active threat profile
type: Nation-State
threat_level: High
status: Active
origin: Venezuela — state-linked (assessed)
mitre: G0095
last_updated: 2026-03-27

Machete

also known as: El Machete, APT-C-43, Ragua, Arkantos, Live Control. MITRE: G0095

One of Latin America's longest-running espionage campaigns, active since at least 2010, with tooling updates documented through 2019 and renewed campaign activity observed in 2022. Machete is assessed as a Spanish-speaking group with roots in Latin America, focused heavily on Venezuelan military targets alongside neighboring governments, intelligence services, and diplomatic missions. The group is distinguished by an unusual collection priority: alongside standard document theft, Machete specifically seeks out GIS (geographic information system) files, likely to obtain military navigation routes, positioning data, and grid coordinates that describe how Venezuelan armed forces move and operate. By 2019 the group was exfiltrating gigabytes of confidential documents each week from more than 50 simultaneously compromised machines.

attributed origin: Venezuela — Spanish-speaking, Latin American roots (assessed)
mitre group id: G0095 (Machete)
active since: At least 2010 (infrastructure compilation dates from 2008)
primary motivation: Military and government intelligence collection
defining capability: GIS / military grid file targeting — navigation and positioning intelligence
primary targets: Venezuelan military, neighboring governments
peak exfiltration: Gigabytes per week from 50+ active C2 connections (ESET, March–May 2019)
primary tool: Python-based backdoor (Trojan-Spy.Python.Ragua)
current status: ACTIVE — continued infrastructure and campaign activity

Overview

Machete is one of the most enduring cyber espionage operations documented in Latin America, with a continuous operational history spanning more than fifteen years. Kaspersky first publicly disclosed the campaign in August 2014, tracing activity back to 2010 and noting infrastructure compilation dates as early as 2008 — making Machete one of the longest-running known espionage actors in the region by any measure. Despite multiple public disclosures of its tools, infrastructure, and indicators of compromise by Kaspersky (2014), Cylance (2017), and ESET (2019), the group has continued operating with relatively minimal disruption, adapting its malware and infrastructure in response to each exposure while maintaining the same core targeting model.

The group's Spanish-language artifacts — embedded in source code, decoy documents, and campaign materials — indicate that the operators are native Spanish speakers. The Venezuelan attribution in this profile is an assessment. It rests on the group's consistent focus on Venezuelan government and military targets as its primary collection priority, its use of authentic Venezuelan military documents (including classified radiogramas and personnel assignment files) as lures, and a command of Venezuelan military jargon and communication etiquette that points to insider access or very close operational familiarity with the target environment. The APT-C-43 designation in Chinese threat intelligence reporting, which describes the group as stealing Venezuelan military secrets to provide intelligence support, is consistent with that assessment, though it establishes the target set rather than the sponsor.

What distinguishes Machete from generic government espionage actors is its documented collection priority for geographic information system (GIS) files. Alongside standard office document and credential theft, Machete's malware specifically targets file extensions associated with GIS software — navigation route files, military grid formats, positioning data, and mapping files. This collection profile suggests the group's controllers are specifically interested in how Venezuelan armed forces navigate and position themselves: information of direct value to a state-level intelligence program tracking its own military's operational patterns and capabilities, or monitoring adversarial military movements. ESET researchers characterized this as indicating interest in files describing navigation routes and positioning using military grids.

The group's spearphishing tradecraft is particularly refined. Machete operators conduct deep reconnaissance on each target before sending any phishing communication, tailoring lure content, subject lines, and attachments to the specific individual and their role. In some cases, documents stolen from one victim are repurposed as lures against others on the same day they were stolen; ESET documented this same-day recycling more than once, with classified documents dated the same day as the phishing delivery. The practice makes such lures very hard for recipients to distinguish from legitimate correspondence unless they know that a prior compromise has occurred.

In March 2022, Check Point Research documented Machete exploiting the Russia-Ukraine war as a lure theme — sending spearphishing emails with a Word document titled "Dark plans of the neo-Nazi regime in Ukraine" to financial organizations in Nicaragua and government entities in Venezuela. This confirmed the group remained actively operational years after its most detailed public exposure, adapting geopolitical cover themes while maintaining the same underlying Python-based malware infrastructure with relatively minor modifications.

Target Profile

Machete's targeting is tightly focused on Latin American military, government, intelligence, and diplomatic organizations, with Venezuela as the consistent primary country. All documented campaigns show a deep familiarity with the target environment suggesting long-term, sustained intelligence collection rather than opportunistic compromise.

  • Venezuelan Military (primary, highest priority): The Venezuelan armed forces — across multiple branches — are Machete's defining target. In ESET's 2019 investigation, over half of all compromised machines were part of the Venezuelan military specifically. The group's use of authentic Venezuelan military communication formats (radiogramas), correct military jargon, and rank-appropriate lure content demonstrates extensive prior intelligence collection enabling increasingly convincing spearphishing. The specific targeting of GIS files points to an interest in military operational positioning and navigation data.
  • Venezuelan Government Institutions: Beyond the military, Venezuelan foreign affairs, police, education, and other government sectors have been targeted. In 2019, over 75 percent of all compromised machines across Machete campaigns were Venezuelan government organizations of some kind. The scope of penetration across multiple government sectors in a single country suggests a sustained, comprehensive intelligence collection effort rather than targeted surgical strikes.
  • Ecuadorean Military: Ecuador's military has been the second most heavily targeted organization in multiple Machete campaign waves, accounting for approximately 16 percent of observed infections in 2019. The targeting of both Venezuelan and Ecuadorean military institutions simultaneously suggests intelligence requirements that span the broader Andean military balance.
  • Intelligence Services and Government Institutions — Regional: Colombia (7%), Nicaragua (2%), and broader Latin American government organizations have all appeared in Machete victim lists across multiple reporting periods. Cylance's 2017 analysis documented victims in Argentina, Bolivia, Cuba, the Dominican Republic, Guatemala, Mexico, and Nicaragua alongside the core Venezuela/Ecuador/Colombia targets.
  • Embassies of Latin American Countries: In Russia and other non-Latin American countries, Machete targets appear to be embassies or diplomatic missions of Spanish-speaking Latin American countries rather than the host country's government itself — maintaining geographic focus on Venezuelan and neighboring state targets regardless of where individual diplomats are stationed.
  • Financial Institutions (2022 expansion): Check Point Research's 2022 documentation of Machete activity showed the group targeting financial organizations in Nicaragua — an expansion beyond its traditional government/military focus, likely driven by the financial sector's role in economic intelligence relevant to sanctions-affected Venezuela and its regional relationships.
  • Telecommunications and Power Companies: MITRE ATT&CK and multiple vendor analyses document Machete targeting utilities and telecommunications providers as part of its broader government/critical sector targeting profile.

Tactics, Techniques & Procedures

Machete's TTP set is characterized by social engineering sophistication rather than technical exploit complexity. The group has never been documented using zero-day vulnerabilities — its success comes from the quality of its lures, the depth of target reconnaissance, and the persistent refinement of its Python-based toolset in response to each public exposure.

mitre id | technique | description
T1566.001 | Spear-Phishing — Attachment | The exclusive initial access method across all documented Machete campaigns. Emails are individually crafted for each target using authentic military terminology, rank-appropriate formatting, and Venezuelan/regional military communication conventions. Attachments are compressed self-extracting archives (RAR/ZIP/SCR), malicious Word documents with macro payloads, or PowerPoint files, each running the Machete Python backdoor on execution while displaying a legitimate decoy document. Stolen documents from previous victims are repurposed as lures, sometimes on the same day they were exfiltrated, making the lures indistinguishable from legitimate communications for recipients who are unaware of the prior compromise.
T1566.002 | Spear-Phishing — Link | Some campaigns deliver malware via links to externally hosted archives rather than direct attachments, using free web hosting services (Hostinger) and dynamic DNS providers (No-IP) to host payloads. Fake blog websites have also been used as infection vectors: users are directed to pages that appear to offer relevant political or military content but silently deliver the Machete downloader.
T1059.006 | Command and Scripting — Python | Machete's backdoor is written in Python and compiled into Windows executables using PyInstaller or similar tools, embedding the needed Python runtime and libraries within the installer. This produces large executables (over 3 MB) but gives the group rapid development capability and ease of modification. The malware is obfuscated using base64 encoding and various XOR encoding schemes. The Python-based architecture has been the group's consistent technical choice since initial discovery, updated with new features across multiple generations documented by Kaspersky (2014), Cylance (2017), and ESET (2018–2019).
T1056.001 | Input Capture — Keylogging | A dedicated keylogger runs as a separate process and script, recording all keystrokes on compromised systems. The keylogger uses the Python interpreter (ReaderSetting.exe) to run a separate script (SearchAdobeReader). This provides credential harvesting and the ability to monitor communications typed by the user of a compromised system. In the 2022 campaign documented by Check Point Research, keylogging was one of the primary documented malware capabilities alongside screenshotting.
T1113 | Screen Capture | The Machete backdoor takes screenshots of the compromised system at regular intervals, giving the operators visual confirmation of what the target is working on, which documents are open, and what communications are visible on screen. Screenshots are uploaded to C2 infrastructure alongside keystroke logs and collected files.
T1005 / T1025 | Data from Local System / Removable Media | The Machete backdoor collects files from fixed drives and removable media matching a predefined extension list. Targeted extensions include standard office documents (.doc, .docx, .pdf, .xlsx, .xls, .ppt, .pptx), compressed archives (.rar, .zip), ODF formats (.odt, .ott, .ods, .ots, .odp, .odm), and, most distinctively, GIS file formats associated with military navigation software. PGP/GPG encrypted files and private key rings are also specifically targeted, potentially to reach otherwise-encrypted communications or credentials held under PGP protection. Files are AES-CBC encrypted with a static key before upload.
T1115 | Clipboard Data | The malware reads and exfiltrates clipboard contents, capturing text copied by the user, including passwords, credentials, and document content that the keylogger would not otherwise record. Check Point Research's 2022 analysis documented clipboard collection alongside keylogging, confirming this capability persisted in updated versions of the malware.
T1041 | Exfiltration Over C2 Channel | Collected files are AES-CBC encrypted with a predefined static key before upload to C2 infrastructure. Dynamic DNS domains (No-IP) are used for C2 to maintain resilience against IP-based blocking. The group has used free hosting services (Hostinger) and Taiwan-based servers for infrastructure, with C2 domains reused across multiple campaigns, which provides attribution anchors. In the March–May 2019 campaign observed by ESET, Machete was exfiltrating gigabytes of confidential material each week from the active compromised machine pool.

GIS file targeting — military navigation intelligence

Machete's specific targeting of geographic information system files — navigation routes, military grid formats, positioning data — is its defining intelligence collection signature and a key indicator of state intelligence sponsorship. Standard espionage actors target documents, credentials, and communications. An actor that additionally targets GIS files describing how armed forces navigate and position themselves is serving an intelligence client that wants to understand military operational patterns, movement corridors, and positional data — the kind of requirement that only a state-level consumer of military intelligence would have. This distinguishes Machete from criminal actors using similar tooling.

Known Campaigns

Machete has operated continuously for over fifteen years, with key public disclosures documenting specific campaign waves rather than distinct operations. Each disclosure triggered tool and infrastructure changes while the core espionage mission continued uninterrupted.

Initial Discovery — Latin American Espionage Campaign 2010–2014 (disclosed August 2014)

Kaspersky's August 2014 disclosure was the first public documentation of Machete, identifying 778 victims across Venezuela, Ecuador, Colombia, Peru, Russia, Cuba, and Spain. The group had been active since 2010 with infrastructure compilation dates extending to 2008. Kaspersky noted the attackers appeared to be Spanish-speaking Latin Americans based on language artifacts. No zero-day exploits were used — all access was through social engineering and malware. Primary targets included intelligence services, military, embassies, and government institutions. The malware used Python-embedded executables, a technical choice Kaspersky noted as unusual and not offering attackers any particular advantage over other approaches — consistent with a developer community where Python fluency was the practical tool of choice rather than a deliberate technical decision.

Resurgence — 300+ Victims, 100GB+ Exfiltrated 2017

Cylance's SPEAR Team documented a significant resurgence in Machete activity, identifying over 300 unique victims in Latin America over a single month-long monitoring period and over 100GB of exfiltrated data stored on a command and control server. Victims were primarily in Argentina, Colombia, Ecuador, Peru, and Venezuela, with broader coverage across Bolivia, Cuba, the Dominican Republic, Guatemala, Mexico, and Nicaragua. Outside Latin America, victims in Canada, England, Germany, Korea, Russia, Ukraine, and the United States were also identified — primarily embassies or foreign postings of Latin American government personnel. Cylance documented the group's use of NSIS self-extracting archives, free dynamic DNS domains, Hostinger cheap web hosting for payload delivery, and AES-CBC encryption for exfiltration. Cylance noted with concern that Machete had continued operating largely unimpeded despite multiple rounds of public IOC disclosure, with antivirus detection rates for current samples remaining very low.

Operation Sharpened Machete — Venezuelan Military Focus March–May 2019 (disclosed August 2019)

ESET's investigation documented the most detailed picture of Machete operations to date, monitoring the group between March and May 2019 as it actively compromised over 50 machines simultaneously, exfiltrating gigabytes of confidential documents each week. Venezuela dominated the victim geography at 75 percent, with Ecuador (16%), Colombia (7%), and Nicaragua (2%) following. Over half of all compromised machines belonged to the Venezuelan military specifically, with others in Venezuelan police, education, and foreign affairs. ESET highlighted the group's use of authentic stolen documents as same-day lures — documents marked classified and dated May 21, 2019 were bundled with malware and used as phishing attachments on the same day — demonstrating very rapid intelligence-to-operations cycling. ESET also confirmed the GIS file targeting, identifying military navigation and grid format files as a distinct collection priority. The malware used since April 2018 was a new Python version with extended capabilities compared to versions documented in previous analyses.

Ukraine War Lure Campaign — Nicaragua and Venezuela March 2022

Check Point Research documented Machete exploiting the Russia-Ukraine war as a lure theme in March 2022 — weeks after Russia's full-scale invasion began. The group sent spearphishing emails to financial organizations in Nicaragua and government entities in Venezuela using a Word document titled "Dark plans of the neo-Nazi regime in Ukraine," attributed to the Russian Ambassador to Nicaragua, Alexander Khokholikov. The document contained malicious macros delivering an updated Machete payload (JavaOracle.msi) with a hardcoded tag of "Foo_Fighters_Everlong." The Adobe malware component used the tag "Utopiya_Nyusha_Maksim," which Machete had used since 2020 — confirming operational continuity. The campaign demonstrated the group's rapid adaptation of geopolitical cover themes while maintaining the same underlying Python malware infrastructure with minor modifications, confirming continued active operation years after each prior disclosure.

Tools & Malware

Machete's toolset is centered on a single continuously developed Python-based implant, with delivery mechanisms and infrastructure adapted in response to each public exposure. The group's technical sophistication is moderate — its effectiveness derives from social engineering quality rather than exploit complexity.

  • Machete Python Backdoor (Trojan-Spy.Python.Ragua): The group's primary and defining tool across all documented campaigns. A Python-based remote access and data collection implant compiled into Windows executables via PyInstaller, embedding all necessary Python libraries. Capabilities include keylogging (via dedicated subprocess), screenshotting, clipboard collection, file enumeration and collection from fixed and removable drives (targeting office documents, GIS files, PGP keys, and other defined extensions), browser credential theft (Chrome and Firefox), file upload/download, and remote command execution. AES-CBC encryption with a static key is used for C2 communication. Configuration files are obfuscated with XOR encoding schemes. The malware disguises itself as Google or Adobe applications on compromised systems.
  • JavaOracle.msi / Adobe Malware Component (2022 variants): Updated delivery mechanisms documented by Check Point Research in 2022. JavaOracle.msi serves as the MSI-based dropper, while separate Python script components handle specific collection functions. Hardcoded campaign tags ("Foo_Fighters_Everlong" in the 2022 wave; "Utopiya_Nyusha_Maksim" used since 2020) are embedded in the malware, providing attribution anchors for researchers tracking campaign continuity. Each Python script file is base64-obfuscated.
  • NSIS Self-Extracting Archives: Nullsoft Installer self-extracting archives (.exe/.scr) were the primary delivery mechanism documented in earlier campaigns. NSIS's support for several compression routines (ZLib, BZip2, LZMA) means the embedded payload is not visible to naive static inspection until the archive is unpacked. Compilation dates of NSIS installers have been traced back to 2008 in forensic analysis, establishing the earliest known Machete infrastructure date.
  • Malicious Office Documents (Word Macros): Macro-enabled Word documents are the delivery vector documented in 2022 campaigns. Documents are crafted to appear as legitimate government or news content, with macros executing the Machete downloader chain on opening. Check Point Research documented the use of Russia-Ukraine war-themed documents as lures for this delivery method.
  • Dynamic DNS Infrastructure (No-IP): Machete consistently uses free dynamic DNS providers — particularly No-IP — for C2 domains. This provides resilience against IP-based blocking and allows rapid C2 infrastructure rotation without incurring hosting costs. The free domain services also blend with legitimate use of dynamic DNS by small organizations, slightly reducing the anomaly signal of such traffic on monitoring systems.

Indicators of Compromise

Machete regularly rotates infrastructure in response to public disclosures. The behavioral indicators below are more durable than specific domains or IP addresses, which change across campaign waves.

malware behavioral indicators
process: ReaderSetting.exe — Python interpreter used to run the keylogger subprocess (SearchAdobeReader)
disguise: Malware presents as a Google or Adobe application on compromised systems
tag (2020+): Utopiya_Nyusha_Maksim — hardcoded C2 communication tag used from 2020 onward
tag (2022): Foo_Fighters_Everlong — hardcoded campaign tag in the 2022 JavaOracle.msi variant
file targets: GIS file format extensions targeted alongside .doc/.pdf/.xlsx/.odt/.rar/.zip
file targets: PGP/GPG encrypted files and private key rings specifically collected
exfil: AES-CBC encryption with a static key applied to files before upload to C2
c2 pattern: Dynamic DNS (No-IP, including hopto.org) domains for C2; free hosting (Hostinger) for payload delivery
historical c2 domains (Cylance 2017 — rotate frequently)
domain: jristr.hopto[.]org — documented C2 domain (historical)
pattern: *.hopto[.]org / *.zapto[.]org / *.no-ip[.]biz — No-IP subdomain patterns used across campaigns
note: C2 infrastructure is rotated after each public disclosure; historical domains have limited current value

Mitigation & Defense

Machete's exclusive reliance on social engineering rather than technical exploits means that no amount of patch management eliminates the threat. Defense must focus on spearphishing detection, email security, and user awareness — particularly for organizations in Venezuelan and Latin American government and military sectors.

  • Implement advanced email security with macro blocking: All documented Machete initial access is through email-delivered malware. Email security gateways that sandbox attachments, block macro-enabled Office documents from external senders, and detect compressed archive payloads (RAR/ZIP/SCR containing executables) provide the primary defensive layer. Microsoft's Attack Surface Reduction rule that blocks Office applications from creating child processes directly addresses the 2022 Word macro delivery method. Office's default blocking of macros in files marked as downloaded from the internet helps as well, but only where that mark survives: archive-delivered attachments do not reliably carry it, so the gateway controls still matter.
  • Deploy user security awareness training focused on military/government lures: Machete's lures are tailored to use authentic Venezuelan military communication formats, jargon, and rank conventions. Training personnel to recognize that even highly authentic-looking communications from known senders could be compromised-account phishing is essential — particularly given the group's practice of using documents stolen from other compromised victims as same-day lures.
  • Monitor for Python interpreter processes in unexpected contexts: Machete's backdoor runs via Python interpreters (ReaderSetting.exe, the compiled PyInstaller executable) in locations and contexts where Python is not a normal business application. EDR alerting on Python interpreter execution from user profile directories, temp folders, or disguised as Adobe/Google applications provides detection capability for the implant regardless of which campaign variant is present.
  • Alert on large-volume file collection of GIS extensions: Machete specifically targets GIS file formats. Data loss prevention (DLP) rules and EDR file access monitoring that alert on bulk enumeration and access of GIS format files — particularly combined with access to military grid or navigation format files — can detect Machete collection activity even when the initial access goes undetected.
  • Block or monitor No-IP and free dynamic DNS outbound traffic: Machete consistently uses No-IP and similar free dynamic DNS services for C2. Organizations with no legitimate business use of free dynamic DNS domains should consider blocking outbound connections to No-IP domain name spaces (*.hopto.org, *.zapto.org, *.no-ip.biz, etc.) or alerting on such connections as anomalous. This disrupts C2 communication even when the specific domain is not known in advance.
  • Implement document metadata validation and DLP policies: The group recycles stolen documents as lures. Organizations that regularly handle classified or sensitive documents should implement controls verifying that documents originating externally do not contain metadata suggesting they were originally created internally — a signal that a document may have been stolen from a previous victim and re-weaponized.
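As an added example of the last two controls above (macro blocking at the gateway and checking inbound documents for internal-origin metadata), the following Python pre-screener inspects an OOXML attachment as a zip container without ever opening it in Office. It is not Machete tooling or any vendor's product; INTERNAL_MARKERS is a hypothetical list of strings that only appear in the organization's own documents, and the sample documents are constructed in memory rather than taken from any real lure.

```python
"""Pre-screen an inbound OOXML document: embedded VBA and internal-origin metadata.

Added example, not Machete tooling or any vendor's product. INTERNAL_MARKERS is a
hypothetical list of strings that only appear in documents authored inside the
organization; the sample documents are constructed in memory, not real lures.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

INTERNAL_MARKERS = ("ministerio-ejemplo", "EJEMPLO-DOMAIN")          # hypothetical
CORE_NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
           "dc": "http://purl.org/dc/elements/1.1/"}
APP_NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}


def _xml_part(zf: zipfile.ZipFile, name: str):
    """Parse one XML part of the container, or None if the part is absent."""
    try:
        return ET.fromstring(zf.read(name))
    except KeyError:
        return None


def screen_office_document(data: bytes) -> dict:
    """Inspect a .docx/.docm/.xlsx/... supplied as bytes without rendering it."""
    f = {"has_vba": False, "internal_origin": False, "creator": None, "company": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # A VBA project part means macros, whatever the file extension claims.
        f["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        core = _xml_part(zf, "docProps/core.xml")
        if core is not None:
            el = core.find("dc:creator", CORE_NS)
            f["creator"] = el.text if el is not None else None
        app = _xml_part(zf, "docProps/app.xml")
        if app is not None:
            el = app.find("ep:Company", APP_NS)
            f["company"] = el.text if el is not None else None
    haystack = " ".join(v for v in (f["creator"], f["company"]) if v).lower()
    f["internal_origin"] = any(m.lower() in haystack for m in INTERNAL_MARKERS)
    return f


def verdict(findings: dict) -> str:
    """Gateway decision for a document from an external sender."""
    if findings["has_vba"]:
        return "block"        # macro-enabled Office from outside the organization
    if findings["internal_origin"]:
        return "review"       # possibly a stolen internal document re-sent as a lure
    return "allow"


def build_sample(creator: str, company: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for exercising the screener."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
            '<dc:creator>{c}</dc:creator></cp:coreProperties>').format(c=creator, **CORE_NS)
    app = '<Properties xmlns="{ep}"><Company>{co}</Company></Properties>'.format(co=company, **APP_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")   # OLE header bytes only
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("recycled lure", build_sample("analista@ministerio-ejemplo.gob", "Ministerio-Ejemplo", True)),
        ("external press note", build_sample("Press Office", "External Org", False)),
    )
    for label, doc in samples:
        found = screen_office_document(doc)
        print(label, found, "->", verdict(found))
```

Two caveats. Document metadata is trivially stripped or forged, so the absence of internal markers proves nothing; their presence is only a cheap, high-precision signal for the same-day recycled-lure pattern described above. And because the VBA check looks at the container rather than the extension, a file named .docx that contains word/vbaProject.bin is treated as macro-enabled, which is the case the gateway's extension filter would miss.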
analyst note — persistence despite disclosure

Machete's fifteen-year operational continuity despite repeated detailed public disclosures of its tools, infrastructure, and indicators of compromise is remarkable. Kaspersky (2014), Cylance (2017), and ESET (2019) each published comprehensive technical analyses including IOC lists — yet each subsequent research report found the group still active, newly adapted, and still exfiltrating significant volumes of intelligence. The lesson for defenders is that public IOC disclosure alone does not disrupt a well-resourced group with state backing: Machete's operators have consistently modified their malware within weeks of each exposure, rotated their infrastructure, and resumed operations against the same target categories. Defense requires behavioral detection and architectural controls rather than reliance on static IOC blocklists that Machete has demonstrated it can work around rapidly.
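The behavioral detection the note argues for, as an added example that is not Machete code or any vendor's rule set: a Python pass over constructed EDR, DNS and file-access telemetry that implements three of the signals from the Indicators of Compromise and Mitigation sections (lookups under No-IP-family dynamic DNS domains, Python or vendor-lookalike binaries running from user-writable paths, and bulk reads of targeted document types that include GIS or PGP files). The event schema is an assumption standing in for the real log formats, and the GIS extension list is an illustrative assumption, since public reporting confirms GIS targeting without publishing the full extension list.

```python
"""Behavioral detections for Machete-style activity over constructed telemetry.

Added example, not Machete code or any vendor's rule set. The event schema
(kind / ts / pid / image / cmdline / domain / file) and the GIS extension list
are assumptions made for this example.
"""
import os
from collections import defaultdict
from typing import Optional

# Dynamic DNS families named in public Machete reporting; extend with local intel.
DYNDNS_SUFFIXES = (".hopto.org", ".zapto.org", ".no-ip.biz")
OFFICE_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx",
              ".odt", ".ods", ".odp", ".rar", ".zip"}
GIS_EXT = {".shp", ".kml", ".kmz", ".gpx", ".dxf"}      # assumed illustrative set
KEY_EXT = {".gpg", ".pgp", ".asc", ".kbx"}              # PGP material is also collected
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\tmp\\")
VENDOR_LOOKALIKES = ("google", "adobe", "reader")        # names the implant hides behind


def ext_of(path: str) -> str:
    return os.path.splitext(path.rsplit("\\", 1)[-1])[1].lower()


def is_dynamic_dns(domain: str) -> bool:
    """True for hosts under a free dynamic DNS family (suffix match, not substring)."""
    d = domain.lower().rstrip(".")
    return any(d.endswith(s) or d == s[1:] for s in DYNDNS_SUFFIXES)


def suspicious_process(image: str, cmdline: str) -> Optional[str]:
    """Python from a user-writable path, or a vendor-lookalike image outside Program Files."""
    img, cmd = image.lower(), cmdline.lower()
    name = img.rsplit("\\", 1)[-1]
    in_user_dir = any(m in img for m in USER_WRITABLE)
    looks_python = "readersetting.exe" in name or "python" in name or ".py" in cmd
    if in_user_dir and looks_python:
        return "python-from-user-dir"
    if in_user_dir and any(v in name for v in VENDOR_LOOKALIKES) and "\\program files" not in img:
        return "vendor-lookalike-in-user-dir"
    return None


def bulk_collection(events, window: int = 60, threshold: int = 15):
    """Flag a process reading >= threshold distinct targeted files within `window`
    seconds, where at least one is a GIS or PGP file (the Machete-specific part)."""
    by_pid = defaultdict(list)
    for e in events:
        if e["kind"] == "file_read":
            x = ext_of(e["file"])
            if x in OFFICE_EXT or x in GIS_EXT or x in KEY_EXT:
                by_pid[e["pid"]].append((e["ts"], e["file"], x))
    alerts = []
    for pid, reads in by_pid.items():
        reads.sort()
        lo = 0
        for hi in range(len(reads)):            # sliding window over time-ordered reads
            while reads[hi][0] - reads[lo][0] > window:
                lo += 1
            win = reads[lo:hi + 1]
            distinct = {f for _, f, _ in win}
            if len(distinct) >= threshold and any(x in GIS_EXT or x in KEY_EXT for _, _, x in win):
                alerts.append({"pid": pid, "files": len(distinct), "start": reads[lo][0]})
                break                           # one alert per process is enough
    return alerts


def run_detections(events):
    alerts = []
    for e in events:
        if e["kind"] == "dns" and is_dynamic_dns(e["domain"]):
            alerts.append(("dyndns-c2", e["pid"], e["domain"]))
        elif e["kind"] == "process":
            why = suspicious_process(e["image"], e.get("cmdline", ""))
            if why:
                alerts.append((why, e["pid"], e["image"]))
    for a in bulk_collection(events):
        alerts.append(("bulk-collection", a["pid"], f"{a['files']} targeted files from ts {a['start']}"))
    return alerts


# Constructed telemetry: pid 4242 mimics the implant's process name and disguise;
# the hopto.org host is made up for this example and is not a published IOC.
DOCS = "C:\\Users\\analista\\Documents"
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4242, "ts": 990,
     "image": "C:\\Users\\analista\\AppData\\Roaming\\Adobe\\ReaderSetting.exe",
     "cmdline": "ReaderSetting.exe SearchAdobeReader"},
    {"kind": "process", "pid": 100, "ts": 991,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe"},
    {"kind": "dns", "pid": 4242, "ts": 995, "domain": "example-c2.hopto.org"},
    {"kind": "dns", "pid": 100, "ts": 996, "domain": "www.example.com"},
] + [
    {"kind": "file_read", "pid": 4242, "ts": 1000 + i, "file": f"{DOCS}\\informe{i}.docx"} for i in range(12)
] + [
    {"kind": "file_read", "pid": 4242, "ts": 1012 + i, "file": f"{DOCS}\\{n}"}
    for i, n in enumerate(("ruta_norte.shp", "cuadricula.kml", "patrulla.gpx", "secring.gpg"))
] + [
    {"kind": "file_read", "pid": 100, "ts": 1020 + i, "file": f"{DOCS}\\nota{i}.pdf"} for i in range(3)
]

if __name__ == "__main__":
    for kind, pid, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{kind}] pid={pid} {detail}")
```

Expect noise from the process rule on developer workstations (Python installed under AppData is legitimate there) and from the bulk rule on backup, indexing and sync agents; scope both by host role or allow-list those images rather than lowering the threshold, because the GIS-or-PGP condition is what keeps the bulk rule specific to this actor's collection profile. The dynamic DNS check is a suffix match, so a host such as zapto.org.example.com does not trigger it; substring matching would.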

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile