S1059: metaMain
Analyst context for executives and security teams
metaMain is a Windows backdoor documented by ATT&CK as being used by Metador to maintain long-term access to compromised machines and to decrypt Mafalda into memory. Its value to defenders is less about a single malware name and more about the access pattern it represents: persistent remote control, in-memory payload handling, collection, credential/input capture, local staging, and exfiltration over command-and-control channels. For business leaders, this is a continuity and incident-response concern because long-term backdoor access can turn a single compromised endpoint into a platform for data theft, credential exposure, and further tool deployment.
Executive priority
Prioritize validation of endpoint, identity, and network visibility for Windows systems that handle sensitive data or privileged activity. The ATT&CK relationships show behaviors tied to collection, credential access, stealth, persistence, command-and-control, and exfiltration, so leaders should ask whether the organization can prove: which hosts have suspicious persistence, which accounts were exposed, what data may have been staged or exfiltrated, and whether C2 traffic can be reconstructed during an investigation. This object is especially relevant to managed detection, incident response readiness, and audit evidence around logging, endpoint control, and data protection.
Technical view
SOC and IR teams should treat metaMain coverage as behavior-led rather than signature-led because ATT&CK provides no official detection text. Validate detections across the related techniques: local file and directory discovery, system/user/process discovery, process injection, registry modification, WMI event subscription persistence, encoded/encrypted artifacts, deobfuscation or in-memory payload handling, screen capture, keylogging/input capture, local data staging, file deletion, timestomping, ingress tool transfer, web or non-application-layer C2, internal proxying, port knocking, and exfiltration over C2. Since the malware platform is Windows, prioritize Windows endpoint telemetry while using network telemetry to confirm C2, proxying, transfer, and exfiltration hypotheses.
Likely telemetry
- Windows endpoint process creation and parent/child process lineage
- Windows registry modification events
- WMI event filter, consumer, and binding activity
- Endpoint memory/injection-related telemetry where available
- File creation, deletion, rename, timestamp, and directory enumeration events
Detection direction
- Build coverage around the ATT&CK-linked behavior chain rather than relying on the malware name alone.
- Correlate discovery activity, persistence changes, tool transfer, staging, and outbound communications from the same Windows host or user context.
- Tune for high-risk combinations such as WMI event subscription plus suspicious network callbacks, process injection plus encoded payload artifacts, or local staging followed by C2-channel exfiltration.
- Review blind spots in encrypted web traffic inspection, endpoint memory visibility, WMI logging, registry auditing, and file timestamp monitoring.
- Use allowlists carefully for administrative tools and WMI usage; false positives are likely where IT management software performs legitimate discovery or remote administration.
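A minimal correlation of the behavior chain above, written here as an added example (not code from ATT&CK, Glexia or the SentinelLabs reporting). It runs over constructed Sysmon-style events and ties together the WMI consumer registration, the `HKLM\SOFTWARE\DDE\tpid` registry write and an outbound connection from the same host inside a time window; the event field names, the 15-minute window and the benign-consumer allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Registry value quoted on this page as written during reflective loading (T1112).
TPID_VALUE = r"HKLM\SOFTWARE\DDE\tpid"
# Windows' built-in WMI consumer; an allowlist entry so routine consumers do not
# trigger the false positives the tuning note above warns about (assumed list).
BENIGN_CONSUMERS = {"SCM Event Log Consumer"}
# The page notes a five-to-six minute delay during persistence setup (T1497.003),
# so the correlation window must be wider than that.
WINDOW = timedelta(minutes=15)

# Constructed sample events in a Sysmon-like shape (EID 20 = WMI consumer registered,
# EID 13 = registry value set, EID 3 = network connection). Not real telemetry.
EVENTS = [
    {"ts": "2024-01-05T09:00:10", "host": "WS01", "eid": 20, "name": "hard_disk_stat"},
    {"ts": "2024-01-05T09:06:02", "host": "WS01", "eid": 13, "target": r"HKLM\SOFTWARE\DDE\tpid"},
    {"ts": "2024-01-05T09:07:30", "host": "WS01", "eid": 3, "dest": "203.0.113.10", "port": 443},
    {"ts": "2024-01-05T10:00:00", "host": "WS02", "eid": 20, "name": "SCM Event Log Consumer"},
    {"ts": "2024-01-05T10:01:00", "host": "WS02", "eid": 3, "dest": "198.51.100.5", "port": 443},
    {"ts": "2024-01-05T11:00:00", "host": "WS03", "eid": 13, "target": r"HKLM\SOFTWARE\DDE\tpid"},
]

def stage(ev):
    """Map one event to a behavior stage; None means it is not of interest."""
    if ev["eid"] == 20 and ev.get("name") not in BENIGN_CONSUMERS:
        return "wmi_persistence"
    if ev["eid"] == 13 and ev.get("target", "").lower() == TPID_VALUE.lower():
        return "tpid_registry"
    if ev["eid"] == 3:
        return "outbound"
    return None

def correlate(events, window=WINDOW):
    """Return {host: sorted stages} for hosts where a persistence or registry
    stage is followed by an outbound connection within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s))
    hits = {}
    for host, seq in by_host.items():
        for t0, s0 in seq:
            if s0 == "outbound":
                continue
            later = {s for t, s in seq if t0 <= t <= t0 + window}
            if "outbound" in later:
                hits.setdefault(host, set()).update(later)
    return {h: sorted(s) for h, s in hits.items()}

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

In the sample data only WS01 is flagged: WS02's consumer is allowlisted and WS03 shows the registry write with no outbound connection in the window.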
Mitigation priorities
- Harden and monitor Windows persistence surfaces, especially WMI event subscriptions and sensitive registry locations.
- Ensure EDR or equivalent endpoint controls collect process, file, registry, WMI, and network context needed for incident reconstruction.
- Restrict unnecessary outbound communications and monitor egress paths for C2, tool transfer, proxying, and exfiltration patterns.
- Apply least privilege and privileged access monitoring to reduce the value of captured credentials or user input.
- Protect sensitive data locations with access monitoring and data-loss controls to detect local collection and staging before exfiltration.
Analyst notes and limits
ATT&CK identifies metaMain as a Windows backdoor used by Metador for long-term access and as a mechanism to decrypt Mafalda into memory. The relationship set provides broad behavioral context across discovery, collection, credential access, stealth, persistence, command-and-control, tool transfer, and exfiltration. Because official detection guidance is not provided, defensive value comes from validating telemetry and analytics for the related techniques in the local environment.
This take uses only the supplied ATT&CK STIX fields, external references, and relationships. ATT&CK does not provide official detection text, aliases, labels, or object-level tactics for metaMain in the supplied data. Related techniques include platforms beyond Windows, but the malware object itself is supplied as Windows; environment-specific evidence is required before asserting exposure, compromise, or detection coverage.
metaMain
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Citation numbers in the last column refer to the external references list at the end of this page ([1] SentinelLabs Metador Sept 2022, [2] SentinelLabs Metador Technical Appendix Sept 2022).

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | metaMain can collect the username from a compromised host. [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | metaMain's module file has been encrypted via XOR. [2] |
| Enterprise | T1057 | Process Discovery | metaMain can enumerate the processes that run on the platform. [1][2] |
| Enterprise | T1074.001 | Local Data Staging | metaMain has stored the collected system files in a working directory. [1][2] |
| Enterprise | T1095 | Non-Application Layer Protocol | metaMain can establish an indirect and raw TCP socket-based connection to the C2 server. [1][2] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | metaMain registered a WMI event subscription consumer called "hard_disk_stat" to establish persistence. [1] |
| Enterprise | T1620 | Reflective Code Loading | metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file. [1] |
| Enterprise | T1112 | Modify Registry | metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid` Registry value as part of its reflective loading activity. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | metaMain can decrypt and load other modules. [1] |
| Enterprise | T1560.003 | Archive via Custom Method | metaMain has used XOR-based encryption for collected files before exfiltration. [1] |
| Enterprise | T1056 | Input Capture | metaMain can log mouse events. [2] |
| Enterprise | T1106 | Native API | metaMain can execute an operator-provided Windows command by leveraging functions such as `WinExec`, `WriteFile`, and `ReadFile`. [1][2] |
| Enterprise | T1113 | Screen Capture | metaMain can take and save screenshots. [1][2] |
| Enterprise | T1071.001 | Web Protocols | metaMain can use HTTP for C2 communications. [1][2] |
| Enterprise | T1497.003 | Time Based Checks | metaMain has delayed execution for five to six minutes during its persistence establishment process. [2] |
| Enterprise | T1005 | Data from Local System | metaMain can collect files and system information from a compromised host. [1][2] |
| Enterprise | T1083 | File and Directory Discovery | metaMain can recursively enumerate files in an operator-provided directory. [1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | metaMain can upload collected files and data to its C2 server. [2] |
| Enterprise | T1090.001 | Internal Proxy | metaMain can create a named pipe to listen for and send data to a named pipe-based C2 server. [2] |
| Enterprise | T1574.001 | DLL | metaMain can support an HKCMD sideloading start method. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | metaMain can download files onto compromised systems. [1][2] |
| Enterprise | T1070.004 | File Deletion | metaMain has deleted collected items after uploading the content to its C2 server. [1][2] |
| Enterprise | T1056.001 | Keylogging | metaMain has the ability to log keyboard events. [1][2] |
| Enterprise | T1573.001 | Symmetric Cryptography | metaMain can encrypt the data that it sends and receives from the C2 server using an RC4 encryption algorithm. [1][2] |
| Enterprise | T1070.006 | Timestomp | metaMain can change the `CreationTime`, `LastAccessTime`, and `LastWriteTime` file time attributes when executed with `SYSTEM` privileges. [2] |
| Enterprise | T1055 | Process Injection | metaMain can inject the loader file, Speech02.db, into a process. [1] |
| Enterprise | T1205.001 | Port Knocking | metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure. [1] |
| Enterprise | T1082 | System Information Discovery | metaMain can collect the computer name from a compromised host. [2] |
Groups, software, and campaigns
G1013: Metador
Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 03c6eb450a72… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelLabs Metador Sept 2022: Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
- [2] SentinelLabs Metador Technical Appendix Sept 2022: SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
- [3] mitre-attack S1059: MITRE ATT&CK software object page for S1059.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.