Machete

Malware

⚠️ Overview

Machete is a remote access trojan (RAT) and information stealer first documented by ESET researchers in 2014, attributed to a Spanish-speaking threat group suspected of having links to the Venezuelan intelligence apparatus. The malware primarily targets military, diplomatic, and government entities in Latin America, particularly Venezuela, Colombia, Ecuador, and Cuba, for espionage purposes.

🔧 Technical Capabilities

Machete is distributed via spear-phishing emails containing malicious Microsoft Office documents or RAR archives that exploit macro scripting or known vulnerabilities (e.g., CVE-2012-0158) to drop a Delphi-based payload. The RAT establishes command-and-control (C2) communication over HTTP/HTTPS using custom encryption, often exfiltrating stolen credentials, keystrokes, screenshots, microphone recordings, and file contents to attacker-controlled domains. Persistence is achieved by creating scheduled tasks or modifying the Windows registry Run keys, while evasion includes using process injection, anti-debugging checks, and hiding C2 traffic within legitimate-looking HTTP headers.

📜 History & Notable Incidents

First spotted in 2010 according to MITRE ATT&CK (S0409), the group behind Machete—tracked as APT-C-43 by Qi-AnXin and El Machete by ESET—conducted a major campaign in 2015 against Venezuelan military targets, and later expanded operations in 2018–2020 to target Colombian and Ecuadorian government agencies. No law enforcement takedowns have been publicly documented, and the group remains active as of 2024 according to Trend Micro reports.

🔍 Detection Indicators

Known file hashes include SHA-256 5a8c9b3e... (varies per sample) and MD5 hashes associated with early payloads; behavioral indicators include creation of files named ~$*.doc in temp directories, C2 domains ending in .com.co or .net.co, and use of User-Agent strings like Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1). Network IOCs often feature POST requests to /photos/upload.php or /images/ endpoints, and registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values like SecurityUpdate.
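The indicators above can be turned into a simple triage score. The following is an added example, not code from this page or from any vendor's detection product: it runs the page's network and registry indicators over a few constructed proxy log lines and a Run-key entry. The log format, the weights, the alert threshold and the sample hostnames are all assumptions. The User-Agent string in particular is generic old Internet Explorer traffic, so it is weighted so that it never fires on its own; the C2 TLD pattern and the POST upload paths carry the signal.

```python
"""Added example: score constructed telemetry against the Machete indicators
listed on the page. Log format, weights and threshold are assumptions."""
import re
from urllib.parse import urlparse

# Indicators taken from the page text.
C2_TLDS = (".com.co", ".net.co")
UPLOAD_PATHS = ("/photos/upload.php", "/images/")
MACHETE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SecurityUpdate"

# Assumed proxy log format: '<METHOD> <url> "<user-agent>"'.
HTTP_LINE = re.compile(r'^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$')

# Assumed weights: a generic UA alone must not reach the threshold.
ALERT_THRESHOLD = 3


def score_http_line(line):
    """Return (score, reasons) for one log line; (0, []) if it does not parse."""
    m = HTTP_LINE.match(line.strip())
    if not m:
        return 0, []
    score, reasons = 0, []
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    if host.endswith(C2_TLDS):
        score += 2
        reasons.append(f"host {host} ends in a Machete-associated TLD")
    if m.group("method") == "POST" and url.path.startswith(UPLOAD_PATHS):
        score += 2
        reasons.append(f"POST to exfiltration-style path {url.path}")
    if m.group("ua") == MACHETE_UA:
        score += 1
        reasons.append("User-Agent matches Machete samples (weak on its own)")
    return score, reasons


def check_run_entry(key, value_name):
    """True when a Run-key value matches the persistence name from the page."""
    return key.lower() == RUN_KEY.lower() and value_name == RUN_VALUE


def triage(lines, threshold=ALERT_THRESHOLD):
    """Return (line, score, reasons) for every line at or above the threshold."""
    hits = []
    for line in lines:
        score, reasons = score_http_line(line)
        if score >= threshold:
            hits.append((line, score, reasons))
    return hits


# Constructed sample lines; the hostnames are placeholders, not real IOCs.
SAMPLE_LOG = [
    'POST http://update-files.com.co/photos/upload.php "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    'GET http://intranet.example.com/index.html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    'POST http://cdn.example.net/images/logo.png "Mozilla/5.0"',
    'POST http://mail.example.net.co/images/ "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, score, reasons in triage(SAMPLE_LOG):
        print(f"[score {score}] {line}")
        for reason in reasons:
            print("   -", reason)
    print("Run key hit:", check_run_entry(RUN_KEY, RUN_VALUE))
```

With the assumed weights, the first and fourth sample lines alert (the generic-UA intranet request scores 1 and stays quiet, the lone POST to an /images/ path scores 2 and is left for manual review), which is the behaviour a practitioner would want when one of the published indicators is as common as an old IE User-Agent.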

☠️ Risk & Impact

Machete primarily conducts long-term espionage, exfiltrating sensitive diplomatic cables, military plans, and personal credentials, leading to potential operational security breaches for targeted governments. The financial impact is indirect but significant, as compromised intelligence can undermine national security decisions and expose classified information.

🛡️ Mitigation

Defenses include enabling Office macro security settings, deploying endpoint detection and response (EDR) to monitor for process injection and suspicious scheduled tasks, and blocking known Machete C2 domains (Trend Micro threat encyclopedia). Organizations in high-risk sectors should implement phishing awareness training and network traffic analysis to detect exfiltration patterns.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.