S1060: Mafalda
Analyst context for executives and security teams
Mafalda matters because it is described as a flexible interactive Windows implant associated in ATT&CK with Metador, a suspected espionage group. The linked behaviors show a post-compromise toolset pattern: discover the host and network, access credentials from LSASS, capture user input or screens, stage and collect local data, and communicate or exfiltrate over command-and-control channels. For leaders, this is less about one malware name and more about whether Windows endpoint, identity, and network controls can prove they would notice an interactive operator moving from discovery to credential access and data collection.
Executive priority
Prioritize Mafalda as a validation case for resilience against hands-on-keyboard intrusion on Windows systems. The business questions are: can the organization detect credential access against LSASS, unusual command shell or PowerShell activity, registry changes, internal proxying, tool transfer, and data staging before sensitive data leaves over C2? This object is especially relevant to incident response readiness, SOC telemetry quality, identity risk reduction, and evidence that endpoint and network monitoring cover post-compromise behavior rather than only known malware signatures.
Technical view
ATT&CK does not provide a dedicated detection section for Mafalda, so defenders should validate coverage through the related techniques. Focus on Windows telemetry for LSASS memory access, PowerShell and cmd execution, registry query and modification, native API-driven process behavior, process/user/system/network discovery, file and directory enumeration, local data staging, screen capture, input capture indicators, ingress tool transfer, internal proxy behavior, web-protocol C2, non-application-layer C2, standard encoding, and exfiltration over the existing C2 channel. Treat the Metador relationship as context, not proof of attribution in local incidents.
Likely telemetry
- Windows endpoint detection and response events for process creation, parent-child process relationships, command-line arguments, and suspicious native API behavior
- Windows security and system logs relevant to credential access, privilege context, and process access to LSASS
- PowerShell logging where enabled, including script block, module, and command history evidence
- Registry access and modification telemetry for query and persistence or defense-impairment patterns
- File system telemetry for enumeration, creation of staging locations, encoded or encrypted files, and tool transfer artifacts
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on the Mafalda name, because official detection guidance is not provided.
- Validate high-fidelity alerts for LSASS access and credential material exposure, with tuning for legitimate administrative and security tools.
- Review PowerShell and Windows Command Shell detections for discovery, collection, staging, and transfer patterns, while accounting for normal administrator activity.
- Correlate host discovery commands, registry queries, process discovery, network connection discovery, and file enumeration into multi-event intrusion narratives instead of isolated low-severity alerts.
- Inspect network monitoring for web-protocol C2, encoded content, non-application-layer communications, internal proxy behavior, and exfiltration over an established C2 channel.
Mitigation priorities
- Harden Windows credential protections around LSASS and restrict administrative privileges that enable credential dumping.
- Improve PowerShell and command shell governance through logging, constrained use where appropriate, and review of administrative baselines.
- Strengthen registry monitoring and change-control processes for keys relevant to persistence, execution, and defense impairment.
- Limit unnecessary outbound communications and monitor egress paths that could support C2, tool transfer, internal proxying, or exfiltration.
- Reduce data exposure by controlling local sensitive data storage and monitoring unusual staging or collection behavior.
Analyst notes and limits
The supplied ATT&CK object identifies Mafalda as a Windows malware implant used by Metador and provides many technique relationships, but no official detection text. The strongest defensive value is to use these relationships as a coverage checklist for SOC engineering, threat hunting, and IR tabletop validation.
This take does not assert current exploitation, customer exposure, or guaranteed detection. Several related techniques have broad platform descriptions in ATT&CK, but the Mafalda object itself lists Windows as its platform. Local telemetry, asset criticality, administrative baselines, and confirmed indicators are required for environment-specific assessment.
Mafalda
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1205.001 | Port Knocking Sub-technique | Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.CitationSentinelLabs Metador Sept 2022CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1134.003 | Make and Impersonate Token Sub-technique | Mafalda can create a token for a different user.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1133 | External Remote Services | Mafalda can establish an SSH connection from a compromised host to a server.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Mafalda can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Mafalda can encode data using Base64 prior to exfiltration.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Mafalda can execute shell commands using `cmd.exe`.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1112 | Modify Registry | Mafalda can manipulate the system registry on a compromised host.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1552.004 | Private Keys Sub-technique | Mafalda can collect a Chrome encryption key used to protect browser cookies.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1569.002 | Service Execution Sub-technique | Mafalda can create a remote service, let it run once, and then delete it.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1095 | Non-Application Layer Protocol | Mafalda can use raw TCP for C2.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Mafalda can place retrieved files into a destination directory.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1005 | Data from Local System | Mafalda can collect files and information from a compromised host.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mafalda can decrypt files and data.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1059.001 | PowerShell Sub-technique | Mafalda can execute PowerShell commands on a compromised machine.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | Mafalda can create a named pipe to listen for and send data to a named pipe-based C2 server.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1057 | Process Discovery | Mafalda can enumerate running processes on a machine.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1056 | Input Capture | Mafalda can conduct mouse event logging.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Mafalda can use HTTP for C2.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1049 | System Network Connections Discovery | Mafalda can use the |
| Enterprise | T1012 | Query Registry | Mafalda can enumerate Registry keys with all subkeys and values.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1217 | Browser Information Discovery | Mafalda can collect the contents of the `%USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState` file.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1113 | Screen Capture | Mafalda can take a screenshot of the target machine and save it to a file.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mafalda can send network system data and files to its C2 server.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Mafalda can encrypt its C2 traffic with RC4.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1082 | System Information Discovery | Mafalda can collect the computer name of a compromised host.CitationSentinelLabs Metador Sept 2022CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1105 | Ingress Tool Transfer | Mafalda can download additional files onto the compromised host.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1016 | System Network Configuration Discovery | Mafalda can use the `GetAdaptersInfo` function to retrieve information about network adapters and the `GetIpNetTable` function to retrieve the IPv4 to physical network address mapping table.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1033 | System Owner/User Discovery | Mafalda can collect the username from a compromised host.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1680 | Local Storage Discovery | Mafalda can enumerate all drives on a compromised host.CitationSentinelLabs Metador Sept 2022CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1134 | Access Token Manipulation | Mafalda can use `AdjustTokenPrivileges()` to elevate privileges.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1106 | Native API | Mafalda can use a variety of API calls.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1083 | File and Directory Discovery | Mafalda can search for files and directories.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1622 | Debugger Evasion | Mafalda can search for debugging tools on a compromised host.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.CitationSentinelLabs Metador Sept 2022CitationSentinelLabs Metador Technical Appendix Sept 2022 |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Mafalda has been obfuscated and contains encrypted functions.CitationSentinelLabs Metador Sept 2022 |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Mafalda can dump password hashes from `LSASS.exe`.CitationSentinelLabs Metador Technical Appendix Sept 2022 |
Groups, software, and campaigns
G1013: Metador
Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | a42b5039b3df… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
SentinelLabs Metador Sept 2022
Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
Open source URL -
[2]
mitre-attack S1060Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.