Machete is a cyber espionage toolset developed by a Spanish-speaking group known as El Machete. It is a Python-based backdoor targeting Windows machines, and it was first observed in 2010.[1][2]

ID: S0409
Platforms: Windows
Contributors: Matias Nicolas Porolli, ESET
Version: 1.0
Created: 13 September 2019
Last Modified: 15 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery

Machete saves the window names. [1]

Enterprise T1123 Audio Capture

Machete captures audio from the computer’s microphone. [2]

Enterprise T1020 Automated Exfiltration

Machete’s collected files are exfiltrated automatically to remote servers. [1]

Enterprise T1217 Browser Bookmark Discovery

Machete retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers. [1]

Enterprise T1115 Clipboard Data

Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events. [1][2]

Enterprise T1503 Credentials from Web Browsers

Machete collects stored credentials from several web browsers. [1]

Enterprise T1081 Credentials in Files

Machete exfiltrates the files "key3.db" and "signons.sqlite", which store passwords, from several browsers. [1]

Enterprise T1002 Data Compressed

Machete stores zipped files with profile data from installed web browsers. [1]

Enterprise T1022 Data Encrypted

Machete's collected data is encrypted with AES before exfiltration. [1]

Enterprise T1005 Data from Local System

Machete searches the file system for files of interest. [1]

Enterprise T1025 Data from Removable Media

Machete copies files from newly inserted drives. [1]

Enterprise T1074 Data Staged

Machete stores files and logs in a folder on the local drive. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Machete’s downloaded data is decrypted using AES.[1]

Enterprise T1041 Exfiltration Over Command and Control Channel

Machete's collected data is exfiltrated over the same channel used for C2.[1]

Enterprise T1052 Exfiltration Over Physical Medium

Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[1][2]

Enterprise T1008 Fallback Channels

Machete has sent data over HTTP if FTP failed, and has also used a fallback server. [1]

Enterprise T1083 File and Directory Discovery

Machete produces file listings in order to search for files to be exfiltrated. [1]

Enterprise T1107 File Deletion

Once a file is uploaded, Machete will delete it from the machine. [1]

Enterprise T1158 Hidden Files and Directories

Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[1]

Enterprise T1056 Input Capture

Machete logs keystrokes from the victim’s machine. [1][2]

Enterprise T1036 Masquerading

Machete renamed payloads and task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables. [1]

Enterprise T1027 Obfuscated Files or Information

Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation.[1]

Enterprise T1120 Peripheral Device Discovery

Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message. [1]

Enterprise T1145 Private Keys

Machete has scanned and looked for cryptographic keys and certificate file extensions. [1]

Enterprise T1057 Process Discovery

Machete has a component to check for running processes to look for web browsers. [1]

Enterprise T1105 Remote File Copy

Machete can download additional files for execution on the victim’s machine. [1]

Enterprise T1053 Scheduled Task

The different components of Machete are executed by Windows Task Scheduler.[1]

Enterprise T1029 Scheduled Transfer

Machete sends stolen data to the C2 server every 10 minutes. [1]

Enterprise T1113 Screen Capture

Machete captures screenshots.[1][2]

Enterprise T1064 Scripting

Machete uses Python scripts. [1][2]

Enterprise T1045 Software Packing

Machete has been packed with NSIS. [1]

Enterprise T1071 Standard Application Layer Protocol

Machete uses FTP and HTTP for Command & Control.[1]

Enterprise T1082 System Information Discovery

Machete collects the hostname of the target computer. [1]

Enterprise T1016 System Network Configuration Discovery

Machete collects the MAC address of the target computer. [1]

Enterprise T1049 System Network Connections Discovery

Machete uses the "netsh wlan show networks mode=bssid" and "netsh wlan show interfaces" commands to list all nearby WiFi networks and connected interfaces. [1]

Enterprise T1125 Video Capture

Machete takes photos from the computer’s web camera. [2]

Groups That Use This Software

ID Name References
G0095 Machete [2] [1]