Machete is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.[1][2][3]

ID: G0095
Associated Groups: El Machete
Contributors: Matias Nicolas Porolli, ESET
Version: 1.2
Created: 13 September 2019
Last Modified: 22 September 2020

Associated Group Descriptions

Name Description
El Machete


Techniques Used

Domain ID Name Use
Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Machete malware used FTP for C2.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Machete malware used Python’s urllib library to make HTTP requests to the C2 server.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Machete used the startup folder for persistence.[1]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Machete used multiple compiled Python scripts on the victim’s system.[1]

Enterprise T1025 Data from Removable Media

Machete had a module in its malware to find, encrypt, and upload files from fixed and removable drives.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Machete created their own directories to drop files into.[1]

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

Machete has used free dynamic DNS domains for C2.[1]

Enterprise T1027 Obfuscated Files or Information

Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[2][3]

Enterprise T1566 .002 Phishing: Spearphishing Link

Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[1][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Machete used scheduled tasks for persistence.[1]

Enterprise T1204 .002 User Execution: Malicious File

Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.[1][2][3]

Enterprise T1204 .001 User Execution: Malicious Link

Machete has relied on users opening malicious links delivered through spearphishing to execute malware.[1][2][3]


Software

ID Name References
S0409 Machete [2][3]

Techniques:
Application Layer Protocol: File Transfer Protocols
Application Layer Protocol: Web Protocols
Application Window Discovery
Archive Collected Data: Archive via Custom Method
Archive Collected Data
Audio Capture
Automated Exfiltration
Browser Bookmark Discovery
Clipboard Data
Command and Scripting Interpreter: Python
Credentials from Password Stores: Credentials from Web Browsers
Data from Local System
Data from Removable Media
Data Staged: Local Data Staging
Deobfuscate/Decode Files or Information
Encrypted Channel: Symmetric Cryptography
Encrypted Channel: Asymmetric Cryptography
Exfiltration Over C2 Channel
Exfiltration Over Physical Medium: Exfiltration over USB
Fallback Channels
File and Directory Discovery
Hide Artifacts: Hidden Files and Directories
Indicator Removal on Host: File Deletion
Ingress Tool Transfer
Input Capture: Keylogging
Masquerading: Match Legitimate Name or Location
Masquerading: Masquerade Task or Service
Obfuscated Files or Information
Obfuscated Files or Information: Software Packing
Peripheral Device Discovery
Process Discovery
Scheduled Task/Job: Scheduled Task
Scheduled Transfer
Screen Capture
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
Unsecured Credentials: Private Keys
Video Capture