Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Machete

🌐Machete

🌐 Machete is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 11 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0095) ↗
14Use cases
0Articles
11Techniques
0IOCs

About this actor (MITRE)

[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(C

Known aliases

MacheteAPT-C-43El Machete

Top techniques

T1036.005 · Match Legitimate Resource Name or LocationT1053.005 · Scheduled TaskT1059.003 · Windows Command Shell

All other tracked techniques

T1059.005 · Visual BasicT1059.006 · PythonT1189 · Drive-by CompromiseT1204.001 · Malicious LinkT1204.002 · Malicious FileT1218.007 · MsiexecT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing Link

Detection use cases (14)

Machete (APT-C-43) PyInstaller-packed RAT extraction in %TEMP%\_MEI* (Pyark/Machete loader) AI · profile SΣ Machete LatAm spearphish: Spanish-lure Office attachment → scripting host → schtasks persistence AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match