Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 3