S0409: Machete
Analyst context for executives and security teams
Machete is a Windows-focused, Python-based backdoor/toolset associated in ATT&CK with cyber espionage activity. Its decision value is not a single malware signature; it is the operating pattern shown by its ATT&CK relationships: discovery, collection, staging, command-and-control, scheduled execution, removable-media collection/exfiltration, and credential-risk behaviors such as keylogging. For leaders, this matters most where sensitive documents, government or regulated data, military/telecom-style operations, or disconnected/USB-dependent environments are business-critical.
Executive priority
Treat Machete as a coverage-validation scenario for espionage-style data theft on Windows endpoints. Priority questions: Can the organization prove it monitors Python/script execution, suspicious scheduled tasks, data staging, removable media activity, and outbound web/file-transfer channels? Are USB and sensitive-data controls auditable? Can IR teams reconstruct what was collected and exfiltrated if a backdoor used fallback C2 or scheduled transfers? This is especially relevant to resilience, compliance evidence, and cyber-physical/air-gapped risk where removable media is part of operations.
Technical view
ATT&CK lists Machete as a Python-based Windows backdoor used by group G0095. No official detection guidance is provided, so defenders should validate coverage against the related techniques rather than depend on a named-malware rule. Key validation areas include Python execution on Windows, scheduled task creation or masquerading, application/process/system/network/Wi-Fi discovery, local and removable-media data collection, local staging, file deletion, command obfuscation, packed software, web and file-transfer C2, fallback channels, and exfiltration over C2, scheduled transfer, or USB.
Likely telemetry
- Windows endpoint process creation and command-line/script execution logs, especially Python-related execution
- Scheduled task creation, modification, execution, names, descriptions, and parent processes
- File system activity showing collection, staging directories, unusual file access, and deletion
- Removable media and USB connection, file access, and data movement records
- Network telemetry for outbound web protocols and file-transfer protocols such as FTP where collected
Detection direction
- Build detections around behavior clusters: Python execution plus discovery plus staging or outbound transfer is higher value than any one event alone.
- Review scheduled tasks for suspicious naming, masquerading, unusual locations, unexpected interpreters, or recurrence patterns aligned to scheduled transfer behavior.
- Correlate removable media activity with sensitive file access and outbound network transfer, especially in environments that rely on USB for operational workflows.
- Tune web and file-transfer protocol monitoring to identify unusual destinations, timing, volume, or hosts, while accounting for legitimate administrative and business file movement.
- Hunt for local staging followed by file deletion, since cleanup can reduce forensic visibility.
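The behaviour-cluster logic above, as an added example that is not part of this page or of ATT&CK or Glexia: it correlates Python execution, task names borrowing the vendor names Machete is reported to mimic, outbound FTP/HTTP, and a 10-minute transfer cadence per host. Event fields, host names and sample events are constructed; map them to your own telemetry.

```python
"""Behaviour-cluster correlation for the Machete pattern above. Added example, not
code from the page, ATT&CK or Glexia; event format and sample events are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, host, kind, detail); not real telemetry.
EVENTS = [
    ("2024-01-10T09:00:00", "WS01", "process", r"C:\Users\a\AppData\Local\py\python.exe"),
    ("2024-01-10T09:00:05", "WS01", "task_create", "GoogleUpdateTaskMachine"),
    ("2024-01-10T09:10:00", "WS01", "net_out", "ftp 203.0.113.5:21"),
    ("2024-01-10T09:20:00", "WS01", "net_out", "ftp 203.0.113.5:21"),
    ("2024-01-10T09:30:00", "WS01", "net_out", "ftp 203.0.113.5:21"),
    ("2024-01-10T09:40:00", "WS01", "net_out", "ftp 203.0.113.5:21"),
    ("2024-01-10T11:00:00", "WS02", "process", r"C:\Python311\python.exe"),  # admin use
    ("2024-01-10T11:05:00", "WS02", "net_out", "https 198.51.100.7:443"),
]
# Vendors whose task names the page says Machete mimics; legitimate tasks use them
# too, so a match is only one signal in the cluster, never an alert on its own.
MASQ_WORDS = ("google", "chrome", "java", "dropbox", "adobe", "python")

def periodic(times, period=600, tol=30):
    """True if at least three consecutive gaps all sit within tol seconds of
    period (the page's 10-minute scheduled transfer is the default)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(gaps) >= 3 and all(abs(g - period) <= tol for g in gaps)

def score_hosts(events, window_s=3600):
    """Return {host: labels} for hosts with Python execution plus at least two
    further Machete-style signals inside window_s of that execution."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    hits = {}
    for host, evs in by_host.items():
        start = next((t for t, k, d in evs if k == "process" and "python" in d.lower()), None)
        if start is None:
            continue
        win = [e for e in evs if 0 <= (e[0] - start).total_seconds() <= window_s]
        labels = {"python_exec"}
        if any(k == "task_create" and any(w in d.lower() for w in MASQ_WORDS) for _, k, d in win):
            labels.add("masquerading_task")
        out = [t for t, k, d in win if k == "net_out" and d.startswith(("ftp", "http"))]
        if out:
            labels.add("web_or_ftp_c2")
        if periodic(out):
            labels.add("scheduled_transfer")
        if len(labels) >= 3:  # python alone, or python + one signal, stays below threshold
            hits[host] = labels
    return hits
```

WS02 (Python plus a single HTTPS connection) stays below the threshold, which is the point of clustering: approved Python use with ordinary network traffic should not page anyone.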
Mitigation priorities
- Prioritize endpoint visibility on Windows systems: process, script, scheduled task, file, removable media, and network telemetry.
- Restrict and monitor unauthorized Python/script execution where business use does not require it.
- Govern scheduled tasks with change control, logging, and review of task names, paths, and run contexts.
- Apply least-privilege and data access controls to reduce the value of local collection and keylogging-derived credentials.
- Control removable media use with policy, logging, and approval workflows, especially for sensitive or operational networks.
Analyst notes and limits
The supplied ATT&CK object identifies Machete as a Python-based Windows backdoor/toolset first observed in 2010 and used by the Machete group. The most useful defensive interpretation comes from the listed relationships to techniques spanning collection, discovery, command-and-control, execution, persistence, stealth, credential access, and exfiltration.
Official ATT&CK detection is not provided, and the object itself has no specified tactics, aliases, or labels. This take does not include indicators of compromise, active exploitation claims, or environment-specific exposure. Local telemetry, asset criticality, data flows, and approved USB/Python usage are required to determine actual risk and detection quality.
Machete
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Machete's downloaded data is decrypted using AES. (Citation: ESET Machete July 2019) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Machete has used AES to exfiltrate documents. (Citation: ESET Machete July 2019) |
| Enterprise | T1552.004 | Private Keys Sub-technique | Machete has scanned and looked for cryptographic keys and certificate file extensions. (Citation: ESET Machete July 2019) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Machete's collected data is exfiltrated over the same channel used for C2. (Citation: ESET Machete July 2019) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Once a file is uploaded, Machete will delete it from the machine. (Citation: ESET Machete July 2019) |
| Enterprise | T1057 | Process Discovery | Machete has a component to check for running processes to look for web browsers. (Citation: ESET Machete July 2019) |
| Enterprise | T1125 | Video Capture | Machete takes photos from the computer's web camera. (Citation: Securelist Machete Aug 2014; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Machete has been packed with NSIS. (Citation: ESET Machete July 2019) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | The different components of Machete are executed by Windows Task Scheduler. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014) |
| Enterprise | T1217 | Browser Information Discovery | Machete retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers. (Citation: ESET Machete July 2019) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Machete collects stored credentials from several web browsers. (Citation: ESET Machete July 2019) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Machete has used base64 encoding. (Citation: Securelist Machete Aug 2014) |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | Machete uses FTP for Command & Control. (Citation: ESET Machete July 2019; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Machete collects the MAC address of the target computer and other network configuration information. (Citation: ESET Machete July 2019; 360 Machete Sep 2020) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks. (Citation: ESET Machete July 2019) |
| Enterprise | T1020 | Automated Exfiltration | Machete's collected files are exfiltrated automatically to remote servers. (Citation: ESET Machete July 2019) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014) |
| Enterprise | T1029 | Scheduled Transfer | Machete sends stolen data to the C2 server every 10 minutes. (Citation: ESET Machete July 2019) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Machete stores files and logs in a folder on the local drive. (Citation: ESET Machete July 2019; Cylance Machete Mar 2017) |
| Enterprise | T1115 | Clipboard Data | Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Machete used the startup folder for persistence. (Citation: Securelist Machete Aug 2014; Cylance Machete Mar 2017) |
| Enterprise | T1123 | Audio Capture | Machete captures audio from the computer's microphone. (Citation: Securelist Machete Aug 2014; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Machete uses HTTP for Command & Control. (Citation: ESET Machete July 2019; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1010 | Application Window Discovery | Machete saves the window names. (Citation: ESET Machete July 2019) |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | Machete's collected data is encrypted with AES before exfiltration. (Citation: ESET Machete July 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | Machete can download additional files for execution on the victim's machine. (Citation: ESET Machete July 2019) |
| Enterprise | T1025 | Data from Removable Media | Machete can find, encrypt, and upload files from fixed and removable drives. (Citation: Cylance Machete Mar 2017; ESET Machete July 2019) |
| Enterprise | T1052.001 | Exfiltration over USB Sub-technique | Machete has a feature to copy files from every drive onto a removable drive in a hidden folder. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Machete has used TLS-encrypted FTP to exfiltrate data. (Citation: Cylance Machete Mar 2017) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Machete logs keystrokes from the victim's machine. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1016.002 | Wi-Fi Discovery Sub-technique | Machete uses the |
| Enterprise | T1120 | Peripheral Device Discovery | Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message. (Citation: ESET Machete July 2019) |
| Enterprise | T1005 | Data from Local System | Machete searches the file system for files of interest. (Citation: ESET Machete July 2019) |
| Enterprise | T1008 | Fallback Channels | Machete has sent data over HTTP if FTP failed, and has also used a fallback server. (Citation: ESET Machete July 2019) |
| Enterprise | T1560 | Archive Collected Data | Machete stores zipped files with profile data from installed web browsers. (Citation: ESET Machete July 2019) |
| Enterprise | T1059.006 | Python Sub-technique | Machete is written in Python and is used in conjunction with additional Python scripts. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014; 360 Machete Sep 2020) |
| Enterprise | T1083 | File and Directory Discovery | Machete produces file listings in order to search for files to be exfiltrated. (Citation: ESET Machete July 2019; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1082 | System Information Discovery | Machete collects the hostname of the target computer. (Citation: ESET Machete July 2019) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive. (Citation: ESET Machete July 2019) |
| Enterprise | T1113 | Screen Capture | Machete captures screenshots. (Citation: ESET Machete July 2019; Securelist Machete Aug 2014; Cylance Machete Mar 2017; 360 Machete Sep 2020) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | |
Groups, software, and campaigns
G0095: Machete
Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 602a1fb25b19… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Machete July 2019: ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
[2] Securelist Machete Aug 2014: Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
[3] 360 Machete Sep 2020: kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
[4] Machete (Citation: Securelist Machete Aug 2014)
[5] Pyark (Citation: 360 Machete Sep 2020)
[6] mitre-attack S0409
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.