>samit_hota
Back to adversary profiles
G1013HighActive

Metador (G1013): An Elusive Cyber Espionage Group

Samit Hota·
Suspected Origin
Unknown
Motivation
Espionage
Aliases
None documented
Target Sectors
Telecommunications, Internet Service Providers, Academia
Associated Malware
metaMain, Mafalda, Cryshell, cdb.exe
#threat-actor#g1013

Overview

Metador (G1013) is a highly skilled and elusive cyber espionage group that first came to public attention in September 2022, though evidence suggests their operations have been ongoing since at least late 2020. This group primarily focuses on long-term intelligence gathering, meticulously targeting telecommunication companies, internet service providers (ISPs), and academic institutions across the Middle East and Africa. Their motivation appears to be pure cyber espionage, aligning with state-level interests, though direct attribution to a specific nation-state remains a “garbled mystery.” Security researchers, noting their sophisticated custom malware and rigorous operational security (OpSec), speculate that Metador may operate as a high-end contractor rather than a direct government entity.

The group’s name, “Metador,” is derived from the string “I am meta” found within one of their malware samples and the expectation of Spanish-language responses from their command-and-control (C2) servers. Further cultural references, such as British pop-punk lyrics and an Argentinian political cartoon, hint at a diverse, possibly Spanish-speaking, developer and operator base. A distinguishing characteristic of Metador is their exceptional OpSec, which has allowed them to evade detection for extended periods and segment their infrastructure meticulously for each victim.

Tactics & Techniques

Metador’s operational approach combines rudimentary, “living-off-the-land” (LOLBins) techniques with advanced, carefully executed methods to achieve persistent access and minimize their footprint. While their initial infection vector often remains undiscovered, once inside a network, Metador demonstrates a clear understanding of system internals and security evasion.

For persistence and execution, Metador frequently leverages Windows Management Instrumentation (WMI) event subscriptions in conjunction with unusual LOLBins such as cdb.exe (Microsoft’s Console Debugger). This debugger is notably employed to decrypt and load their custom malware platforms directly into memory, a significant defense evasion tactic. By operating entirely in-memory and avoiding disk writes in an unencrypted state, they make static analysis and traditional signature-based detection extremely challenging. The group is also known to quickly delete LOLBins like cdb.exe after successful malware deployment to remove indicators of their presence. Their malware, particularly Mafalda, utilizes multi-layered obfuscation, further complicating analysis. Metador also employs encrypted payloads, another technique to avoid detection.

In terms of command and control (C2), Metador maintains stringent infrastructure segmentation, dedicating a single external IP address per victim network. They utilize both HTTP and raw TCP protocols for C2 communications, with servers hosted by a Dutch provider. Furthermore, they have been observed using a custom Linux implant, Cryshell, for bouncing connections within internal networks to external C2 servers, featuring support for custom port knocking sequences to enhance stealth.

Once established, Metador’s implants enable extensive data collection capabilities. Their Mafalda implant can read directory contents, manipulate system registries, and inspect compromised systems for valuable information. The group aims for long-term access, allowing them to log keystrokes, take screenshots, perform various file operations, download and upload arbitrary files, and execute shellcode, all in support of their espionage objectives. Their ability to rapidly deploy intricate countermeasures when security solutions are detected highlights their adaptability and advanced operational security.

Notable Campaigns

While no specific named campaigns beyond their initial discovery have been publicly detailed, Metador’s operations are characterized by a limited number of intrusions focused on high-value targets. The group’s activities were first uncovered by SentinelLabs during an analysis of a telecommunication company’s network in the Middle East. Intriguingly, this network was already compromised by several other advanced persistent threat (APT) groups, including state-sponsored entities like Iran’s MuddyWater and China’s Moshen Dragon. This observation suggests that Metador targets highly desirable organizations and, notably, does not prioritize “deconfliction,” meaning they are seemingly unconcerned with cohabiting a network already infested by other adversarial groups. This is a notable deviation from the typical behavior of many nation-state actors who often try to avoid overlapping operations.

Associated Malware & Tools

Metador employs a sophisticated arsenal of custom-developed malware, all designed with a strong emphasis on in-memory operation and evasion.

  • metaMain: This is a Windows-based backdoor that functions entirely in memory. It provides the operators with a rich set of features, including the ability to log keystrokes, capture screenshots, perform file manipulation, download and upload arbitrary files, and execute shellcode. metaMain also serves as the initial dropper and loader for the more advanced Mafalda implant.
  • Mafalda (aka Metatron): Considered a cornerstone of Metador’s toolkit, Mafalda is a highly flexible, interactive, and modular Windows implant that also operates exclusively in memory. It supports a wide array of commands—up to 67 in observed variants—enabling extensive capabilities such as file operations, registry manipulation, system inspection, credential theft, network reconnaissance, and data exfiltration to the C2 server. Researchers note that Mafalda is under active and continuous development, with newer variants featuring intense obfuscation to hinder analysis.
  • Cryshell: This is a custom Linux implant designed for sophisticated C2 operations. Cryshell’s primary function is to bounce connections within an internal network to external C2 servers, utilizing custom port knocking sequences to establish covert communication channels.
  • Unknown Linux Malware: Alongside Cryshell, researchers identified indications of other Linux malware. This implant is believed to be used for collecting materials from compromised Linux environments and funneling them back to Mafalda for exfiltration.
  • cdb.exe: While not malicious in itself, Microsoft’s Console Debugger (cdb.exe) is a legitimate living-off-the-land binary that Metador abuses. They use it as a loader to decrypt and load their metaMain and Mafalda implants directly into system memory, effectively bypassing many traditional security solutions that monitor for suspicious executable files.

Current Status

Metador remains an active and formidable threat. The ongoing development and maintenance of their sophisticated malware platforms, particularly Mafalda, clearly indicate sustained operations. The group’s entry in the MITRE ATT&CK knowledge base, last modified in April 2024, further solidifies its current relevance and the ongoing monitoring by the cybersecurity community. Although initially reported in late 2022, Metador had already been operating for at least two years prior to its public discovery, showcasing a remarkable ability to remain undetected. Their continued focus on meticulous operational security, including segmented infrastructure and in-memory execution, makes them exceptionally challenging to track and analyze. The discovery of Metador serves as a stark reminder that a class of well-resourced and highly adept threat actors continues to operate in the shadows, traversing networks with impunity.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call