Skip to content

S0409 Machete

Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.123

Item Value
ID S0409
Associated Names Pyark
Version 2.1
Created 13 September 2019
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Pyark 3

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Machete uses HTTP for Command & Control.143
enterprise T1071.002 File Transfer Protocols Machete uses FTP for Command & Control.143
enterprise T1010 Application Window Discovery Machete saves the window names.1
enterprise T1560 Archive Collected Data Machete stores zipped files with profile data from installed web browsers.1
enterprise T1560.003 Archive via Custom Method Machete‘s collected data is encrypted with AES before exfiltration.1
enterprise T1123 Audio Capture Machete captures audio from the computer’s microphone.243
enterprise T1020 Automated Exfiltration Machete’s collected files are exfiltrated automatically to remote servers.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Machete used the startup folder for persistence.24
enterprise T1217 Browser Information Discovery Machete retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers.1
enterprise T1115 Clipboard Data Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.006 Python Machete is written in Python and is used in conjunction with additional Python scripts.123
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Machete collects stored credentials from several web browsers.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Machete has used base64 encoding.2
enterprise T1005 Data from Local System Machete searches the File system for files of interest.1
enterprise T1025 Data from Removable Media Machete can find, encrypt, and upload files from fixed and removable drives.41
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Machete stores files and logs in a folder on the local drive.14
enterprise T1140 Deobfuscate/Decode Files or Information Machete’s downloaded data is decrypted using AES.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Machete has used AES to exfiltrate documents.1
enterprise T1573.002 Asymmetric Cryptography Machete has used TLS-encrypted FTP to exfiltrate data.4
enterprise T1041 Exfiltration Over C2 Channel Machete‘s collected data is exfiltrated over the same channel used for C2.1
enterprise T1052 Exfiltration Over Physical Medium -
enterprise T1052.001 Exfiltration over USB Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.12
enterprise T1008 Fallback Channels Machete has sent data over HTTP if FTP failed, and has also used a fallback server.1
enterprise T1083 File and Directory Discovery Machete produces file listings in order to search for files to be exfiltrated.143
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Once a file is uploaded, Machete will delete it from the machine.1
enterprise T1105 Ingress Tool Transfer Machete can download additional files for execution on the victim’s machine.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Machete logs keystrokes from the victim’s machine.1243
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.1
enterprise T1036.005 Match Legitimate Name or Location Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.12
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Machete has been packed with NSIS.1
enterprise T1027.010 Command Obfuscation Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.41
enterprise T1120 Peripheral Device Discovery Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.1
enterprise T1057 Process Discovery Machete has a component to check for running processes to look for web browsers.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task The different components of Machete are executed by Windows Task Scheduler.12
enterprise T1029 Scheduled Transfer Machete sends stolen data to the C2 server every 10 minutes.1
enterprise T1113 Screen Capture Machete captures screenshots.1243
enterprise T1082 System Information Discovery Machete collects the hostname of the target computer.1
enterprise T1016 System Network Configuration Discovery Machete collects the MAC address of the target computer and other network configuration information.13
enterprise T1049 System Network Connections Discovery Machete uses the netsh wlan show networks mode=bssid and netsh wlan show interfaces commands to list all nearby WiFi networks and connected interfaces.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys Machete has scanned and looked for cryptographic keys and certificate file extensions.1
enterprise T1125 Video Capture Machete takes photos from the computer’s web camera.243

Groups That Use This Software

ID Name References
G0095 Machete 21