El Machete (827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3)

El Machete is one of those threats that was first publicly disclosed and named by Kaspersky. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| El Machete (827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3) | Threat Actor | Machete - APT-C-43 (d0b9840d-efe2-5200-89d1-2f1a37737e30) | 360.net Threat Actors | 1 |
| Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | Machete - APT-C-43 (d0b9840d-efe2-5200-89d1-2f1a37737e30) | 360.net Threat Actors | 2 |
| Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) | Intrusion Set | 3 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 4 |
| Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 4 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 4 |
| Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 4 |
| Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 4 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 4 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 4 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 4 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 4 |
| Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | 4 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) | Attack Pattern | 4 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 4 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | 4 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 4 |
| Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 4 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) | Attack Pattern | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) | Attack Pattern | 4 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Wi-Fi Discovery - T1016.002 (494ab9f0-36e0-4b06-b10d-57285b040a06) | Attack Pattern | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 4 |
| Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) | Attack Pattern | 4 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) | Attack Pattern | Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | 4 |
| Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) | Malware | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 4 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 4 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | 4 |
| Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | 4 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 5 |
| File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 5 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 5 |
| Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 5 |
| Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) | Attack Pattern | Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | 5 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 5 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 5 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 5 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 5 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 5 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 5 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 5 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 5 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 5 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | Wi-Fi Discovery - T1016.002 (494ab9f0-36e0-4b06-b10d-57285b040a06) | Attack Pattern | 5 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 5 |
| Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) | Attack Pattern | Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) | Attack Pattern | 5 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 5 |