{
	"id": "9b840ee1-ee65-4bed-9c3f-318665fdf395",
	"created_at": "2026-04-06T00:07:03.958799Z",
	"updated_at": "2026-04-10T03:23:26.842579Z",
	"deleted_at": null,
	"sha1_hash": "b2105fe6720ca339e9a28f55fecfe522c1f2c096",
	"title": "Sharpening the Machete",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 701841,
	"plain_text": "Sharpening the Machete\r\nBy ESET Research\r\nArchived: 2026-04-05 17:46:18 UTC\r\nLatin America is often overlooked when it comes to persistent threats and groups with politically motivated targets. There is, however, an ongoing case of cyberespionage against high-profile organizations that has managed to stay under the radar. The group behind these attacks has stolen gigabytes of confidential documents, mostly from Venezuelan government organizations. It is still very active at the time of this publication, regularly introducing changes to its malware, infrastructure and spearphishing campaigns.\r\nESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in April 2018. While the main functionality of the backdoor remains the same as in previous versions, it has been extended with new features over the course of a year.\r\nTargets\r\nFrom the end of March up until the end of May 2019, ESET researchers observed that there were more than 50 victimized computers actively communicating with the C\u0026C server. This amounts to gigabytes of data being uploaded every week. More than 75% of the compromised computers were part of Venezuelan government organizations, including the military forces, education, police, and foreign affairs sectors. This extends to other countries in Latin America, with the Ecuadorean military being another organization highly targeted with the Machete malware. The distribution of this malware in these countries is shown in Figure 1.\r\nhttps://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/\r\nPage 1 of 10\n\nFigure 1. Countries with Machete victims in 2019\r\nMalware operators\r\nMachete’s operators use effective spearphishing techniques. Their long run of attacks, focused on Latin American countries, has allowed them to collect intelligence and refine their tactics over the years. 
They know their targets, how to blend into regular communications, and which documents are of the most value to steal. Not only does Machete exfiltrate common office suite documents, but also specialized file types used by geographic information systems (GIS) software. The group is interested in files that describe navigation routes and positioning using military grids.\r\nThe Machete group sends very specific emails directly to its victims, and these change from target to target. These emails contain either a link to, or an attachment of, a compressed self-extracting archive that runs the malware and opens a document that serves as a decoy.\r\nFigure 2 is a typical PDF file displayed to a potential victim during compromise. To trick unsuspecting targets, Machete operators use real documents they have previously stolen; Figure 2 is a classified official document that is dated May 21st, 2019, the same day the related .zip file was first sent to targets. ESET has seen more cases like this where stolen documents dated on one particular day were bundled with malware and used on the same day as lures to compromise new victims.\r\nFigure 2. Decoy (PDF file) in one of the Machete downloaders (blurred)\r\nThe kind of documents used as decoys are sent and received legitimately several times a day by the group’s targets. For example, Radiogramas are documents used for communication in the Venezuelan military forces. Attackers take advantage of that, along with their knowledge of military jargon and etiquette, to craft very convincing phishing emails.\r\nMain characteristics\r\nThe Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018. Previous versions were described by Kaspersky in 2014 and Cylance in 2017. 
In Figure 3 we show the components for the new version of the Machete malware.\r\nFigure 3. Components of Machete\r\nThe first part of the attack consists of a downloader that comes as a self-extracting archive, made with 7z SFX Builder. Once the archive is unpacked by the self-extraction code, the extractor opens a PDF or Microsoft Office file that serves as a decoy, and then runs the downloader executable from the archive. That executable is another self-extracting file that contains the actual downloader binary (a py2exe component) and a configuration file with the downloader’s target URL as an encrypted string.\r\nAll download URLs we have seen are at either Dropbox or Google Docs. The files at these URLs have all been self-extracting (RAR SFX) archives containing encrypted configuration and py2exe backdoor components. Since May 2019, however, the Machete operators stopped using downloaders and started to include the decoy file and backdoor components in the same archive.\r\nThe py2exe binaries can be decompiled to obtain Python code. All of the components – downloaders and backdoors – are obfuscated with pyobfuscate. This has been used in previous versions of the malware as well. Figure 4 shows part of one of these obfuscated scripts.\r\nFigure 4. Script obfuscated with pyobfuscate\r\nSince August 2018, the Machete components have been delivered with an extra layer of obfuscation. The scripts now contain a block of zlib-compressed, base64-encoded text which, after being decoded, produces a script like the one in Figure 4. This first layer of obfuscation is produced using pyminifier with the -gzip parameter.\r\nBackdoor components\r\nMachete’s dropper is a RAR SFX executable. 
Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings. A schema summarizing the components is shown in Figure 5.\r\nFigure 5. Backdoor py2exe components of Machete\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nThe Chrome.exe component is responsible for collection of data from the victimized computer. It can:\r\nTake screenshots\r\nLog keystrokes\r\nAccess the clipboard\r\nAES-encrypt and exfiltrate documents\r\nDetect newly inserted drives and copy files\r\nExecute other binaries downloaded from the C\u0026C server\r\nRetrieve specific files from the system\r\nRetrieve user profile data from several browsers\r\nCollect geolocation of victims and information about nearby Wi-Fi networks\r\nPerform physical exfiltration to removable drives\r\nThe Machete operators are interested in obtaining specific file types from their targets. Apart from Microsoft Office documents, drives are searched for:\r\nBackup files\r\nDatabase files\r\nCryptographic keys (PGP)\r\nOpenOffice documents\r\nVector images\r\nFiles for geographic information systems (topographic maps, navigation routes, etc.)\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL. Part of the code is shown in Figure 6.\r\nFigure 6. 
