Security Experts:

Connect with us

Hi, what are you looking for?



‘Machete’ Cyberspies Target Military in Venezuela, Ecuador

The threat actor behind the cyberespionage campaign dubbed Machete continues to be active and some of its most recent attacks targeted the military in Venezuela and Ecuador, ESET reported on Monday.

The threat actor behind the cyberespionage campaign dubbed Machete continues to be active and some of its most recent attacks targeted the military in Venezuela and Ecuador, ESET reported on Monday.

Attacks launched by the Machete group were first analyzed by Kaspersky in 2014. The hackers have been active since at least 2010, focusing on Spanish-speaking countries, particularly in Latin America. Some targets have also been identified in Russia (the embassies of Spanish-speaking countries), the United States, Sweden, China, Korea, the United Kingdom, Canada, Germany and Ukraine.

Both Kaspersky’s 2014 report and ESET’s new research suggest that the attackers are native Spanish speakers, but research published in 2017 by Cylance noted that the attacks may originate from Brazil, particularly due to the fact that no victims had been spotted in this country and the most heavily targeted countries share a land border with Brazil. The official language in Brazil is Portuguese, but recent estimates said roughly 460,000 Brazilians, representing 0.23% of the population, speak Spanish fluently.

The recent Machete operations observed by ESET mostly targeted Venezuela (75%), followed by Ecuador (16%), Colombia (7%), and Nicaragua (2%). In the case of Venezuela, over half of the compromised machines belong to the country’s military, while others belong to police, education, foreign affairs and other organizations. Ecuador’s military has also been targeted in recent attacks.

According to ESET, over 50 compromised machines communicated with Machete command and control (C&C) servers between March and May 2019, and the hackers managed to steal hundreds of gigabytes of confidential documents each week.

ESET researchers have noticed that the attackers have used spear-phishing emails tailored to each victim, in some cases delivering their Python-based malware using previously stolen documents.

Machete malware

The malware delivered to victims, typically disguised as a Google application, is capable of taking screenshots, logging keystrokes, accessing the system’s clipboard, exfiltrating files and user data from web browsers, collecting information on geolocation and nearby wireless networks, and executing other malicious components fetched from the C&C server. The attackers appear to be particularly interested in backup, database, PGP, document, vector image, and geographic information system (GIS) files.

ESET says the group behind the Machete attacks continues to be active, regularly changing and improving its malware, infrastructure and phishing tactics.

“The Machete group’s operations are stronger than ever, and our investigation has shown that it is able to evolve quite rapidly, sometimes within weeks,” said ESET researcher Matias Porolli.

Related: “Packrat” Threat Group Targets Latin America

Related: ‘Sowbug’ Hackers Hit Diplomatic Targets Since 2015

Related: Brazilian Hackers Described as Adaptable Pirates

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.