Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) | Intrusion Set | 1 |
| Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) | Attack Pattern | Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) | Attack Pattern | 2 |
| Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) | Attack Pattern | Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) | Attack Pattern | 2 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 2 |
| Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 2 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | 2 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | 2 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) | Attack Pattern | metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) | Malware | 2 |
| Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) | Attack Pattern | 2 |
| Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2 |
| Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | 2 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2 |
| Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 2 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 2 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) | Attack Pattern | 2 |
| Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) | Malware | External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 3 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 3 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 3 |
| Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | 3 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 3 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 3 |
| Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | 3 |
| Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 3 |
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 3 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 3 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 3 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 3 |
| Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 3 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 3 |
| Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) | Attack Pattern | Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | 3 |