
Hacker group targets Venezuelan military with Machete malware in cyberespionage campaign

  • Over 50 computers, half of which belonged to the country’s military forces, were found to actively communicate with the C2 server.
  • The threat actors relied on spearphishing and used real, classified military documents that served as a decoy for the malware.

Security researchers have captured an ongoing cyberespionage campaign targeting military organizations in South American countries, primarily Venezuela. The hacker group behind the campaign used Machete, a Python-based malware, and was reported to be deploying an updated version of it. The campaign was identified by researchers from ESET.

The big picture

  • ESET researchers documented the cyberespionage campaign in a blog post. They found over 50 compromised computers that were actively communicating with the C2 server.
  • Half of these computers belonged to the Venezuelan military forces. Following Venezuela, the Ecuadorian military was highly targeted with Machete.
  • The hacker group relied on spearphishing and sent emails to specific targets. The emails had links or attachments that contained a compressed archive of Machete malware and used real, classified military documents as a decoy.
  • It is speculated that the group distributing Machete is a Spanish-speaking group.
  • According to the researchers, the group is using a new version of the malware. The new version is built as py2exe binaries, and the backdoor components are also included in these libraries.
  • Machete components are capable of performing a host of actions. This includes taking screenshots, logging keystrokes, collecting Wi-Fi passwords, exfiltrating specific files, among others.

Malware gets frequent updates

The researchers indicate that Machete malware is continually updated with new features. “ESET has been tracking this threat for months and has observed several changes, sometimes within weeks. At the time of this publication, the latest change introduced six backdoor components, which are no longer py2exe executables,” they said.

    Cyware Publisher