
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) | Attack Pattern | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 1 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) | Attack Pattern | 1 |
| Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 2 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 2 |
| Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | 2 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | 2 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) | Attack Pattern | Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) | Attack Pattern | 2 |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 2 |
| Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | 2 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | 2 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) | Attack Pattern | Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | 3 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 3 |
| System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 3 |
| Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 3 |
| Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) | Attack Pattern | Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | 3 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 3 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | 3 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 3 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 3 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | 3 |
| Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) | Attack Pattern | 3 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 3 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 3 |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | 3 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 3 |