ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: El Machete

Names: El Machete (Kaspersky), TEMP.Andromeda (FireEye), APT-C-43 (Qihoo 360), ATK 97 (Thales), TAG-NS1 (?)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2010
Description: (Kaspersky) “Machete” is a targeted attack campaign with Spanish-speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may still be “active”.

The malware is distributed via social engineering techniques, which include spear-phishing emails and infections via the Web by a fake blog website. We have found no evidence of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.

In some cases, such as Russia, the target appears to be an embassy from one of the countries of this list.
Observed: Sectors: Defense, Education, Embassies, Energy, Government, Telecommunications.
Countries: Argentina, Belgium, Bolivia, Brazil, Canada, China, Colombia, Cuba, Dominican Republic, Ecuador, France, Germany, Guatemala, Malaysia, Mexico, Nicaragua, Peru, Russia, South Korea, Spain, Sweden, UK, Ukraine, USA, Venezuela and others.
Tools used: Machete, Pyark, Living off the Land.
Operations performed:
Mar 2017: We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.
<https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html>
Mar 2019: From the end of March up until the end of May 2019, ESET researchers observed that there were more than 50 victimized computers actively communicating with the C&C server. This amounts to gigabytes of data being uploaded every week.
<https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/>
Jun 2020: Operation “HpReact”
In June 2020, 360 Security Center's fileless-attack protection function discovered Pyark, a new backdoor written in Python.
<https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/>
Information: <https://securelist.com/el-machete/66108/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0095/>

Last change to this card: 19 October 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency