Hide Navigation Hide TOC

Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	3