‘Machete’ Continues to Spy on Spanish-Speaking Countries

The threat group behind the cyber espionage campaign dubbed “Machete” continues to target entities in Spanish-speaking countries, endpoint security firm Cylance reported on Wednesday.

Machete was first analyzed by Kaspersky Lab back in 2014. At the time, the company said the operation had been active since 2010, with some improvements made in 2012.

The list of targeted entities included intelligence services, embassies, government institutions and military organizations. A majority of the victims at the time were located in Venezuela, Ecuador and Colombia, but some compromised systems were also identified in Russia (embassies), Peru, Cuba, Brazil, the U.S., Spain, Sweden, and China.

The attackers had used spear-phishing emails and fake blogs to deliver malware capable of logging keystrokes, capturing audio from the microphone, taking screenshots and photos via the webcam, collecting geolocation data, and exfiltrating files to a remote server or a special USB device.

Cylance researchers have also analyzed the campaign and identified over 300 unique victims in the past month. According to the security firm, the attackers managed to steal more than 100 Gb of data from organizations.

A majority of the victims identified by Cylance were located in Ecuador, Venezuela, Peru, Argentina and Colombia, but some targets were also found in Korea, the U.S., the Dominican Republic, Bolivia, Cuba, Guatemala, Nicaragua, Mexico, the U.K., Canada, Germany, Russia and Ukraine.

The types of organizations targeted are mostly the same as reported by Kaspersky, but Cylance also mentioned telecommunications and power companies.

Kaspersky noted in its 2014 report that the attacker appeared to be a native Spanish speaker. Cylance pointed out that it did not see any victims in Brazil, and that the most heavily targeted countries shared a land border with Brazil. This could suggest that the attacks have been launched from Brazil, but it contradicts Kaspersky’s initial finding as Brazilians speak Portuguese.

According to Cylance, the threat actor behind Machete managed to keep its operations alive by moving to a new command and control (C&C) infrastructure and making minor changes to its malware to evade signature-based detection.

“El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples,” said Cylance researchers.

As for Machete victims, experts pointed out that many of the targeted countries are known customers of companies such as FinFisher and Hacking Team, which suggests that they have yet to develop their own cyber capabilities.

Related: “Packrat” Threat Group Targets Latin America

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.