
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3