{
	"id": "00cb76b1-d9df-49e1-968a-8e67f0803343",
	"created_at": "2026-04-06T00:12:46.335072Z",
	"updated_at": "2026-04-10T13:11:54.376839Z",
	"deleted_at": null,
	"sha1_hash": "ac42ed3c1aebf100e958879d9a9e00e33085d7c7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50888,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:31:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Machete\n Tool: Machete\nNames\nMachete\nEl Machete\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Credential stealer\nDescription\nAccording to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe\ncomponents are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A\nsingle configuration file, jer.dll, is dropped, and it contains base64-encoded text that\ncorresponds to AES-encrypted strings.\nGoogleCrash.exe is the main component of the malware. It schedules execution of the\nother two components and creates Windows Task Scheduler tasks to achieve persistence.\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi\nnetworks and sends it to the Mozilla Location Service API. In short, this application\nprovides geolocation coordinates when it’s given other sources of data such as Bluetooth\nbeacons, cell towers or Wi-Fi access points. Then the malware takes latitude and\nlongitude coordinates to build a Google Maps URL.\nThe GoogleUpdate.exe component is responsible for communicating with the remote\nC\u0026C server. The configuration to set the connection is read from the jer.dll file: domain\nname, username and password. The principal means of communication for Machete is\nvia FTP, although HTTP communication was implemented as a fallback in 2019.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc\nPage 1 of 2\n\nLast change to this tool card: 14 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Machete\r\nChanged Name Country Observed\r\nAPT groups\r\n  El Machete [Unknown] 2010-Mar 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc"
	],
	"report_names": [
		"listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac42ed3c1aebf100e958879d9a9e00e33085d7c7.pdf",
		"text": "https://archive.orkl.eu/ac42ed3c1aebf100e958879d9a9e00e33085d7c7.txt",
		"img": "https://archive.orkl.eu/ac42ed3c1aebf100e958879d9a9e00e33085d7c7.jpg"
	}
}