G1013 Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the “I am meta” string in one of the group’s malware samples and the expectation of Spanish-language responses from C2 servers.[1]

| Item | Value |
| --- | --- |
| ID | G1013 |
| Associated Names | |
| Version | 1.0 |
| Created | 25 January 2023 |
| Last Modified | 14 April 2023 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Metador has used HTTP for C2.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Metador has used the Windows command line to execute commands.[1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Metador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as cdb.exe.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Metador has quickly deleted cdb.exe from a compromised host following the successful deployment of their malware.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Metador has downloaded tools and malware onto a compromised system.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | Metador has used TCP for C2.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Metador has encrypted their payloads.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | Metador has used unique malware in their operations, including metaMain and Mafalda.[1] |
| enterprise | T1588.002 | Tool | Metador has used Microsoft’s Console Debugger in some of their operations.[1] |


| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S1060 | Mafalda | [1][2] | Make and Impersonate Token:Access Token Manipulation, Access Token Manipulation, Web Protocols:Application Layer Protocol, Browser Information Discovery, Windows Command Shell:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Standard Encoding:Data Encoding, Data from Local System, Local Data Staging:Data Staged, Debugger Evasion, Deobfuscate/Decode Files or Information, Symmetric Cryptography:Encrypted Channel, Exfiltration Over C2 Channel, External Remote Services, File and Directory Discovery, Clear Windows Event Logs:Indicator Removal, Ingress Tool Transfer, Input Capture, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, LSASS Memory:OS Credential Dumping, Process Discovery, Internal Proxy:Proxy, Query Registry, Screen Capture, Security Software Discovery:Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Service Execution:System Services, Port Knocking:Traffic Signaling, Private Keys:Unsecured Credentials |
| S1059 | metaMain | [1][2] | Web Protocols:Application Layer Protocol, Archive via Custom Method:Archive Collected Data, Data from Local System, Local Data Staging:Data Staged, Deobfuscate/Decode Files or Information, Symmetric Cryptography:Encrypted Channel, Windows Management Instrumentation Event Subscription:Event Triggered Execution, Exfiltration Over C2 Channel, File and Directory Discovery, DLL Side-Loading:Hijack Execution Flow, Timestomp:Indicator Removal, File Deletion:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Input Capture, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection, Internal Proxy:Proxy, Reflective Code Loading, Screen Capture, System Information Discovery, System Owner/User Discovery, Port Knocking:Traffic Signaling, Time Based Evasion:Virtualization/Sandbox Evasion |