S1000: ACAD/Medre.A
ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.[1]
Analyst context for executives and security teams
ACAD/Medre.A matters because it represents malware focused on stealing operational design information, specifically AutoCAD drawing files. For executives and security leaders, the practical risk is not only malware infection; it is loss of engineering, plant, or production knowledge that can support industrial espionage, competitive harm, or later targeting of operational environments.
Executive priority
Treat this as an information-protection and operational-resilience issue for environments that store or exchange engineering drawings. Leaders should ask where AutoCAD and similar operational design files reside, who can access them, whether file movement is monitored, and whether incident response plans cover theft of engineering artifacts as well as disruption. Because ATT&CK provides no platform or detection details for this object, prioritization should be based on local exposure: presence of sensitive CAD files, business criticality of those designs, and audit or contractual obligations around intellectual property protection.
Technical view
SOC, detection engineering, and IR teams should validate visibility around local collection and theft of operational information, aligned to the related ATT&CK techniques T0893 Data from Local System and T0882 Theft of Operational Information. Practical validation should focus on whether endpoints and file repositories containing AutoCAD drawings generate usable evidence for unusual access, staging, copying, compression, or outbound transfer of design files. Since no official detection guidance or platform is specified, teams should avoid assuming coverage and instead test telemetry availability in the actual engineering and operations file workflows.
Likely telemetry
- Endpoint file access and file creation events for AutoCAD drawing repositories and local workstations
- File server or document repository audit logs showing reads, copies, renames, and bulk access to engineering files
- Endpoint process execution and scripting or command-line activity where available, especially around local file discovery or collection
- Data loss prevention, proxy, mail, or network egress logs showing transfer of CAD or design artifacts
- Authentication and access logs for users and systems with access to operational drawings
Detection direction
- Inventory where operational drawings and AutoCAD files are stored before writing detections; unknown file locations are a primary blind spot.
- Baseline normal engineering access patterns so alerts on bulk reads, unusual working hours, new destinations, or unexpected users can be tuned without overwhelming analysts.
- Correlate local file collection indicators with egress, email, removable media, or repository access evidence to distinguish routine engineering work from possible theft.
- Validate whether security tooling is deployed on engineering workstations and file servers; ATT&CK does not specify platforms or built-in detection logic for this malware.
- Use the relationship to T0893 and T0882 to frame detections around data collection and theft outcomes rather than relying on malware-name matching alone.
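As an added illustration of the telemetry and detection direction above (example code, not part of the ATT&CK object or Glexia's page), the following Python sketch correlates a burst of distinct .dwg reads with later archive creation or egress by the same user; the audit-line format, field names, thresholds and the allowlisted service account are assumptions, and all events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVE_EXT = (".zip", ".7z", ".rar")  # staging containers worth correlating

def parse(lines):
    """Each constructed line: '<ISO time> <user> <host> <action> <target>'."""
    events = []
    for line in lines:
        ts, user, host, action, target = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), user, host, action, target))
    return sorted(events)

def detect(events, threshold=10, window=timedelta(minutes=10),
           followup=timedelta(minutes=30), allowlist=("svc_backup",)):
    """One alert per user whose distinct .dwg reads in `window` reach `threshold`;
    severity is raised if an archive creation or egress event follows within `followup`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev[1] not in allowlist:          # tuned-out service accounts (baseline)
            by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        reads = [ev for ev in evs if ev[3] == "read" and ev[4].lower().endswith(".dwg")]
        for t0, *_ in reads:
            burst = {ev[4] for ev in reads if t0 <= ev[0] < t0 + window}
            if len(burst) < threshold:
                continue
            limit = t0 + window + followup
            staged = any(ev[3] == "create" and ev[4].lower().endswith(ARCHIVE_EXT)
                         and t0 <= ev[0] < limit for ev in evs)
            egress = any(ev[3] == "egress" and t0 <= ev[0] < limit for ev in evs)
            alerts.append({"user": user, "start": t0, "dwg_files": len(burst),
                           "severity": "high" if (staged or egress) else "medium"})
            break                           # first qualifying burst is enough for triage
    return alerts

def sample_lines():
    """Constructed audit lines: daytime routine work, an allowlisted backup account,
    and a night-time burst of 12 drawing reads followed by a zip and an egress event."""
    lines = ["2024-05-01T09:02:11 alice eng-ws01 read //fs01/drawings/plant_a/p101.dwg",
             "2024-05-01T09:41:40 alice eng-ws01 read //fs01/drawings/plant_a/p102.dwg",
             "2024-05-01T13:10:02 svc_backup fs01 read //fs01/drawings/plant_b/b001.dwg"]
    for n in range(12):
        lines.append(f"2024-05-01T22:{14 + n // 6:02d}:{(n % 6) * 10:02d} bob eng-ws07 "
                     f"read //fs01/drawings/plant_a/p{200 + n}.dwg")
    lines.append("2024-05-01T22:17:30 bob eng-ws07 create C:/Users/bob/AppData/Local/Temp/x.zip")
    lines.append("2024-05-01T22:19:00 bob eng-ws07 egress 203.0.113.10:443")
    return lines
```

Calling `detect(parse(sample_lines()))` yields a single high-severity alert for bob; dropping the zip and egress lines downgrades it to medium, and the backup account never alerts.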
Mitigation priorities
- Classify and locate sensitive operational drawings and engineering design files, then restrict access to business-justified users and systems.
- Enable and retain audit logging on systems and repositories that store operational design information.
- Apply least privilege and periodic access review for engineering repositories, shared drives, and local storage locations containing CAD files.
- Implement monitoring or DLP-style controls for bulk movement or external transfer of design artifacts where business processes allow.
- Ensure incident response playbooks include evidence preservation and business decision points for suspected theft of operational information, including legal, compliance, and operational leadership notification paths.
Analyst notes and limits
The supplied ATT&CK object describes ACAD/Medre.A as a worm that collects AutoCAD drawing files and can be used for industrial espionage. The relationship context ties it to theft of operational information and data collection from local systems. The strongest defensive value is to verify protection and monitoring around engineering data, not to assume that a malware signature alone will address the risk.
ATT&CK provides no official detection text, no specified platforms, no tactics, and no aliases for this object in the supplied fields. Any assessment of likelihood, affected operating systems, active exploitation, specific infection vectors, or vendor detection coverage requires local telemetry or the cited external report and cannot be concluded from the supplied STIX fields alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0882 | Theft of Operational Information | ACAD/Medre.A can collect AutoCAD files with drawings. These drawings may contain operational information. [1] |
| ICS | T0893 | Data from Local System | ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b0ef6986d51b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET. ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage. Retrieved 2021/04/13.
- [2] mitre-attack: S1000.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.