Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:31:25 UTC
Home > List all groups > List all tools > List all groups using tool Machete
 Tool: Machete
Names
Machete
El Machete
Category Malware
Type Reconnaissance, Backdoor, Info stealer, Credential stealer
Description
According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe
components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A
single configuration file, jer.dll, is dropped, and it contains base64-encoded text that
corresponds to AES-encrypted strings.
GoogleCrash.exe is the main component of the malware. It schedules execution of the
other two components and creates Windows Task Scheduler tasks to achieve persistence.
Regarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi
networks and sends it to the Mozilla Location Service API. In short, this application
provides geolocation coordinates when it’s given other sources of data such as Bluetooth
beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and
longitude coordinates to build a Google Maps URL.
The GoogleUpdate.exe component is responsible for communicating with the remote
C&C server. The configuration to set the connection is read from the jer.dll file: domain
name, username and password. The principal means of communication for Machete is
via FTP, although HTTP communication was implemented as a fallback in 2019.
Information
MITRE ATT&CK Malpedia AlienVault OTX https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc
Page 1 of 2

Last change to this tool card: 14 May 2020
Download this tool card in JSON format
All groups using tool Machete
Changed Name Country Observed
APT groups
  El Machete [Unknown] 2010-Mar 2022  
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0abfd804-c6f6-483e-987b-3714073798bc
Page 2 of 2