Machete (G0095): Persistent Cyber Espionage in Latin America and Beyond
- Suspected Origin
- Unknown (suspected Spanish-speaking origin, possibly Latin America)
- Motivation
- Espionage, Information Theft
- Aliases
- APT-C-43, El Machete
- Target Sectors
- Government, Military, Intelligence Services, Telecommunications, Power Companies, Embassies, Education, Financial
- Associated Malware
- Machete, Pyark, LokiBot
Overview
Machete, tracked as G0095 in the MITRE ATT&CK framework, is a highly persistent and suspected Spanish-speaking cyber espionage group that has been actively conducting operations since at least 2010. Over more than a decade, the group has primarily focused its intelligence-gathering efforts within Latin America, with a notable emphasis on Venezuela. However, Machete’s reach extends globally, with documented activities and targets identified in the United States, Europe, Russia, and parts of Asia. The group consistently targets high-profile organizations, including government institutions, intelligence services, military units, and critical infrastructure providers such as telecommunications and power companies. Analysis of Machete’s operations and malware indicates a strong proficiency in Spanish, with phishing campaigns, payload filenames, and even internal malware code exhibiting Spanish language characteristics, suggesting that both the operators and their primary victims are Spanish speakers.
Machete operates as a highly coordinated and organized group, demonstrating a deep understanding of its targets. Their campaigns are designed for long-term intelligence collection, focusing on sensitive documents, strategic information, and the activities of high-value individuals within targeted organizations. Despite public reporting and the availability of indicators of compromise, Machete has shown a remarkable ability to adapt, maintain activity, and regularly upgrade its tooling and infrastructure.
Tactics & Techniques
Machete’s operational methodology relies heavily on effective social engineering, particularly spearphishing, as its primary initial access vector. The group does not typically exploit zero-day vulnerabilities, instead leveraging carefully crafted lures to trick victims into executing their malware.
Initial compromise often begins with spearphishing emails containing malicious attachments or links. These attachments frequently appear as zipped files with malicious contents, or self-extracting archives that, when opened, run the malware while displaying a decoy document. Machete has been observed embedding malicious macros within these attachments to initiate further downloads. Alternatively, victims may be directed to external servers hosting ZIP and RAR archives through malicious links. In some instances, distribution has occurred via fake blog websites.
Upon execution, Machete employs several techniques for persistence and defense evasion. It creates scheduled tasks to maintain its foothold on compromised systems and has utilized the startup folder for similar purposes. To evade detection and analysis, payloads are often masqueraded as legitimate executables for applications like Google Chrome, Java, Dropbox, Adobe Reader, and Python. Similarly, task names created by the malware can also mimic benign software. The group also employs obfuscation techniques such as pyobfuscate, zlib compression, and base64 encoding, along with visual obfuscation of variable names, to hinder analysis. A notable tactic is the use of genuinely stolen, classified documents as decoys in their spearphishing campaigns, lending credibility to the attack and increasing the likelihood of victim engagement.
For discovery and collection, Machete’s toolset is extensive. It gathers system information, including hostname and MAC address, and detects the insertion of new devices by listening for WM_DEVICECHANGE window messages. The malware can check for running processes, specifically looking for web browsers, and produces file listings to identify documents of interest. Its information-stealing capabilities include logging keystrokes, capturing screenshots, recording audio from microphones, taking webcam pictures, capturing geolocation data, and hijacking clipboard contents. Machete also targets user profile data and stored credentials from popular web browsers such as Chrome and Firefox. Crucially, it steals documents from both fixed and removable drives, showing a particular interest in specialized file types used by geographic information systems (GIS) software, specifically those describing navigation routes and military grids.
Command and Control (C2) communication primarily utilizes FTP, with HTTP serving as a fallback mechanism. Configuration details, including C2 server addresses and credentials, are often read from files like jer.dll. Exfiltration of collected data typically involves AES encryption (though newer versions may only use base64 encoding), with files then uploaded automatically to remote servers via FTP or HTTP. Machete also has the unique capability to copy stolen data to a hidden folder on removable drives if a specific file is present on that drive, serving as an offline exfiltration method. Data exfiltration occurs frequently, with updates to the C2 server every 10 minutes, and stolen files are deleted from the victim’s machine after successful upload.
Notable Campaigns
Machete’s operations have been extensively documented since its discovery. Kaspersky’s Global Research and Analysis Team first reported on the “El Machete” campaign in 2014, noting activity dating back to 2010. This initial report highlighted the group’s Spanish-speaking roots and its focus on cyber espionage.
In 2017, Cylance’s SPEAR team confirmed that Machete remained active, predominantly operating in Latin America, indicating the group’s continued success in bypassing defenses. This demonstrated Machete’s resilience and capacity to adapt its infrastructure and malware.
One of Machete’s most significant and well-documented campaigns was detailed by ESET in 2019. This campaign specifically targeted the Venezuelan military and government institutions, intensifying between March and May 2019. During this period, ESET observed over 50 compromised computers actively communicating with Machete’s command-and-control servers, leading to the weekly exfiltration of gigabytes of confidential military documents. The attackers skillfully blended into regular communications and utilized military jargon specific to Venezuela, often employing previously stolen classified documents as compelling decoys in their spearphishing attempts. The stolen intelligence included critical data related to military grids, positioning, and navigation routes.
More recently, in June 2020, 360 Security Center identified a new Python-based backdoor, Pyark, associated with the group. Additionally, Machete was observed in mid-March (likely around 2020) conducting spear-phishing attacks against financial organizations in Nicaragua, using Word documents titled “Dark plans of the neo-Nazi regime in Ukraine”. These incidents underscore Machete’s ongoing adaptability and evolving targeting priorities.
Associated Malware & Tools
Machete primarily relies on a sophisticated, custom-built, Python-based backdoor also referred to as Machete. This core malware toolset has been continuously refined and extended with new features over the years, maintaining its fundamental capabilities for information theft, including keylogging, screen capture, audio and webcam recording, and comprehensive document stealing from various drives and web browsers. The malware’s modular design, observed since early 2011, allows for flexibility and ease of updates.
Beyond its eponymous backdoor, Machete has been observed using other tools:
- Pyark: A newer Python-based backdoor, discovered in June 2020, suggesting ongoing development and diversification of their malware arsenal.
- LokiBot: This commodity infostealer has also been associated with the group, indicating a willingness to incorporate publicly available or off-the-shelf malware into their operations.
- Living off the Land (LotL): The group also utilizes legitimate system tools and functionalities, a common tactic for remaining stealthy and avoiding detection. This includes the use of batch files and Visual Basic macros for execution and persistence.
The group’s technical choices, such as embedding Python code within Windows executables, while not always offering multi-platform support, simplify development and allow for quick adaptation.
Current Status
Machete remains an active and evolving threat. The group has consistently demonstrated its ability to operate for extended periods, adapt to changing defensive landscapes, and regularly update its malware and command-and-control infrastructure. The MITRE ATT&CK entry for Machete (G0095) was last modified in April 2025, indicating continued relevance and monitoring within the cybersecurity community.
Security researchers, including ESET in 2019, noted that Machete was operating “more strongly than ever,” even after technical descriptions and indicators of compromise were published. This resilience, coupled with the continuous observation of new malware samples and ongoing campaigns, confirms that Machete is a persistent and active cyber espionage actor. Organizations in Latin America and critical sectors globally should remain vigilant to the evolving tactics and techniques employed by this group.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call