Skip to content

Hide Navigation Hide TOC

Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68) Malware 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3