Skip to content

Hide Navigation Hide TOC

El Machete (827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3)

El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.

Cluster A Galaxy A Cluster B Galaxy B Level
El Machete (827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3) Threat Actor Machete - APT-C-43 (d0b9840d-efe2-5200-89d1-2f1a37737e30) 360.net Threat Actors 1
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Machete - APT-C-43 (d0b9840d-efe2-5200-89d1-2f1a37737e30) 360.net Threat Actors 2
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
Machete - G0095 (38863958-a201-4ce1-9dbe-539b0b6804e0) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 4
Machete - S0409 (35cd1d01-1ede-44d2-b073-a264d727bc04) Malware Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 4
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 5
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 5
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 5
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 5