Code for geolocation\r\nThe advantage of using Mozilla Location Service is that it permits geolocation without an actual GPS and can be more accurate than other methods. For example, an IP address can be used to obtain an approximate location, but it is not so accurate. On the other hand, if there is available data for the area, Mozilla Location Service can provide information such as in which building the target is located.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C\u0026C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.\r\nThis component uploads encrypted files to different subdirectories on the C\u0026C server, but it also retrieves specific files that have been put on the server by the Machete operators. This way, the malware can have its configuration, malicious binaries and file listings updated, but can also download and execute other binaries.\r\nIn conclusion\r\nThe Machete group is operating more strongly than ever, even after researchers have published technical descriptions and indicators of compromise for this malware. ESET has been tracking this threat for months and has observed several changes, sometimes within weeks.\r\nAt the time of this publication, the latest change introduced six backdoor components, which are no longer py2exe executables. Python scripts for malicious components, an original executable for Python 2.7, and all libraries used are packed into a self-extracting file.\r\nVarious artifacts that we have seen in Machete’s code and the underlying infrastructure lead us to think that this is a Spanish-speaking group. 
The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries, although we cannot be certain.\r\nA full and comprehensive list of Indicators of Compromise (IoCs) can be found in the full white paper and on GitHub. ESET detects this threat as a variant of Python/Machete.\r\nFor a detailed analysis of the backdoor, refer to our white paper Machete just got sharper: Venezuelan government institutions under attack.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1192 | Spearphishing Link | Emails contain a link to download a compressed file from an external server.\r\nInitial Access | T1193 | Spearphishing Attachment | Emails contain a zipped file with malicious contents.\r\nExecution | T1204 | User Execution | Tries to get users to open links or attachments that will execute the first component of Machete.\r\nExecution | T1053 | Scheduled Task | Other components of Machete are executed by Windows Task Scheduler.\r\nPersistence | T1158 | Hidden Files and Directories | Malware files and folders are hidden for persistence.\r\nPersistence | T1053 | Scheduled Task | All of the components are scheduled to ensure persistence.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Python scripts are obfuscated.\r\nDefense Evasion | T1045 | Software Packing | Machete payload is delivered as self-extracting files. Machete downloaders are UPX packed.\r\nDefense Evasion | T1036 | Masquerading | File and task names try to impersonate Google Chrome executables.\r\n
Credential Access | T1145 | Private Keys | A compromised system is scanned looking for key and certificate file extensions.\r\nCredential Access | T1081 | Credentials in Files | Machete exfiltrates files with stored credentials for Chrome and Firefox.\r\nDiscovery | T1049 | System Network Connections Discovery | Netsh command is used to list all nearby Wi-Fi networks.\r\nDiscovery | T1120 | Peripheral Device Discovery | Newly inserted devices are detected by listening for the WM_DEVICECHANGE window message.\r\nDiscovery | T1083 | File and Directory Discovery | File listings are produced for files to be exfiltrated.\r\nDiscovery | T1057 | Process Discovery | In the latest version, running processes are enumerated searching for browsers.\r\nDiscovery | T1217 | Browser Bookmark Discovery | Browser data such as bookmarks is gathered for Chrome and Firefox.\r\nDiscovery | T1010 | Application Window Discovery | Window names are reported along with keylogger information.\r\nCollection | T1115 | Clipboard Data | Clipboard data is stolen by creating an overlapped window that will listen to keyboard events.\r\nCollection | T1005 | Data from Local System | File system is searched for files of interest.\r\nCollection | T1025 | Data from Removable Media | Files are copied from newly inserted drives.\r\nCollection | T1056 | Input Capture | Machete logs keystrokes from the victim’s machine.\r\nCollection | T1113 | Screen Capture | Python Imaging Library is used to capture screenshots.\r\nCollection | T1074 | Data Staged | Files and logs are stored in the Winde folder, encrypted.\r\nCommand and Control | T1043 | Commonly Used Port | Standard FTP port is used for communications. Standard HTTP port as fallback.\r\nCommand and Control | T1008 | Fallback Channels | Machete uses HTTP to exfiltrate documents if FTP is unavailable.\r\n
Command and Control | T1105 | Remote File Copy | Machete can download additional files for execution on the victim’s machine.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | FTP is used for Command \u0026 Control.\r\nExfiltration | T1020 | Automated Exfiltration | All collected files are exfiltrated automatically via FTP to remote servers.\r\nExfiltration | T1002 | Data Compressed | Machete compresses browser’s profile data as .zip files prior to exfiltrating it.\r\nExfiltration | T1022 | Data Encrypted | Collected data is encrypted with AES before transmitting it. In the latest version of the malware, it is encoded with base64 (but not encrypted).\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Data is exfiltrated over the same channel used for C\u0026C.\r\nExfiltration | T1052 | Exfiltration Over Physical Medium | Data from all drives in a compromised system is copied to a removable drive if there is a special file in that drive.\r\nExfiltration | T1029 | Scheduled Transfer | Data is sent to the C\u0026C server every 10 minutes.\r\nSource: https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/"
	],
	"report_names": [
		"sharpening-machete-cyberespionage"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775791406,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2105fe6720ca339e9a28f55fecfe522c1f2c096.pdf",
		"text": "https://archive.orkl.eu/b2105fe6720ca339e9a28f55fecfe522c1f2c096.txt",
		"img": "https://archive.orkl.eu/b2105fe6720ca339e9a28f55fecfe522c1f2c096.jpg"
	}
}