{
	"id": "cfb57631-2078-4c5f-8ba3-fe6caad92d23",
	"created_at": "2026-04-06T00:08:13.331665Z",
	"updated_at": "2026-04-10T03:37:19.416998Z",
	"deleted_at": null,
	"sha1_hash": "6308795722c04e3e8c7ae29a7a7ca013535a20ee",
	"title": "The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2263042,
	"plain_text": "The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis\r\nTechniques\r\nBy Aleksandar Milenkoski\r\nPublished: 2022-12-01 · Archived: 2026-04-05 17:22:57 UTC\r\nOverview\r\nAt the inaugural LabsCon, we unveiled Metador,  a previously unreported threat actor that targets\r\ntelecommunications, internet service providers, and universities in the Middle East and Africa. We observed\r\nMetador using two versions of a feature-rich backdoor, dubbed ‘Mafalda’, one of which features anti-analysis\r\ntechniques to make analysis challenging.\r\nIn this article, we provide a deep dive into the anti-analysis techniques that Mafalda implements. This article\r\ncomplements our previous report on Metador and offers a deeper understanding of how Mafalda tries to hinder\r\nanalysis and make detection and attribution more challenging for analysts.\r\nThe implementation of Mafalda suggests that the malware is maintained and developed by a dedicated team.\r\nMafalda includes comprehensive backdoor command documentation with comments for a separate group of\r\noperators. In addition, Mafalda implements an execution log that the malware maintains when it runs on an\r\ninfected system. The log provides detailed information about the execution of the malware on the system and\r\ntherefore is a rich resource to analysts. Our previous report discusses the functionalities of Mafalda in greater\r\ndetail.\r\nThroughout our analysis, we retrieved and analyzed two variants of Mafalda, which we refer to as  ‘Mafalda clear\r\nbuild 144’ (compiled with a timestamp of April 2021) and its successor,  ‘obfuscated Mafalda variant’ (compiled\r\nwith a timestamp of December 2021). 
The newer, obfuscated Mafalda variant extends the backdoor\r\nfunctionalities that the older variant provides and implements the anti-analysis techniques that we cover in this\r\narticle.\r\nString Obfuscation\r\nMafalda uses obfuscated strings for different purposes, for example, to dynamically resolve library function\r\naddresses through library and library export names, or to store content in the execution log that Mafalda\r\nmaintains. Mafalda obfuscates strings by:\r\nSplitting the strings into multiple portions, with a maximum portion length of 9 characters.\r\nEncrypting and encoding each string portion. Mafalda encodes a portion of an obfuscated string using the\r\nbitmask 0x7F and XOR-encrypts the portion using a portion-specific XOR key of one byte.\r\nTherefore, to restore an obfuscated string into a valid string, Mafalda first decodes and decrypts each of the\r\nstring’s portions, and then concatenates the string portions together. Because each portion carries its own key,\r\nno single XOR key recovers a whole string, and the 0x7F mask means the decoder discards bit 7 of every stored\r\nbyte, so a re-implementation has to apply the mask rather than rely on the XOR alone.\r\nhttps://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/\r\nPage 1 of 11\n\nThe figure below depicts a snippet of the function that Mafalda executes to decode and decrypt a portion of an\r\nobfuscated string (a2 is a portion of an obfuscated string, v2 is an XOR key).\r\nMafalda’s function for decoding and decrypting string portions\r\nString Encryption\r\nIn addition to the string obfuscation approach, Mafalda works with encrypted versions of strings that may\r\nrepresent an information source to malware analysts. Such strings include segments of the execution log and\r\ndebugger messages that Mafalda generates.\r\nWe noted that Mafalda prints encrypted debugger messages if the name of the computer where it executes is\r\nWIN-K4C3EKBSMMI, possibly indicating the name of the computer used by the developers.\r\nEncrypted debugger messages\r\nIn contrast to the Mafalda clear build 144, the obfuscated Mafalda variant writes encrypted strings to its execution\r\nlog. 
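The portion-wise scheme described under String Obfuscation above, worked through in Python as an added example; this is editorial code, not code from the article or from Mafalda. The article supplies the facts it relies on (portions of at most 9 characters, a one-byte XOR key per portion, a 0x7F mask). The order of the XOR and the mask, the container layout in which a portion is stored, the sample strings and the keys are assumptions made for the example. Decoding a portion with a wrong key models what the function parameter obfuscation discussed later does to an emulator that is steered down the wrong branch.

```python
# Added example, not code from the article or from Mafalda: a model of the
# portion-wise string obfuscation described under String Obfuscation, and the
# decoder an analyst would write to recover such strings from a dump without
# emulating the implant. Taken from the article: portions of at most 9
# characters, one XOR key byte per portion, a 0x7F mask. Assumed here (the
# article does not say): XOR first, then mask, and the container layout
# (key byte, length byte, encoded bytes) used to store a portion.
from typing import List, Tuple

MAX_PORTION = 9               # maximum characters per portion (article)
MASK = 0x7F                   # mask applied when decoding (article)
Portion = Tuple[int, bytes]   # (xor key, encoded bytes)


def split_portions(text: str, max_len: int = MAX_PORTION) -> List[str]:
    # Consecutive portions of at most max_len characters.
    return [text[i:i + max_len] for i in range(0, len(text), max_len)]


def encode_portion(plain: str, key: int) -> bytes:
    # XOR each ASCII character with the portion key. Bit 7 of every other
    # stored byte is forced high as junk: the decoder masks it away, so the
    # producer may use it freely, and a single-byte-XOR brute force that does
    # not apply the mask will not line up with the plaintext.
    out = bytearray()
    for i, ch in enumerate(plain):
        b = (ord(ch) ^ key) & 0xFF
        out.append(b | 0x80 if i % 2 else b & 0x7F)
    return bytes(out)


def decode_portion(data: bytes, key: int) -> str:
    # Assumed inverse: XOR with the portion key, then keep the low 7 bits.
    return ''.join(chr((b ^ key) & MASK) for b in data)


def obfuscate(text: str, keys: List[int]) -> List[Portion]:
    # One key per portion; keys beyond the number of portions are ignored.
    parts = split_portions(text)
    if len(keys) < len(parts):
        raise ValueError('need one key per portion')
    return [(k & 0xFF, encode_portion(p, k & 0xFF)) for p, k in zip(parts, keys)]


def deobfuscate(portions: List[Portion]) -> str:
    # The article's procedure: decode and decrypt each portion, then concatenate.
    return ''.join(decode_portion(data, key) for key, data in portions)


def pack(portions: List[Portion]) -> bytes:
    # Assumed container layout: key byte, length byte, encoded bytes, repeated.
    return b''.join(bytes([key, len(data)]) + data for key, data in portions)


def unpack(blob: bytes) -> List[Portion]:
    # Parse the container back into portions, rejecting truncated or oversized ones.
    portions, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError('truncated portion header')
        key, n = blob[i], blob[i + 1]
        data = blob[i + 2:i + 2 + n]
        if n > MAX_PORTION or len(data) != n:
            raise ValueError('truncated or oversized portion')
        portions.append((key, data))
        i += 2 + n
    return portions


# Constructed samples: the library and export names the article shows being
# resolved (kernel32, Sleep) and a longer constructed log string that needs
# three portions. The keys are arbitrary.
SAMPLES = {
    'kernel32': pack(obfuscate('kernel32', [0x5A])),
    'Sleep': pack(obfuscate('Sleep', [0x13])),
    'execution log: connected': pack(obfuscate('execution log: connected', [0xC7, 0x2E, 0x91])),
}

if __name__ == '__main__':
    for expected, blob in SAMPLES.items():
        print(repr(deobfuscate(unpack(blob))), '==', repr(expected))
    # What a misled emulator produces: the right bytes with the wrong key.
    key, data = unpack(SAMPLES['kernel32'])[0]
    print('wrong key ->', repr(decode_portion(data, key ^ 0x21)))
```

Run stand-alone, the block prints each sample recovered from its packed form, then one portion decoded with a key that differs from the right one in its low bits, which yields the kind of junk the article shows for a misled emulator. Because every portion has its own key, a single-key XOR brute force over a whole string will only ever line up nine characters at a time.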
Given that this log provides extensive information about the operation of the malware, encrypting the\r\nexecution log serves to hinder analysis.\r\nEncrypted (top) and plain text (bottom) Mafalda execution log\r\nWe did not discover evidence of functionality within Mafalda for decrypting the strings it encrypts. This suggests\r\nthat string decryption takes place at Metador’s command-and-control servers – a simple yet effective technique\r\nfor hindering analysis.\r\nFunction Parameter Obfuscation\r\nMafalda often obfuscates numerical function parameters: rather than passing constants, it computes the parameter\r\nvalues immediately before the call using arithmetic and bitwise operations. In a second form, it first computes a\r\nvalue using arithmetic and bitwise operations and compares it against a predefined value. Depending on whether\r\nthe two match, one branch assigns the correct values to the obfuscated parameters and the other branch assigns\r\nwrong values. At runtime only one of the two branches executes, but a tool that explores both sees both sets of\r\nvalues.\r\nMafalda applies this obfuscation approach when it executes the function that the implant uses to decode and\r\ndecrypt portions of obfuscated strings (labeled j_str_resolve_sub_18014FE4D in the figure below).\r\nFunction parameter obfuscation; v53 is a portion of an obfuscated string\r\nThis obfuscation technique may direct emulation tools to wrong execution branches and function parameter values\r\n– analysts may use emulation to automate the decryption and decoding of portions of obfuscated strings across the\r\nwhole implementation of Mafalda. For example, the iterateAllPaths feature of the flare-emu tool attempts to\r\nemulate all execution paths to a given function and the function itself. 
For automated deobfuscation, malware\r\nanalysts typically use this feature to emulate functions that deobfuscate strings at runtime. When we used the\r\niterateAllPaths function to emulate j_str_resolve_sub_18014FE4D, Mafalda often directed the tool to the\r\nwrong values of the function’s obfuscated parameters. This resulted in incorrect string decoding and decryption. In\r\nthe figure below, rn and 9 are incorrectly decoded and decrypted strings.\r\nIncorrect string decoding and decryption\r\nHowever, when we used the flare-emu emulateRange functionality for emulating only specific implementation\r\nregions in which Mafalda invokes j_str_resolve_sub_18014FE4D, the tool was more accurate in assigning\r\ncorrect function parameter values, which is what one would expect: it follows a single concrete path through the\r\nparameter computation and its comparison rather than enumerating every path into the function. This resulted in\r\ncorrect string decoding and decryption. In the figure below, Sleep and kernel32 are correctly decoded and\r\ndecrypted strings – Mafalda uses these strings to invoke the Sleep function that is implemented in the kernel32.dll\r\nlibrary file.\r\nCorrect string decoding and decryption\r\nExecution Flow Obfuscation\r\nThe compiled code of the implant is obfuscated at the implementation level: it consists of non-obfuscated code\r\nsegments interleaved with obfuscated ones. Most of the non-obfuscated code segments are functions that\r\nimplement Mafalda functionalities. The obfuscated code segments contain heavily obfuscated code that serves\r\nno purpose but to confuse analysis tools and increase cognitive load.\r\nIn most cases, Mafalda directs execution to the obfuscated code segments through thunk functions – functions that\r\nimplement only a single JMP (jump) instruction that directs execution to a destination location. An obfuscated\r\ncode segment ultimately returns execution to a location that is in the relative vicinity of the appropriate thunk\r\nfunction. 
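The thunk-and-trampoline pattern just described, together with the purposeless instructions, opaque predicates and unconditional jump obfuscations catalogued in the sections that follow, as an added example in Python: editorial code, not code from the article or from Mafalda. It walks a constructed listing (the addresses, the instruction sequence and the listing format are ours) from a thunk through an obfuscated segment to the prologue of the real function, deciding each opaque branch from the flags that cmp p, p leaves behind, folding complementary jump pairs, following JMP chains and dropping the junk. The flag rules are those of the x86 cmp instruction; everything else is assumed for the example.

```python
# Added example, not code from the article or from Mafalda. A pass over a
# constructed x86-64 listing that undoes the patterns the next sections list:
# it computes the flags cmp p, p leaves behind and so decides each opaque
# conditional jump statically, folds a complementary pair (JP/JNP, JS/JNS,
# JB/JNB to one target) into one jump, follows JMP trampoline chains to their
# final destination, and skips purposeless instructions (adjacent pairs only).
from typing import Dict, List, NamedTuple, Optional, Tuple


class Insn(NamedTuple):
    addr: int
    mnem: str
    ops: Tuple[str, ...] = ()


COND = {  # conditional jump -> (flag it tests, flag value on which it is taken)
    'jz': ('ZF', 1), 'je': ('ZF', 1), 'jnz': ('ZF', 0), 'jne': ('ZF', 0),
    'jp': ('PF', 1), 'jnp': ('PF', 0), 'js': ('SF', 1), 'jns': ('SF', 0),
    'jb': ('CF', 1), 'jnb': ('CF', 0)}
PAIRS = (('xchg', 'xchg'), ('bswap', 'bswap'), ('push', 'pop'), ('pushfq', 'popfq'))


def cmp_flags(a: int, b: int, bits: int = 64) -> Dict[str, int]:
    # Flags produced by cmp a, b, which computes a - b and discards the result.
    mask, top = (1 << bits) - 1, bits - 1
    a, b, res = a & mask, b & mask, (a - b) & mask
    return {'ZF': int(res == 0), 'SF': (res >> top) & 1, 'CF': int(a < b),
            'OF': int(bool((a ^ b) >> top & 1) and bool((a ^ res) >> top & 1)),
            'PF': int(bin(res & 0xFF).count('1') % 2 == 0)}   # even parity, low byte


def is_junk(cur: Insn, nxt: Optional[Insn]) -> int:
    # Number of instructions at cur (0, 1 or 2) that do nothing, per the article's table.
    if cur.mnem == 'pause' or (cur.mnem in ('rol', 'ror') and cur.ops[1] == '0') or (
            cur.mnem == 'xchg' and cur.ops[0] == cur.ops[1]):
        return 1
    if nxt is not None and (cur.mnem, nxt.mnem) in PAIRS and cur.ops == nxt.ops:
        return 2
    return 0


def follow_jmps(listing: Dict[int, Insn], addr: int, limit: int = 64) -> Tuple[int, int]:
    # Follow a chain of JMP trampolines starting at addr; returns (destination, hops).
    hops = 0
    while addr in listing and listing[addr].mnem == 'jmp':
        if hops == limit:
            raise ValueError('jmp chain too long or cyclic at %#x' % addr)
        addr, hops = int(listing[addr].ops[0], 16), hops + 1
    return addr, hops


def deobfuscate_path(listing: Dict[int, Insn], entry: int, max_steps: int = 256) -> List[Insn]:
    # Walk from entry and keep only the instructions that really execute.
    order = sorted(listing)
    after = {a: b for a, b in zip(order, order[1:])}        # fall-through successor
    path, flags, addr = [], None, entry
    for _ in range(max_steps):
        if addr not in listing:
            return path
        cur = listing[addr]
        peek = listing.get(after.get(addr, -1))
        junk = is_junk(cur, peek)
        if junk:
            addr = after.get(peek.addr if junk == 2 else addr, -1)
        elif cur.mnem == 'cmp' and cur.ops[0] == cur.ops[1]:
            flags = cmp_flags(0, 0)                           # p - p is zero whatever p holds
            path.append(cur)
            addr = after.get(addr, -1)
        elif cur.mnem == 'jmp' or cur.mnem in COND:
            if cur.mnem == 'jmp':
                taken = True
            elif flags is not None:                           # decided by the cmp p, p before it
                taken = flags[COND[cur.mnem][0]] == COND[cur.mnem][1]
            elif peek is not None and peek.ops == cur.ops and COND.get(peek.mnem) == (
                    COND[cur.mnem][0], 1 - COND[cur.mnem][1]):
                taken = True                                  # Jcc x; JNcc x: one of them fires
            else:
                raise ValueError('undecidable branch at %#x' % addr)
            if taken:
                addr, _ = follow_jmps(listing, int(cur.ops[0], 16))
                path.append(Insn(cur.addr, 'jmp', ('%#x' % addr,)))
            else:
                addr = after.get(addr, -1)
        else:
            path.append(cur)
            flags = None                                      # assume the flags are clobbered
            addr = -1 if cur.mnem == 'ret' else after.get(addr, -1)
    raise ValueError('walk did not terminate')


def sample_listing() -> Dict[int, Insn]:
    # Constructed: a thunk jumps into an obfuscated segment that lands on a prologue at 0x3000.
    rows = [(0x1000, 'jmp', ('0x2000',)),                                   # thunk: a single JMP
            (0x2000, 'rol', ('rax', '0')),                                  # purposeless
            (0x2004, 'cmp', ('rcx', 'rcx')),                                # ZF=1, PF=1, SF=0
            (0x2007, 'jnz', ('0x2100',)),                                   # never taken
            (0x200d, 'pause', ()), (0x200f, 'bswap', ('rdx',)), (0x2012, 'bswap', ('rdx',)),
            (0x2015, 'jz', ('0x2040',)),                                    # always taken
            (0x201b, 'xor', ('rax', 'rax')),                                # dead code
            (0x2040, 'jmp', ('0x2060',)), (0x2060, 'jmp', ('0x2080',)),     # trampolines
            (0x2080, 'add', ('rsi', '0x10')),                               # clobbers the flags
            (0x2084, 'jb', ('0x3000',)), (0x208a, 'jnb', ('0x3000',)),      # complementary pair
            (0x2100, 'int3', ()),                                           # never reached
            (0x3000, 'push', ('rbp',)), (0x3001, 'mov', ('rbp', 'rsp')), (0x3004, 'ret', ())]
    return {a: Insn(a, m, o) for a, m, o in rows}


if __name__ == '__main__':
    for i in deobfuscate_path(sample_listing(), 0x1000):
        print('%#06x  %-5s %s' % (i.addr, i.mnem, ', '.join(i.ops)))
```

Run stand-alone, the block prints the eight instructions that actually execute out of the eighteen in the sample: the thunk, the cmp, one folded jump over the two trampolines, the add, one folded jump over the JB/JNB pair, and the prologue. Two limits are deliberate: self-cancelling pairs are only recognised when adjacent, and every instruction other than cmp p, p is assumed to clobber the flags, so a branch the pass cannot decide raises rather than guessing. As the paragraph above says, the obfuscated segment finally returns execution to a location near the thunk.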
That return location is the beginning of a non-obfuscated code segment, often the prologue of a function that\r\nimplements Mafalda functionality. In summary, the obfuscated code segments serve to obfuscate the invocation of\r\nthe non-obfuscated functions.\r\nThe figure below depicts an instance of execution flow obfuscation through thunk functions. The thunk function\r\nentryRoutine directs execution to the location entryRoutine_0, which marks the beginning of an obfuscated\r\ncode segment. This code segment ultimately returns the execution to a non-obfuscated code segment – the\r\nprologue of the function sub_17808D17767.\r\nExecution flow obfuscation through a thunk function\r\nNext, we discuss some of the obfuscation techniques that the developers of Mafalda have applied to the\r\nobfuscated code segments.\r\nPurposeless Instruction(s)\r\nThe obfuscated code segments in Mafalda contain instructions that serve no purpose in the execution of the code.\r\nThese instructions exist only to increase the cognitive load when an analyst analyzes the instruction stream. In\r\nMafalda, purposeless instructions are placed sequentially or are intertwined with other instructions.\r\nThe table below lists the majority of the purposeless instructions that we encountered in Mafalda’s obfuscated\r\ncode segments (p denotes an instruction parameter; each entry gives the instruction sequence, then its effect).\r\nrol p, 0 / ror p, 0\r\n    Rotates p left or right by 0 bits, leaving p unchanged.\r\nxchg p1, p2 ; xchg p1, p2\r\n    Swaps p1 and p2 twice, restoring both.\r\nxchg p, p\r\n    Swaps p with itself.\r\npause\r\n    Provides a spin-wait loop hint to the processor and changes no architectural state. The Mafalda developers\r\n    placed this instruction very often in the obfuscated code segments to increase cognitive load.\r\nbswap p ; bswap p\r\n    Reverses the byte order of p twice, restoring p.\r\npush p ; pop p\r\n    Preserves p on the stack and then restores p from the stack, without modifying p in between.\r\npushfq ; popfq\r\n    Preserves the RFLAGS register on the stack and then restores RFLAGS from the stack, without modifying\r\n    RFLAGS in between.\r\nBecause a pair may be interleaved with other instructions, a pass that removes such pairs has to confirm that\r\nnothing in between writes p (or, for pushfq/popfq, the flags); otherwise the pair is a genuine save and restore.\r\nAn example of some purposeless instructions in Mafalda\r\nOpaque Predicates\r\nThe obfuscated code segments in Mafalda implement simple opaque predicates. They first issue a cmp instruction\r\nthat compares a value against itself. Since p - p is zero whatever p holds, the comparison always sets ZF and PF\r\nto 1 (zero has even parity) and clears SF, CF and OF. A conditional jump that then tests the ZF, PF or SF flag\r\ntherefore has a fixed outcome and directs execution to a given branch every time.\r\nThe table below lists the majority of the opaque predicates that we encountered in Mafalda’s obfuscated code\r\nsegments. p denotes an instruction parameter and addr a memory address mapped to Mafalda: a virtual\r\naddress or a parameter to a conditional or unconditional jump instruction.\r\ncmp p, p ; JNP/JNZ/JNE/JS [addr1] ; [addr2]: [ . . . ]\r\n    The branch at [addr1] is never taken; execution always falls through to [addr2].\r\ncmp p, p ; JP/JZ/JE/JNS [addr1] ; [addr2]: [ . . . ]\r\n    The branch at [addr1] is always taken; the code at [addr2] is never reached from here.\r\ncmp p, p ; JNP/JNZ/JNE/JS [addr1] ; JMP [addr2] ; [addr3]: [ . . . ]\r\n    The branch at [addr1] is never taken, the jump to [addr2] is always taken, and the code at [addr3] is never\r\n    reached from here.\r\nThe execution branches that are always or never taken may contain any instructions, such as the purposeless\r\ninstructions mentioned above.\r\nAn opaque predicate\r\nUnconditional Jump (JMP) Obfuscations\r\nThe obfuscated code segments in Mafalda contain instructions that obfuscate unconditional jumps to locations in\r\nthe memory mapped to Mafalda. This involves:\r\nConditional execution based on a flag value in the RFLAGS register, for example, the ZF or the PF flag,\r\nsuch that either possible flag value (0 or 1) results in the execution of the code at a given destination\r\nlocation; or\r\nUse of multiple unconditional jumps (trampolines), instead of one, to direct execution to a given\r\ndestination location.\r\nThe table below lists the majority of the unconditional jump obfuscation sets that we encountered in Mafalda’s\r\nobfuscated code segments (addr denotes a memory address mapped to Mafalda: a virtual address or a parameter\r\nto a conditional or unconditional jump instruction).\r\nJP [addr1] ; JNP [addr1] ; [addr2]: [ . . . ]\r\n    Exactly one of the two jumps is taken whatever PF holds, so [addr1] is always reached and the code at\r\n    [addr2] is never executed.\r\nJS [addr1] ; JNS [addr1] ; [addr2]: [ . . . ]\r\n    The same pattern on SF: [addr1] is always reached, the code at [addr2] is never executed.\r\nJB [addr1] ; JNB [addr1] ; [addr2]: [ . . . ]\r\n    The same pattern on CF: [addr1] is always reached, the code at [addr2] is never executed.\r\n[addr]: call $+[offset] ; [ . . . ] ; [addr+offset]: [ . . . ]\r\n    Executes the instructions placed at offset [offset] from the address [addr] of the call instruction itself. The\r\n    instructions between [addr] and [addr+offset] are never executed. Unlike a JMP, the call also pushes a\r\n    return address, which the code at [addr+offset] has to discard or consume.\r\nJMP [addr1] ; [ . . . ] ; [addr1]: JMP [addr2] ; [ . . . ] ; [addr2]: JMP [addr3] ; [ . . . ] ; [addrN]: JMP [dest_addr] ; [ . . . ] ; [dest_addr]: [ . . . ]\r\n    Directs execution through a chain of trampolines at [addr1] to [addrN] until the final destination [dest_addr]\r\n    is reached. The instructions between the trampolines are never executed. We observed up to 17 trampolines\r\n    in one such chain.\r\nUnconditional jump obfuscations\r\nConclusion\r\nMafalda’s anti-analysis techniques make the analysis of the malware challenging, which helps the Metador threat\r\nactor to delay effective defensive actions against its operations. Metador takes a number of measures at\r\ninfrastructure- and network-level to hide and protect its operation from defenders. The techniques that this article\r\ndiscusses add to these measures at an executable, malware-implementation level.\r\nBy complementing our previous publication on Metador, we hope that this post will encourage collaboration\r\ntowards further unveiling the mystery of this threat actor.\r\nSource: https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/"
	],
	"report_names": [
		"the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques"
	],
	"threat_actors": [
		{
			"id": "ba626326-d049-472c-ba57-b64943d96dc2",
			"created_at": "2023-11-05T02:00:08.075744Z",
			"updated_at": "2026-04-10T02:00:03.398399Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [],
			"source_name": "MISPGALAXY:Metador",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "afa52232-4252-4c67-ac65-6e60eb113fde",
			"created_at": "2023-04-26T02:03:03.138144Z",
			"updated_at": "2026-04-10T02:00:05.366656Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [
				"Metador"
			],
			"source_name": "MITRE:Metador",
			"tools": [
				"metaMain",
				"Mafalda"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434093,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6308795722c04e3e8c7ae29a7a7ca013535a20ee.pdf",
		"text": "https://archive.orkl.eu/6308795722c04e3e8c7ae29a7a7ca013535a20ee.txt",
		"img": "https://archive.orkl.eu/6308795722c04e3e8c7ae29a7a7ca013535a20ee.jpg"
	}
}