{
	"id": "230984b8-e40a-41a5-857f-6ff6d76d086f",
	"created_at": "2026-04-06T00:14:48.918967Z",
	"updated_at": "2026-04-10T13:13:09.931381Z",
	"deleted_at": null,
	"sha1_hash": "3693488d4a60024e669684b38299dea83a25e0ad",
	"title": "The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4390481,
	"plain_text": "The Mystery of Metador | An Unattributed Threat Hiding in\r\nTelcos, ISPs, and Universities\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2022-09-22 · Archived: 2026-04-05 16:37:26 UTC\r\nBy Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski\r\nExecutive Summary\r\nSentinelLABS researchers uncovered a never-before-seen advanced threat actor we’ve dubbed ‘Metador’.\r\nMetador primarily targets telecommunications, internet service providers, and universities in several\r\ncountries in the Middle East and Africa.\r\nThe operators are highly aware of operations security, managing carefully segmented infrastructure per\r\nvictim, and quickly deploying intricate countermeasures in the presence of security solutions.\r\nMetador’s attack chains are designed to bypass native security solutions while deploying malware\r\nplatforms directly into memory. SentinelLABS researchers discovered variants of two long-standing\r\nWindows malware platforms, and indications of an additional Linux implant.\r\nAt this time, there’s no clear, reliable sense of attribution. Traces point to multiple developers and operators\r\nthat speak both English and Spanish, alongside varied cultural references including British pop punk lyrics\r\nand Argentinian political cartoons.\r\nWhile Metador appears primarily focused on enabling collection operations aligned with state interests,\r\nwe’d point to the possibility of a high-end contractor arrangement not tied to a specific country.\r\nThis release is a call to action for threat intelligence researchers, service providers, and defenders to\r\ncollaborate on tracking an elusive adversary acting with impunity.\r\nRead the Full Report\r\nIntroduction\r\nThe term ‘Magnet of Threats’ is used to describe targets so desirable that multiple threat actors regularly\r\ncohabitate on the same victim machine in the course of their collection. 
In the process of responding to a series of\r\ntangled intrusions at one of these Magnets of Threats, SentinelLABS researchers encountered an entirely new\r\nthreat actor. We dubbed this threat actor ‘Metador’ in reference to the string “I am meta” in one of their malware\r\nsamples and the expectation of Spanish-language responses from the command-and-control servers.\r\nOur research on Metador was presented at the inaugural LABScon in Arizona. In this post, we offer a short\r\nsummary of our full findings, which include a detailed report, threat indicators, and an extensive Technical\r\nAppendix.\r\nMetador | Hiding in a Magnet of Threats\r\nhttps://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/\r\nPage 1 of 10\n\nThe Magnet of Threats in question contained a redundant layering of nearly ten (10) known threat actors of\r\nChinese and Iranian origin, including Moshen Dragon and MuddyWater. Among them, we noticed the use of an\r\nunusual LOLbin, the Microsoft Console Debugger cdb.exe. CDB was the root of an intricate infection chain\r\nthat would yield two in-memory malware platforms and indications of additional Linux implants.\r\nThe intrusions we uncovered were located primarily in telcos, ISPs, and universities in the Middle East and\r\nAfrica. We believe that we’ve only seen a small portion of the operations of what’s clearly a long-running threat\r\nactor of unknown origin.\r\nThroughout our analysis, we retrieved and analyzed examples of two different malware platforms used by\r\nMetador: ‘metaMain’ and ‘Mafalda’. These Windows-based platforms are intended to operate entirely in-memory\r\nand never touch disk in an unencrypted fashion, eluding native security products and standard Windows\r\nconfigurations with relative ease. 
The internal versioning of Mafalda suggests that this platform has been in use\r\nfor some time, and its adaptability during our engagement alone highlights active and continuing development.\r\nWe also found indications of additional implant(s):\r\n‘Cryshell’ – a custom implant used for bouncing connections in an internal network to external command-and-control servers, with support for custom port knocking sequences.\r\nUnknown Linux malware used to pilfer materials from other machines in the target environment and route\r\ntheir collection back to Mafalda.\r\nPart of the difficulty in tracking the breadth of Metador’s operations involves their strict adherence to\r\ninfrastructure segmentation. The attackers use a single IP per victim and build.\r\nAttributing Metador remains a garbled mystery. We encountered multiple languages, with diverse idiosyncrasies\r\nindicative of multiple developers. There are indications of a separation between developers and operators, and\r\ndespite a lack of samples, the version history for at least one of the platforms suggests a history of development\r\nthat extends far beyond the intrusions we’ve uncovered.\r\nTechnical Overview\r\nThe Magnet of Threats in question deployed our XDR solution after they’d been infected by Metador for several\r\nmonths. As such, we have no indication of the original infection vector employed in this or other infections.\r\nOnce on the target, the Metador operators can choose between multiple execution flows to load one or more of\r\ntheir modular frameworks. 
The execution flow used on our Magnet of Threats combines a WMI persistence\r\nmechanism with an unusual LOLbin in order to kick off the decryption of a multi-mode, in-memory implant we\r\nnamed ‘metaMain’.\r\nmetaMain is a feature-rich backdoor, but in this case the Metador operators used the metaMain implant to decrypt\r\na subsequent modular framework called ‘Mafalda’ into memory.\r\nMafalda is a flexible interactive implant, supporting over 60 commands. It appears to be a highly-valuable asset to\r\nthe Metador operators, with newer variants exhibiting intense obfuscation making them challenging to analyze.\r\nMetador’s multi-framework execution flow\r\nThe Many Supported Execution Flows of metaMain\r\nmetaMain is an implant framework used to maintain long-term access to compromised machines. It provides\r\noperators with extensive functionality, like keyboard and mouse event logging, screenshot theft, file download and\r\nupload, and the ability to execute arbitrary shellcode.\r\nThe backdoor is keenly aware of its own execution context and runs in one of two modes as a result. The\r\ndevelopers designate these modes by writing out either “I am meta” or “I am main” to a log. We chose to name the\r\nplatform ‘metaMain’ in reference to these two modes.\r\nmetaMain supports multiple start_methods (i.e., execution flows), with the backdoor’s operations differing\r\nslightly per method. The methods supported are CDB_DEBUGGER, HKCMD_SIDELOADING, and\r\nKL_INJECTED. We briefly describe CDB_DEBUGGER below, the execution flow seen on our Magnet of\r\nThreats. 
A fuller description of this and additional start_methods, configuration artifacts, and supported commands\r\nis available in the full report.\r\nThe CDB_DEBUGGER start_method\r\nAs the name suggests, this execution scheme relies on CDB, the Microsoft Console Debugger, to carry out the\r\nexecution process. Within this method, there are two possible variations based on whether the implant is invoked\r\nin meta- or main-mode. We witnessed its use in meta-mode, turning the metaMain implant into a glorified loader\r\nfor a Mafalda implant.\r\nIn this case, metaMain’s persistence relies on the abuse of WMI Event Subscriptions. The operators register an\r\nevent consumer named hard_disk_stat. (Permanent subscriptions live in the WMI repository under the root\\subscription namespace as an __EventFilter, an __EventConsumer and the __FilterToConsumerBinding that ties them together; they survive reboots and are a natural hunting target.)\r\nThe hard_disk_stat event consumer\r\nFive to six minutes after booting up, the event triggers the execution of a LOLbin, cdb.exe.\r\nWMI Event Subscription\r\nThe attackers used the following command line:\r\ncdb.exe -cf c:\\windows\\system32\\cdb.ini c:\\windows\\system32\\defrag.exe -module fcache13.db\r\nThe cdb.exe command line\r\nA debugging script, cdb.ini, is used to inject a small amount of shellcode into the debugged process in order to\r\nload metaMain. The shellcode reads, decrypts, and executes metaMain’s reflective DLL Loader from\r\nc:\\windows\\system32\\Speech\\Speech02.db. The DLL’s sole purpose is to then read, decrypt, and load the\r\nmetaMain orchestrator, stored as Speech03.db.\r\nWhen invoked in meta-mode, metaMain serves as a loader for the payload provided as an argument following -module. 
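The cdb.exe loader chain above is a good hunting target because a console debugger driven by a script file (-cf) against an OS binary, launched by a WMI event subscription, has almost no benign look-alikes. The following is an added example written for this page, not Metador or SentinelLABS code: it parses cdb.exe command lines and scores process-creation records. The Sysmon-like field names (pid, parent_image, cmdline), the records themselves, the System32 heuristics and the assumption that a CommandLineEventConsumer's child is spawned by WmiPrvSE.exe are all this example's own.

```python
# Added hunting example; not Metador or SentinelLABS code. Flags process-creation
# records where cdb.exe is driven by a script file (-cf) against a target binary,
# the loader pattern described above. Event field names are an assumption
# (Sysmon-like), and every record below is constructed for this example.
import ntpath
import shlex
from typing import Optional

# cdb options that consume the next token; needed to locate the debuggee.
OPTS_WITH_ARG = {'-cf', '-c', '-y', '-i', '-srcpath', '-p', '-pn', '-z', '-logo', '-loga'}

def parse_cdb(cmdline: str) -> Optional[dict]:
    '''Split a cdb.exe command line into script file, debuggee and debuggee args.'''
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped by hand.
    argv = [t.strip('\"') for t in shlex.split(cmdline, posix=False)]
    if not argv or ntpath.basename(argv[0]).lower() != 'cdb.exe':
        return None
    info = {'script': None, 'target': None, 'target_args': []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if info['target'] is not None:
            info['target_args'].append(tok)   # everything after the debuggee is its argv
        elif tok.lower() == '-cf' and i + 1 < len(argv):
            info['script'] = argv[i + 1]
            i += 1
        elif tok.lower() in OPTS_WITH_ARG:
            i += 1                            # skip the option's parameter
        elif not tok.startswith('-'):
            info['target'] = tok              # first bare token is the debuggee
        i += 1
    return info

def in_system32(path: Optional[str]) -> bool:
    '''True when the file sits directly in a System32 directory (heuristic, this example's own).'''
    return bool(path) and ntpath.dirname(path).lower().endswith('system32')

def analyze(event: dict) -> Optional[dict]:
    '''Score one process-creation record; None if it is not a cdb.exe launch.'''
    info = parse_cdb(event['cmdline'])
    if info is None:
        return None
    reasons = []
    if in_system32(info['script']):
        reasons.append('debugger script stored in System32')
    if in_system32(info['target']):
        reasons.append('debuggee is an OS binary in System32')
    # Assumption: a CommandLineEventConsumer is run by WmiPrvSE.exe, so that parent
    # marks a WMI event subscription as the launcher.
    if ntpath.basename(event['parent_image']).lower() == 'wmiprvse.exe':
        reasons.append('spawned by WmiPrvSE.exe (WMI event subscription)')
    return {'pid': event['pid'], 'reasons': reasons,
            'severity': 'high' if len(reasons) >= 2 else 'low'}

# Constructed records (not real telemetry). The first mirrors the command line above;
# the second is a developer debugging their own build; the third is not cdb at all.
SAMPLE_EVENTS = [
    {'pid': 4120, 'parent_image': 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe',
     'cmdline': 'cdb.exe -cf c:\\windows\\system32\\cdb.ini c:\\windows\\system32\\defrag.exe -module fcache13.db'},
    {'pid': 5532, 'parent_image': 'C:\\Windows\\explorer.exe',
     'cmdline': 'cdb.exe -g -G D:\\Dev\\myapp.exe --selftest'},
    {'pid': 6001, 'parent_image': 'C:\\Windows\\explorer.exe',
     'cmdline': 'notepad.exe D:\\Dev\\main.c'},
]

def hunt(events=SAMPLE_EVENTS) -> list:
    '''Return only the high-severity findings.'''
    return [f for f in map(analyze, events) if f and f['severity'] == 'high']

if __name__ == '__main__':
    for f in hunt():
        print(f['pid'], '; '.join(f['reasons']))
```

The script and debuggee paths are scored separately so that a developer running cdb.exe with a -cf script from their own directory stays low, while the observed line (script in System32, defrag.exe as debuggee, WmiPrvSE.exe as parent) collects all three reasons. Hosts running the Debugging Tools for Windows legitimately will still need an allow-list keyed on parent process and script location.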
In our observed case, the executed module was fcache13.db, an encrypted Mafalda payload.\r\nmain and meta execution modes\r\nMafalda Backdoor Overview\r\nThe Mafalda implant extends the backdoor functionalities that metaMain provides and is an actively maintained,\r\nongoing project. We observed two variants of the Mafalda backdoor:\r\n‘Mafalda Clear Build 144’ – compiled with a timestamp of April 2021\r\n‘Obfuscated Mafalda variant’ – compiled with a timestamp of December 2021\r\nThe newer Obfuscated Mafalda variant extends the number of supported commands from 54 to 67 and is rife with\r\nanti-analysis techniques that make analysis extremely challenging.\r\nInterestingly, we noted that Mafalda prints encrypted debugger messages if the name of the host is WIN-K4C3EKBSMMI, possibly indicating the name of the computer used by the developers.\r\nEncrypted debugger messages\r\nIf Mafalda successfully establishes a connection to the C2 server, it builds and sends an initial packet containing\r\ninformation about the host environment and the version of Mafalda being run. 
Mafalda then executes in a loop,\r\nexchanging packets with the C2 server.\r\nEach packet is of a given type and subtype, uniquely identified by identification numbers, internally referred to as\r\nouter OPC and inner OPC, respectively:\r\nPacket of type 0x71 has no impact on the operation of Mafalda.\r\nPacket of type 0x72 instructs Mafalda to exit the loop and reconnect to the C2 after a sleep period.\r\nPacket of type 0x73 instructs Mafalda that the packet has a subtype:\r\nSubtype 0x81 or 0x82 instructs Mafalda to execute the backdoor command with the command\r\nidentification number stored in the packet.\r\nAny other subtype instructs Mafalda to exit the loop and reconnect to the C2 after a sleep period.\r\nOverview of Mafalda Backdoor operation\r\nMafalda Backdoor Commands\r\nThe Mafalda backdoor has a total of 67 commands, with 13 of these added in the newer variant, indicating that the\r\nMafalda implant is a maintained, ongoing project.\r\nThe full unobfuscated list of commands, along with the developer’s descriptions, is available from our full\r\nreport. 
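The outer/inner OPC dispatch described in the Mafalda Backdoor Overview above is the part of the protocol an analyst needs to reproduce first, whether for a C2 emulator or a test harness. The following is an added model written for this page, not Mafalda's code and not from SentinelLABS. The page does not give the wire format, so a packet is represented as the tuple (outer OPC, inner OPC, command ID); the handling of outer OPCs other than 0x71, 0x72 and 0x73, and of command IDs with no handler, is not stated on the page and is an assumption here. The command handlers only record that they ran.

```python
# Added model of the Mafalda dispatch loop described above; not the implant's code
# and not from SentinelLABS. The wire format is not given on the page, so a packet
# is modelled as the tuple (outer_opc, inner_opc, command_id); only the dispatch
# rules for 0x71/0x72/0x73 and subtypes 0x81/0x82 come from the report.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OUTER_NOOP, OUTER_RECONNECT, OUTER_SUBTYPED = 0x71, 0x72, 0x73
INNER_EXEC = {0x81, 0x82}

Packet = Tuple[int, Optional[int], Optional[int]]

@dataclass
class Session:
    executed: List[int] = field(default_factory=list)  # command IDs run in this loop
    unknown: List[int] = field(default_factory=list)   # IDs that had no handler
    consumed: int = 0                                   # packets read before leaving
    exit_reason: str = ''

def dispatch(pkt: Packet) -> tuple:
    '''Map one packet to ('noop',), ('exec', cmd_id) or ('reconnect', why).'''
    outer, inner, cmd = pkt
    if outer == OUTER_NOOP:
        return ('noop',)
    if outer == OUTER_RECONNECT:
        return ('reconnect', 'outer 0x72')
    if outer == OUTER_SUBTYPED:
        if inner in INNER_EXEC:
            return ('exec', cmd)
        return ('reconnect', 'unknown inner OPC %r' % (inner,))
    # Assumption: the page does not say how other outer OPCs are handled; dropping
    # the session is the conservative reading.
    return ('reconnect', 'unknown outer OPC %r' % (outer,))

def run_loop(packets: List[Packet], handlers: Dict[int, Callable[[], None]]) -> Session:
    '''Consume packets in order, as Mafalda's loop does, until a reconnect is due.'''
    s = Session()
    for pkt in packets:
        s.consumed += 1
        action = dispatch(pkt)
        if action[0] == 'noop':
            continue
        if action[0] == 'exec':
            cmd = action[1]
            if cmd in handlers:
                s.executed.append(cmd)
                handlers[cmd]()
            else:
                s.unknown.append(cmd)   # assumption: an unknown ID is ignored, not fatal
            continue
        s.exit_reason = action[1]     # reconnect after a sleep; sleeping is the caller's job
        break
    else:
        s.exit_reason = 'stream ended'
    return s

# Constructed stream: keep-alive, two commands, reconnect, then one packet the loop
# must never read because 0x72 ended the session.
SAMPLE_STREAM: List[Packet] = [
    (OUTER_NOOP, None, None),
    (OUTER_SUBTYPED, 0x81, 55),
    (OUTER_SUBTYPED, 0x82, 63),
    (OUTER_RECONNECT, None, None),
    (OUTER_SUBTYPED, 0x81, 60),
]

def demo() -> Session:
    log: List[str] = []
    # Command numbers follow the report's list; the bodies only record that they ran.
    handlers = {55: lambda: log.append('copy'),
                60: lambda: log.append('chrome local state'),
                63: lambda: log.append('recon')}
    return run_loop(SAMPLE_STREAM, handlers)

if __name__ == '__main__':
    print(demo())
```

Separating dispatch (pure function of one packet) from the loop makes the two observable facts from the report easy to assert on: a 0x72 packet, or a 0x73 packet with any subtype other than 0x81/0x82, stops consumption, while 0x71 packets are skipped without affecting state.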
Some of the more interesting commands only available in the newer Mafalda variant include:\r\nCommand 55 – Copies a file or directory from an attacker-provided source filesystem location to an\r\nattacker-provided destination file system location.\r\nCommand 60 – Reads the content of\r\n%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\r\nand sends the content to the C2 with a name prefixed with loot\\. (This file holds Chrome’s DPAPI-protected encryption key, which is needed to decrypt the browser’s stored cookies and passwords offline.)\r\nCommand 63 – Conducts network and system configuration reconnaissance\r\nCommand 67 – Retrieves data from another implant that resides in the victim’s network and sends the data\r\nto the C2\r\nThe functionalities of the backdoor commands have a very broad scope and include credential theft, data and\r\ninformation theft, command execution, system registry and file system manipulation, and Mafalda\r\nreconfiguration.\r\nCryshell and Additional Implants\r\nWhen the TCP KNOCK communication method is enabled, the metaMain and Mafalda implants can establish an\r\nindirect connection to the C2 server through another implant. On Windows systems, this implant is internally\r\nreferred to as ‘Cryshell’. metaMain and Mafalda authenticate themselves to Cryshell through a port-knocking and\r\nhandshake procedure.\r\nMafalda authenticates itself to Cryshell\r\nMafalda also supports retrieval of data from Linux machines with another implant that sends data to the C2 as part\r\nof a packet with a name prefixed with loot_linux\\. 
Though it’s possible that this unnamed Linux implant and\r\nCryshell are the same, Mafalda authenticates itself to the Linux implant through a different port-knocking and\r\nhandshake procedure.\r\nInfrastructure\r\nIn all Metador intrusions we’ve observed, the operators use a single external IP address per victim network. That\r\nIP is utilized for command-and-control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda). In all\r\nconfirmed instances, the servers were hosted on LITESERVER, a Dutch hosting provider.\r\nIn addition to HTTP, external Mafalda C2 servers also support raw TCP connections over port 29029. We also\r\nobserved some of Metador’s infrastructure hosting an SSH server on an unusual port. While SSH is commonly used\r\nfor remote access to *nix systems, we find it hard to believe that a mature threat actor would expose their\r\ninfrastructure in such a way. Instead, it’s likely those were used to tunnel traffic through Mafalda’s internal\r\nportfwd commands.\r\nWe were able to identify one additional server we believe is operated by Metador actors, also hosted on Liteserver\r\n– 5.2.78[.]14. This IP hosts what appears to be a malicious domain, networkselfhelp[.]com, which might\r\nhave been used as a C2 for Metador intrusions. If so, it’s an indication that Metador operators not only utilize IPs\r\nfor their intrusions, but also domains.\r\nAttribution\r\nThe limited number of intrusions and long-term access to targets suggests that the threat actor’s primary motive is\r\nespionage. 
Moreover, the technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks.\r\nMetador was observed mainly in Telecoms, Internet Service Providers (ISP), and Universities in the Middle East\r\nand Africa, and appears intended to provide long-term access in multiple redundant ways.\r\nMafalda internal documentation suggests the implant is maintained and developed by a dedicated team, leaving\r\ncomments for a separate group of operators.\r\nConclusion\r\nRunning into Metador is a daunting reminder that a different class of threat actors continues to operate in the\r\nshadows with impunity. Previous threat intelligence discoveries have broadened our understanding of the kind of\r\nthreats that are out there but so far, our collective ability to track these actors remains inconsistent at best.\r\nDevelopers of security products in particular should take this as an opportunity to proactively engineer their\r\nsolutions towards monitoring for the most cunning, well-resourced threat actors. 
High-end threat actors are\r\nthriving in a market that primarily rewards compliance and perfunctory detections.\r\nFrom the perspective of the threat intelligence research community, we are deeply grateful for the contributions of\r\nthe research teams and service providers who have willingly shared their expertise and telemetry for this research.\r\nWe hope that this publication will incentivize further collaboration and provide us with answers to the mystery of\r\nMetador, and to that end we urge interested researchers to read the full version of this report, where a list of\r\nIndicators of Compromise can also be found, and its extended Technical Appendix.\r\nRead the Full Report\r\nSource: https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/"
	],
	"report_names": [
		"the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df299f24-89cb-47e3-9515-c018bb501443",
			"created_at": "2023-11-21T02:00:07.383392Z",
			"updated_at": "2026-04-10T02:00:03.473887Z",
			"deleted_at": null,
			"main_name": "Moshen Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Moshen Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba626326-d049-472c-ba57-b64943d96dc2",
			"created_at": "2023-11-05T02:00:08.075744Z",
			"updated_at": "2026-04-10T02:00:03.398399Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [],
			"source_name": "MISPGALAXY:Metador",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "afa52232-4252-4c67-ac65-6e60eb113fde",
			"created_at": "2023-04-26T02:03:03.138144Z",
			"updated_at": "2026-04-10T02:00:05.366656Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [
				"Metador"
			],
			"source_name": "MITRE:Metador",
			"tools": [
				"metaMain",
				"Mafalda"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3693488d4a60024e669684b38299dea83a25e0ad.pdf",
		"text": "https://archive.orkl.eu/3693488d4a60024e669684b38299dea83a25e0ad.txt",
		"img": "https://archive.orkl.eu/3693488d4a60024e669684b38299dea83a25e0ad.jpg"
	}
}