{
	"id": "ec591e27-0c69-4a46-b354-921a3ac21d1d",
	"created_at": "2026-04-06T00:11:29.168057Z",
	"updated_at": "2026-04-10T03:24:56.391466Z",
	"deleted_at": null,
	"sha1_hash": "bd2fcfc99754042526b3b81edf3d5efeb60ad51f",
	"title": "El Machete — What do we know about the APT targeting Latin America?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53229,
	"plain_text": "El Machete — What do we know about the APT targeting Latin\r\nAmerica?\r\nBy Veronica Valeros\r\nPublished: 2017-06-26 · Archived: 2026-04-05 16:58:34 UTC\r\n‘Machete’ or ‘El Machete’ is a targeted attack campaign that was first documented in 2014 [1] by Kaspersky’s\r\nGReAT team. Early this year, the Cylance SPEAR team reported how, after all these years, El Machete is still active\r\n[2]. Let’s walk through what we know about this targeted campaign.\r\nMachete: A Cyber-Espionage Tool\r\nMachete is a piece of malware that has the standard characteristics of a cyber-espionage tool. According to previous\r\nreports [1] [2], the malware capabilities include: capturing keystrokes, capturing screenshots, capturing audio,\r\ncapturing webcam pictures, stealing information from the clipboard and documents from local and removable\r\ndrives. Most of these capabilities are obtained through external modules written in Python.\r\nThe Targets: An Unusual Bunch\r\nWhile not unheard of, it is not common to hear of Latin American countries as targets for sophisticated threat actors.\r\nSince the first report, a series of countries remain the most common victims: Ecuador, Venezuela, Peru,\r\nArgentina, Colombia, and Cuba. According to [2], victims were also found in other countries, including Korea, the\r\nUnited States, the Dominican Republic, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany,\r\nRussia, and Ukraine.\r\nA Decade Of Activities?\r\nAs mentioned before, the first public report about Machete is from 2014, but the article mentions that the threat is\r\nbelieved to have been active since 2010 or even before. Indeed, from the shared indicators, the oldest sample was first\r\nsubmitted to VirusTotal in 2010 (b26d1aec219ce45b2e80769368310471). Thanks to Cylance, we learnt early this\r\nyear that El Machete was still active. If we place its starting date around 2010 or before, then El Machete has been\r\nactive for almost a decade. 
As mentioned by Cylance, the threat activities have continued during the\r\nlast years without major disruption, even though there are plenty of published indicators on how to detect the\r\nthreat.\r\nDelivery Mechanisms\r\nPhishing emails are the main source of infections. The emails usually contain external links to sites where users\r\nare lured, via social engineering techniques, to download an executable masked with a “.SCR” extension.\r\nhttps://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6\r\nPage 1 of 3\n\nKaspersky also reported back in 2014 that web infections via fake blog websites were also used. In this case, the\r\nauthors did not bother creating sophisticated web infections; they just took pieces of code from SET (The\r\nSocial-Engineer Toolkit) [1].\r\nAn APT With Hispanic Roots\r\nThere are two aspects here to mention: the Spanish-speaking victims and the Spanish language used in the code of\r\nthe malware.\r\nMost victims are Spanish speaking according to the existing reports. The phishing campaigns, the names of the\r\npayload files and even the external domains used to host the payloads use Spanish words and language,\r\nconfirming the findings. Even infections in external countries may be because Spanish-speaking targets are located\r\nthere, like ambassadors or political representatives.\r\nIt is theorised that the threat actors are also Spanish speakers. The source code of the malware is full of Spanish\r\nterms for things like folders and the names of some functions. 
While these facts are not enough to confirm that the\r\nthreat actors are native Spanish speakers, they do suggest they have at least a basic understanding of the language.\r\nSummary\r\nEl Machete is a very unusual piece of malware, not so much for how it is built but for its targets. Latin Americans\r\nneed to start being aware that sophisticated actors are targeting them and that this will not stop [3]. There is a need to\r\nincrease their defensive cyber capabilities, not only to avoid these types of infections but to reduce the time to\r\ndetect them.\r\nReferences\r\n[1] Kaspersky GReAT Team. (2014, August 20). El Machete. Retrieved June 25, 2017, from\r\nhttps://securelist.com/el-machete/66108/\r\n[2] The Cylance SPEAR Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM.\r\nRetrieved June 25, 2017, from https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html\r\n[3] Franceschi-Bicchierai, L. (2015, August 6). Malware Hunter Finds Spyware Used Against Dead Argentine\r\nProsecutor. Retrieved June 26, 2017, from https://motherboard.vice.com/en_us/article/d73m8y/malware-hunter-finds-spyware-used-against-dead-argentine-prosecutor\r\nSource: https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6"
	],
	"report_names": [
		"el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775791496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd2fcfc99754042526b3b81edf3d5efeb60ad51f.pdf",
		"text": "https://archive.orkl.eu/bd2fcfc99754042526b3b81edf3d5efeb60ad51f.txt",
		"img": "https://archive.orkl.eu/bd2fcfc99754042526b3b81edf3d5efeb60ad51f.jpg"
	}
}