G0095: Machete
Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[1][2][3][4]
Analyst context for executives and security teams
Machete matters because ATT&CK describes it as a long-running suspected Spanish-speaking cyber espionage group focused on high-profile organizations, especially in Latin America and Venezuela, with reported targeting of government, intelligence, military, telecommunications, and power-sector entities. For leaders, the decision value is not the name of the group; it is whether the organization can withstand targeted phishing, user-driven execution, Windows backdoor activity, scheduled-task persistence, scripting abuse, and stealthy naming/location choices without losing visibility or incident response time.
Executive priority
Treat this as a targeted-espionage readiness benchmark for organizations with exposure in the regions or sectors named by ATT&CK. Security leaders should ask whether email security, endpoint logging, Windows persistence monitoring, script execution governance, and incident response playbooks produce evidence good enough for executive decisions, regulatory/audit review, and rapid containment. Telecommunications and power organizations should also validate that enterprise compromises cannot quietly bridge into operationally sensitive environments, while avoiding assumptions that this ATT&CK entry proves current exposure or active targeting of any specific organization.
Technical view
ATT&CK provides no official detection text for the group, so defenders should build coverage from the relationship context. Machete is linked to a Windows-focused Python-based backdoor/toolset, plus techniques involving spearphishing attachments and links, drive-by compromise, malicious user execution, Windows command shell, Visual Basic, Python, msiexec proxy execution, scheduled tasks, and resource-name/location masquerading. SOC and IR teams should validate visibility across the full chain: inbound email and web delivery, user click/open events, process creation for cmd.exe, python/python.exe, VB-related execution, msiexec activity, scheduled task creation/modification, suspicious file paths or names that approximate legitimate resources, and endpoint/network evidence associated with the related Machete software where locally available.
Likely telemetry
- Email gateway and mailbox telemetry for spearphishing attachments and links
- Web proxy, DNS, browser, and secure web gateway logs for drive-by or link-based delivery paths
- Endpoint process creation and command-line logging on Windows hosts
- Script/interpreter execution telemetry for Python and Visual Basic activity
- Windows Task Scheduler events and task registration/modification records
Detection direction
- Because no official group detection guidance is supplied, map detections to the related techniques rather than relying on a single group signature.
- Tune phishing detections for targeted attachments and links, but account for false positives from legitimate business documents and routine external collaboration.
- Baseline normal use of Python, Visual Basic, cmd.exe, and msiexec.exe by role and host class; prioritize unusual parent processes, uncommon paths, remote content retrieval, and execution from user-writable locations.
- Monitor scheduled task creation and modification, especially tasks with suspicious names, unusual run paths, encoded or script-heavy actions, or creation soon after email/web delivery events.
- Look for masquerading by comparing file names, directories, and registry/resource locations against expected operating-system and enterprise software baselines.
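The detection directions above, and the process chain listed under the technical view, as an added worked example that is not code from this page or from any of the cited vendors: a small Python scorer run over constructed Sysmon-style events. The hostnames, paths, file names, timestamps, the Office parent list, the interpreter list, the expected-directory table and the 30-minute task correlation window are all assumptions to be tuned against local baselines; nothing here is a Machete indicator taken from ATT&CK.

```python
"""Detection logic for the directions on this page, run over constructed
Sysmon-style events (all hostnames, paths and timestamps are invented)."""
from datetime import datetime, timedelta

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "python.exe", "pythonw.exe", "wscript.exe",
                "cscript.exe", "msiexec.exe"}
# Directories where these Windows binaries are expected; the same file name
# anywhere else is the name/location mismatch described under T1036.005.
EXPECTED_DIRS = {name: ("\\windows\\system32\\", "\\windows\\syswow64\\")
                 for name in ("svchost.exe", "msiexec.exe", "cmd.exe")}
TASK_WINDOW = timedelta(minutes=30)  # assumed correlation window; tune locally


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def score_process(ev):
    """Reasons a process-creation event matches the detection directions."""
    reasons = []
    img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
    expected = EXPECTED_DIRS.get(img)
    if expected and not any(d in ev["image"].lower() for d in expected):
        reasons.append(f"masquerading: {img} outside its expected directory")
    if img not in INTERPRETERS:
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append("interpreter spawned by Office application")
    if in_user_writable(ev["image"]):
        reasons.append("interpreter running from user-writable path")
    if "http://" in cmd or "https://" in cmd:
        reasons.append("remote content referenced on command line")
    if img == "msiexec.exe" and "/q" in cmd and "http" in cmd:
        reasons.append("quiet msiexec install from remote package")
    return reasons


def score_task(task, deliveries):
    """Reasons a task registration is suspicious, including proximity to delivery."""
    reasons = []
    action = task["action"]
    tokens = action.split()
    first = base(tokens[0]) if tokens else ""
    if in_user_writable(action):
        reasons.append("task action in user-writable path")
    if action.lower().endswith((".vbs", ".py", ".bat")) or first in INTERPRETERS:
        reasons.append("script interpreter or script file as task action")
    for d in deliveries:  # same host, registered shortly after an attachment was opened
        gap = task["ts"] - d["ts"]
        if d["host"] == task["host"] and timedelta(0) <= gap <= TASK_WINDOW:
            reasons.append(f"registered {int(gap.total_seconds() // 60)} min after attachment open")
            break
    return reasons


def evaluate(events):
    """Return [(event id, reasons)] for every event with at least one reason."""
    deliveries = [e for e in events if e["type"] == "attachment_open"]
    alerts = []
    for e in events:
        if e["type"] == "process":
            reasons = score_process(e)
        elif e["type"] == "task":
            reasons = score_task(e, deliveries)
        else:
            continue
        if reasons:
            alerts.append((e["id"], reasons))
    return alerts


T0 = datetime(2024, 5, 6, 9, 0)  # constructed timestamp
EVENTS = [  # constructed sample telemetry, not real indicators
    {"id": "e1", "type": "attachment_open", "host": "WS01", "ts": T0, "file": "informe.zip"},
    {"id": "e2", "type": "process", "host": "WS01", "ts": T0 + timedelta(minutes=2),
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"cmd.exe /c cscript %APPDATA%\update.vbs"},
    {"id": "e3", "type": "process", "host": "WS01", "ts": T0 + timedelta(minutes=3),
     "image": r"C:\Users\ana\AppData\Roaming\Python\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "python.exe c.py"},
    {"id": "e4", "type": "process", "host": "WS01", "ts": T0 + timedelta(minutes=4),
     "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec.exe /q /i https://example.invalid/a.msi"},
    {"id": "e5", "type": "task", "host": "WS01", "ts": T0 + timedelta(minutes=5),
     "action": r"C:\Users\ana\AppData\Roaming\Java\jre.exe"},
    {"id": "e6", "type": "process", "host": "WS03", "ts": T0 + timedelta(hours=1),  # benign
     "image": r"C:\Program Files\Python311\python.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "python.exe build.py"},
    {"id": "e7", "type": "process", "host": "WS01", "ts": T0 + timedelta(minutes=6),
     "image": r"C:\Users\Public\svchost.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "svchost.exe"},
    {"id": "e8", "type": "task", "host": "WS02", "ts": T0 + timedelta(hours=2),  # benign
     "action": r"C:\Program Files\Vendor\backup.exe"},
]

if __name__ == "__main__":
    for eid, reasons in evaluate(EVENTS):
        print(eid, "->", "; ".join(reasons))
```

The scorer deliberately reports reasons rather than a single verdict so that the output can be triaged against the false-positive sources named above (legitimate developer use of Python, administrative msiexec installs, routine attachments); the benign events e6 and e8 produce no reasons, and the correlation between the attachment open and the task registration only fires on the same host within the window.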
Mitigation priorities
- Prioritize phishing resilience: attachment/link inspection, user reporting workflows, and rapid takedown or blocking processes for malicious URLs and files.
- Harden endpoint execution paths by controlling script interpreters, restricting unnecessary msiexec usage, and applying least privilege where business operations allow.
- Monitor and govern scheduled tasks as a persistence surface, including administrative review of new or changed tasks on sensitive systems.
- Maintain browser, office-suite, and endpoint patching discipline to reduce exposure to drive-by and user-executed content paths.
- Use application control or allowlisting where feasible for high-risk systems, especially government, telecom, power, or other sensitive environments referenced by the ATT&CK description.
Analyst notes and limits
This take is derived from ATT&CK group G0095, its aliases, official description, external references, and listed relationships. The most actionable context comes from the related Machete software entry and the linked techniques: phishing/link/file execution, drive-by compromise, Windows command shell, Visual Basic, Python, msiexec, scheduled tasks, and masquerading. Local threat modeling should weight this group higher where geography, sector, language, or mission overlap with the ATT&CK description.
ATT&CK supplies no official detection text, no group-level platforms or tactics, and no environment-specific indicators in the provided fields. The relationship set supports defensive planning but does not prove current activity, attribution against a given victim, or detection coverage. Organizations need their own telemetry, asset inventory, exposure data, and incident evidence to determine relevance and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | User Execution: Malicious File | Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware. [1][2][3][4] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives. [1][3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Machete has used batch files to initiate additional downloads of malicious files. [4] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Machete has embedded malicious macros within spearphishing attachments to download additional files. [4] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | |
| Enterprise | T1204.001 | User Execution: Malicious Link | Machete has relied on users opening malicious links delivered through spearphishing to execute malware. [1][2][3] |
| Enterprise | T1189 | Drive-by Compromise | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Machete has delivered spearphishing emails that contain a zipped file with malicious contents. [2][3][4] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | |
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where multiple ATT&CK source imports are retained, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 327dac98c1f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash, and the raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylance Machete Mar 2017: The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- [2] Securelist Machete Aug 2014: Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- [3] ESET Machete July 2019: ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
- [4] 360 Machete Sep 2020: kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
- [5] APT-C-43 (associated group name; citation: 360 Machete Sep 2020)
- [6] El Machete (associated group name; citation: Cylance Machete Mar 2017)
- [7] Machete (associated group name; citations: Securelist Machete Aug 2014, ESET Machete July 2019)
- [8] mitre-attack G0095 (external ID)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.