefense.io/blog/apt-groups/el-machete-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://brandefense.io/blog/apt-groups/el-machete-apt-group/"
	],
	"report_names": [
		"el-machete-apt-group"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61c16af3-1c0e-449d-bc0e-60ae3f49dd9f",
			"created_at": "2024-07-28T02:00:04.69478Z",
			"updated_at": "2026-04-10T02:00:03.681909Z",
			"deleted_at": null,
			"main_name": "UAC-0102",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0102",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a483a36210f0eb3aee989f60cafd830d07ec25ef.pdf",
		"text": "https://archive.orkl.eu/a483a36210f0eb3aee989f60cafd830d07ec25ef.txt",
		"img": "https://archive.orkl.eu/a483a36210f0eb3aee989f60cafd830d07ec25ef.jpg"
	}
}