MITRE ATT&CK® Group

G1013: Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[1]

Enterprise | G1013 | Group | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Metador matters because ATT&CK describes it as a suspected cyber espionage group reported in 2022 with targeting of a limited number of telecommunications companies, internet service providers, and universities in the Middle East and Africa. For leaders, the practical issue is not broad exposure; it is whether high-value networks that provide connectivity, research, or regional operations can detect long-term access, encrypted or encoded payloads, command-and-control traffic, tool transfer, file cleanup, and WMI-based persistence associated through ATT&CK relationships.

Executive priority

Treat this as a threat-intelligence-driven validation case for organizations with similar sector or regional risk, especially telecom, ISP, and university environments. Priority decisions should focus on whether SOC and incident response teams can prove coverage for long-term backdoor access on Windows systems, suspicious web or non-application-layer C2, WMI event subscription persistence, and post-compromise file transfer/deletion. This object is also useful for audit and resilience discussions: can the organization show it collects the evidence needed to reconstruct stealthy activity, not just block known malware names?

Technical view

ATT&CK does not provide a detection section for Metador, so defenders should pivot from the relationships: metaMain and Mafalda software, encrypted/encoded files, Windows command shell execution, file deletion, web protocol C2, non-application-layer C2, ingress tool transfer, WMI event subscription persistence, and pre-compromise acquisition of malware/tools. Validate Windows endpoint visibility for command shell activity, WMI permanent event subscriptions, file creation/deletion patterns, and in-memory or encrypted payload handling where available. Validate network monitoring for unusual HTTP/S or other web-protocol sessions, non-application-layer communications, and file transfers from external systems. Because the group object has no platforms or tactics specified, detection engineering should be scoped to the related techniques and software rather than assuming complete platform coverage from the group record alone.

Likely telemetry

  • Windows process creation and command-line logging, especially cmd.exe activity
  • Windows WMI event filter, consumer, and binding creation or modification records
  • Endpoint file creation, modification, deletion, and quarantine/EDR artifact records
  • Network proxy, firewall, DNS, and TLS metadata for web-protocol command-and-control patterns
  • Network telemetry capable of identifying non-application-layer protocol use where collected

Detection direction

  • Build coverage around the related ATT&CK techniques rather than the sparse group record: T1027.013, T1059.003, T1070.004, T1071.001, T1095, T1105, T1546.003, T1588.001, and T1588.002.
  • Tune Windows command-shell analytics to distinguish administrative scripts from unusual execution chains, remote execution context, or command activity tied to suspicious file transfer and cleanup.
  • Validate WMI persistence detection for permanent event subscriptions, including filters, consumers, and bindings; this is often a blind spot if only standard process logs are collected.
  • Correlate file deletion with prior tool transfer, command execution, or malware alerts to avoid treating cleanup as isolated low-severity activity.
  • Review network detections for both common web traffic abuse and non-application-layer communications; proxy-only monitoring may miss some protocol-level behaviors.
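The command-shell, WMI-persistence and cleanup points in the technical view and detection direction above, as an added worked example that is not code from this page, from MITRE or from Glexia: two analytics run over constructed Sysmon-style endpoint events. The event IDs used (11 FileCreate, 19 WmiEventFilter, 20 WmiEventConsumer, 21 WmiEventConsumerToFilter, 23 FileDelete) and the field names are Sysmon's; the records, the filter/consumer names, the paths and the `SUSPECT_BINARIES` list are assumptions made for illustration. The first function resolves each filter-to-consumer binding and flags command-line consumers that launch a living-off-the-land binary such as `cdb.exe`; the second correlates an executable written to disk with its deletion shortly afterwards, so that cleanup is not scored as isolated low-severity activity.

```python
"""Two analytics for the detection direction above, run over constructed
Sysmon-style events (assumed field layout; all records are invented)."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Metador artefacts). Sysmon event IDs:
# 11 FileCreate, 19 WmiEventFilter, 20 WmiEventConsumer,
# 21 WmiEventConsumerToFilter (binding), 23 FileDelete.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2022-09-01 10:00:00", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\cdb.exe"},
    {"EventID": 19, "UtcTime": "2022-09-01 10:00:05", "Name": "UpdFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "UtcTime": "2022-09-01 10:00:06", "Name": "UpdConsumer", "Type": "Command Line",
     "Destination": r"C:\Users\Public\cdb.exe -cf C:\Users\Public\s.txt"},
    {"EventID": 21, "UtcTime": "2022-09-01 10:00:07",
     "Consumer": 'CommandLineEventConsumer.Name="UpdConsumer"',
     "Filter": '__EventFilter.Name="UpdFilter"'},
    {"EventID": 23, "UtcTime": "2022-09-01 10:02:00", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\cdb.exe"},
    # Benign noise: a default event-log binding, a temp file, an old installer.
    {"EventID": 20, "UtcTime": "2022-09-01 09:00:00", "Name": "SCM Event Log Consumer",
     "Type": "Event Log", "Destination": "service state change"},
    {"EventID": 21, "UtcTime": "2022-09-01 09:00:01",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 11, "UtcTime": "2022-09-01 10:01:00", "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Windows\Temp\report.tmp"},
    {"EventID": 23, "UtcTime": "2022-09-01 10:03:00", "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Windows\Temp\report.tmp"},
    {"EventID": 11, "UtcTime": "2022-08-30 09:00:00", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Temp\installer.exe"},
    {"EventID": 23, "UtcTime": "2022-09-01 10:05:00", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Temp\installer.exe"},
]

# Assumed watch-list of binaries a WMI consumer should rarely launch directly.
SUSPECT_BINARIES = {"cdb.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")
# Sysmon writes bindings as object references, e.g. CommandLineEventConsumer.Name="X".
_REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]+)"$')


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _command_image(cmdline):
    """First token of a command line, honouring a quoted program path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline.strip())
    return _basename(m.group(1) or m.group(2)) if m else ""


def wmi_subscription_alerts(events):
    """Resolve every binding (ID 21) to its filter (ID 19) and consumer (ID 20);
    alert on command-line consumers that launch a watch-listed binary."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    alerts = []
    for binding in (e for e in events if e["EventID"] == 21):
        cm, fm = _REF.match(binding["Consumer"]), _REF.match(binding["Filter"])
        if not cm or not fm:
            continue
        consumer = consumers.get(cm["name"])
        if consumer is None or consumer["Type"] != "Command Line":
            continue
        image = _command_image(consumer["Destination"])
        if image in SUSPECT_BINARIES:
            filt = filters.get(fm["name"])
            alerts.append({"consumer": cm["name"], "filter": fm["name"], "binary": image,
                           "query": filt["Query"] if filt else None, "at": binding["UtcTime"]})
    return alerts


def transfer_then_delete_alerts(events, window_minutes=30):
    """Pair each FileDelete (ID 23) of an executable with an earlier FileCreate
    (ID 11) of the same path inside the window: short-lived tooling."""
    creates = [e for e in events if e["EventID"] == 11]
    window = timedelta(minutes=window_minutes)
    alerts = []
    for delete in (e for e in events if e["EventID"] == 23):
        path = delete["TargetFilename"]
        if not path.lower().endswith(EXECUTABLE_EXT):
            continue
        for create in creates:
            age = _ts(delete) - _ts(create)
            if create["TargetFilename"].lower() == path.lower() and timedelta(0) <= age <= window:
                alerts.append({"file": path, "created": create["UtcTime"], "deleted": delete["UtcTime"],
                               "seconds_alive": int(age.total_seconds()), "by": delete["Image"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in wmi_subscription_alerts(SAMPLE_EVENTS):
        print("WMI persistence:", alert)
    for alert in transfer_then_delete_alerts(SAMPLE_EVENTS):
        print("transfer-then-delete:", alert)
```

On the sample data the first analytic raises one alert (the `UpdFilter`/`UpdConsumer` binding running `cdb.exe`) and ignores the event-log consumer; the second raises one alert for `cdb.exe`, alive for 120 seconds, while the `.tmp` file and the installer deleted two days after creation are ignored. In production the binding resolution is what matters: filters and consumers are benign on their own, so alerting on ID 19 or 20 in isolation produces noise, whereas the ID 21 join exposes what actually runs and on which trigger.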

Mitigation priorities

  • Prioritize logging and retention first: endpoint process, WMI, file, and network telemetry must be available before this activity can be validated or investigated.
  • Harden Windows persistence surfaces by reviewing WMI event subscription permissions, administrative access, and change monitoring.
  • Apply least privilege and administrative control review to reduce the value of command shell access after compromise.
  • Control and monitor outbound traffic, including web protocols and unusual non-application-layer communications, with escalation paths for suspicious destinations or protocol use.
  • Strengthen ingress tool transfer controls through egress filtering, proxy inspection where appropriate, endpoint controls, and investigation playbooks for externally sourced files.

Analyst notes and limits

The official ATT&CK group description is limited but meaningful: suspected espionage, first reported in September 2022, limited targeting of telecoms, ISPs, and universities in the Middle East and Africa, with naming details from malware strings and C2 response expectations. Relationship context supplies the main defensive value: metaMain for long-term access and Mafalda as an interactive implant, plus techniques covering obfuscation, execution, cleanup, C2, tool transfer, persistence, and resource development.

No official detection guidance, group-level platforms, or group-level tactics were provided. Related software indicates Windows, while related techniques include Windows, network devices, ESXi, Linux, macOS, and PRE contexts; this should not be interpreted as confirmed Metador activity across all those platforms without additional evidence. This take is based only on the supplied ATT&CK fields, external references, and relationships, and local telemetry is required to assess relevance or coverage.

Official MITRE ATT&CK definition

Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

9 rows

Domain  ID  Name  Relationship / procedure

Enterprise  T1071.001  Web Protocols (sub-technique)
    Metador has used HTTP for C2. [1]

Enterprise  T1059.003  Windows Command Shell (sub-technique)
    Metador has used the Windows command line to execute commands. [1]

Enterprise  T1588.001  Malware (sub-technique)
    Metador has used unique malware in their operations, including metaMain and Mafalda. [1]

Enterprise  T1546.003  Windows Management Instrumentation Event Subscription (sub-technique)
    Metador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as `cdb.exe`. [1]

Enterprise  T1027.013  Encrypted/Encoded File (sub-technique)
    Metador has encrypted their payloads. [1]

Enterprise  T1070.004  File Deletion (sub-technique)
    Metador has quickly deleted `cdb.exe` from a compromised host following the successful deployment of their malware. [1]

Enterprise  T1095  Non-Application Layer Protocol
    Metador has used TCP for C2. [1]

Enterprise  T1588.002  Tool (sub-technique)
    Metador has used Microsoft's Console Debugger in some of their operations. [1]

Enterprise  T1105  Ingress Tool Transfer
    Metador has downloaded tools and malware onto a compromised system. [1]

Associated objects

Groups, software, and campaigns

Malware Enterprise

S1060: Mafalda

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. [1]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 6a29fda4f8a50b83...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  6a29fda4f8a5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] SentinelLabs Metador Sept 2022
     Ehrlich, A., et al. (2022, September). The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities. Retrieved January 23, 2023.
  2. [2] mitre-attack G1013

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.