{
	"id": "6ff4bcdc-116b-4150-a7a3-866172ceb1aa",
	"created_at": "2026-04-06T00:20:06.535316Z",
	"updated_at": "2026-04-10T03:24:56.398497Z",
	"deleted_at": null,
	"sha1_hash": "eb6bd1daa8364adaeb1a749bffeea39ebdfda558",
	"title": "apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 991046,
	"plain_text": "apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign\r\nPublished: 2020-09-25 · Archived: 2026-04-02 10:37:37 UTC\r\nIn June 2020, 360 Security Center discovered a new backdoor, Pyark, written in Python, through its fileless attack protection function. Through in-depth excavation and trace analysis of the backdoor, we discovered a series of advanced threat actions that have been active since 2019. By invading various military institutions in Venezuela, the attackers deployed the backdoor to continuously monitor and steal the latest military secrets. We named the group APT-C-43 according to 360’s convention for naming APT organizations.\r\nWhen tracing the attacker’s source, we found that the duration of this attack coincided with the Venezuelan political chaos, that the network assets used by the attackers were mostly deployed in Colombia, and that some assets were frequently found in Venezuela and Colombia. After the United Venezuelan coup, the reactionary government headed by Juan Gerardo Guaidó Márquez fled to Colombia to seek military assistance. We guess the political background of APT-C-43’s campaign may be to help the reactionaries led by Juan steal military secrets of the Venezuelan military and provide intelligence support for the confrontation between the reactionary government and the current Venezuelan government. Therefore, we named this series of attacks HpReact.\r\nIn the process of tracing the source, the campaign was linked to the APT group Machete, which can be traced back to 2010. The organization is an APT organization with Spanish roots. Its targets are military, embassies and government agencies in Latin America. Obviously, the HpReact campaign is only a small part of the organization’s cyber warfare in Latin America.\r\nThe picture below shows the decoy document used by APT-C-43 in this campaign. The content of the document is a policy issued by the Venezuelan authorities to prevent deserters from going to Colombia to support the reactionary government. For details of this policy, please refer to Appendix 1. It can be seen that the attackers have a good understanding of Venezuela’s current politics, military, etc., and are good at using such sensitive files to make decoy documents, which are highly targeted and inductive.\r\nhttps://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/\r\nPage 1 of 13\r\nTechnical Details\r\nThe APT-C-43 organization is good at launching attacks using phishing emails, and deploys the backdoor program Pyark (Machete), written in Python, after invading the victim’s machine. The network communication mainly relies on FTP and HTTP protocols. After successfully infiltrating the target machine, the APT-C-43 organization monitors the target users, steals sensitive data, etc. The complete process of infecting the target machine is as follows:\r\nThe infection process\r\nThe decoy document carries malicious macro code. It downloads the next-stage malicious component NisSrv.bat through the FTP protocol, and we can see many variables named after Spanish vocabulary in the code, such as servidor (server), Usuario (user name), Contraseña (password), etc.:\r\nNisSrv.bat downloads malicious components:\r\nThe file “setupXOX.msi” is a Windows Installer installation program made by MSI Wrapper to deploy the final backdoor components. When we studied the historical samples of the Machete organization, we found that the organization’s technology for deploying the backdoor has undergone an important change, with a clear time division. Through the following timeline, we can clearly see that the organization is constantly changing and innovating its own attack technique:\r\nMany fields in the installation program are forged to imitate the Acrobat Reader installation program, and the interface after running is related to Acrobat Reader:\r\nAfter the program runs, the Fpyark backdoor components are released to the %ProgramData%\\USOEnable directory. The Fpyark backdoor is written in Python. To run, it requires the Python execution environment and the various dependent libraries required by the script, which is why the size of setupXOX.msi reaches 8.10M. After installation, the entire directory structure is as follows:\r\nAfter deploying the above backdoor components, svchostt.exe is run according to the msiwpper configuration file:\r\nThe file “setupXOX.msi” is a virus releaser written in the Microsoft Visual Basic language, which releases NisSrv.bat and registers scheduled tasks to achieve self-starting and persistence. The program has the following vbp compilation path:\r\n@*\\AC:\\Users\\MITM\\Desktop\\malware\\3_svchostt\\Proyecto1.vbp\r\nThe relevant code is as follows:\r\nBackdoor module\r\nUpdateSession is the main control module of the backdoor. Its functions include self-starting of the backdoor, collection of network configuration, keystroke recording, and scheduling other modules to execute by means of timers:\r\nUpdateService traverses the disk directories and collects more than ten kinds of sensitive files with suffixes such as doc, xlsx and pdf from all directories except some system directories and security software directories.\r\nUpdateDevice takes screenshots:\r\nCapture camera screen:\r\nUpdatePlugin takes audio from the microphone:\r\nNotification is responsible for uploading the sensitive data collected by the above modules to the FTP server:\r\nThe interactive traffic characteristics are as follows:\r\nWhen analyzing the upload FTP server, we found that APT-C-43 manages the uploaded sensitive files through Tiny File Manager:\r\nSummary\r\nThe entire HpReact campaign highly coincides with the timeline of Venezuelan political turmoil. APT-C-43 took Venezuelan military agencies as its main targets and carried out surveillance and stealing activities for about two years, forming a significant impact on Venezuela’s national security and a great safety hazard. In recent years, with the intensification of cyber warfare in various countries, cyberspace security has become another important area for each country to maintain national security, and building strong cybersecurity has become a top priority for each country.\r\nAt present, 360 Total Security supports the detection of attacks by this organization.\r\nTeam Introduction\r\n360 Baize Lab (formerly the 360 FirstAid team): Focusing on BOOTKIT/ROOTKIT Trojan analysis and traceability, it was the first to discover the world’s first UEFI Trojan Spy Shadow (UEFI木马谍影), the boot area Trojan Hidden Soul (引导区木马隐魂), Dual Guns (双枪) and multiple large-scale dark brush botnets, such as Black Fog and Diaster. Now renamed 360 Baize Lab on the basis of the original business, it is involved in APT testing and research. The laboratory provides core security data for 360 Security Guards, the 360 FirstAid team and other products, as well as stubborn Trojan detection and killing solutions, while providing technical support to 360 Security Center.\r\nAppendix 1\r\nhttps://www.totalnewsagency.com/internacionales/ante-la-alarmante-desercion-el-ministro-de-defensa-de-venezuela-ordeno-convencer-a-los-soldados-de-regresar-como-sea\r\nAppendix 2\r\nhttps[:]//securelist.com/el-machete/66108\r\nhttps[:]//www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf\r\nAppendix 3\r\nMD5:\r\nfbe5b66db57fb52b231c5374ac2ac805\r\n6b33fa0c52ca413d4214dcde007f89c1\r\nf85489c1d1ff3374f92ccb7267032016\r\nIP:\r\n92.249.44.53\r\n185.70.105.33\r\nSource: https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/"
	],
	"report_names": [
		"apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb6bd1daa8364adaeb1a749bffeea39ebdfda558.pdf",
		"text": "https://archive.orkl.eu/eb6bd1daa8364adaeb1a749bffeea39ebdfda558.txt",
		"img": "https://archive.orkl.eu/eb6bd1daa8364adaeb1a749bffeea39ebdfda558.jpg"
	}
}