{
	"id": "382b0d40-6635-4e7d-8fe9-9d0749e11512",
	"created_at": "2026-04-06T00:14:39.640862Z",
	"updated_at": "2026-04-10T13:11:43.663848Z",
	"deleted_at": null,
	"sha1_hash": "d0b7578af90f782eaeaab4fdd081dd8c8c8dfba6",
	"title": "MATA: Multi-platform targeted malware framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1315901,
	"plain_text": "MATA: Multi-platform targeted malware framework\r\nBy GReAT\r\nPublished: 2020-07-22 · Archived: 2026-04-05 21:15:57 UTC\r\nAs the IT and OT environment becomes more complex, adversaries are quick to adapt their attack strategy. For example, as users’ work environments diversify, adversaries are busy acquiring the TTPs to infiltrate systems. Recently, we reported to our Threat Intelligence Portal customers a similar malware framework that internally we called MATA. The MATA malware framework possesses several components, such as a loader, an orchestrator and plugins. This comprehensive framework is able to target Windows, Linux and macOS operating systems.\r\nThe first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework.\r\nWindows version of MATA\r\nThe Windows version of MATA consists of several components. According to our telemetry, the actor used a loader malware to load the encrypted next-stage payload. We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine.\r\nComponent of the Windows version of MATA\r\nLoader\r\nThis loader takes a hardcoded hex-string, converts it to binary and AES-decrypts it in order to obtain the path to the payload file. Each loader has a hard-coded path to load the encrypted payload. The payload file is then AES-decrypted and loaded.\r\nhttps://securelist.com/mata-multi-platform-targeted-malware-framework/97746/\r\nPage 1 of 9\r\nFrom the loader malware found on one of the compromised victims, we discovered that the parent process which executes the loader malware is the “C:\\Windows\\System32\\wbem\\WmiPrvSE.exe” process. The WmiPrvSE.exe process is the “WMI Provider Host” process, and this usually means the actor executed the loader malware from a remote host to move laterally. Therefore, we assess that the actor used this loader to compromise additional hosts in the same network.\r\nOrchestrator and plugins\r\nWe discovered the orchestrator malware in the lsass.exe process on victims’ machines. This orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. If the registry value does not exist, the malware uses hard-coded configuration data. The following is a configuration value example from one orchestrator malware sample:\r\nVictim ID: Random 24-bit number\r\nInternal version number: 3.1.1 (0x030101)\r\nTimeout: 20 minutes\r\nC2 addresses: 108.170.31[.]81:443, 192.210.239[.]122:443, 111.90.146[.]105:443\r\nDisk path or URL of plugin (up to 15) to be loaded on start: Not used in this malware\r\nThe orchestrator can load 15 plugins at the same time. There are three ways to load them:\r\nDownload the plugin from the specified HTTP or HTTPS server\r\nLoad the AES-encrypted plugin file from a specified disk path\r\nDownload the plugin file from the current MataNet connection\r\nThe malware authors call their infrastructure MataNet. For covert communication, they employ TLS 1.2 connections with the help of the “openssl-1.1.0f” open source library, which is statically linked inside this module. Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption. However, this mode is never used.\r\nThe MataNet client establishes periodic connections with its C2. Every message has a 12-byte-long header, where the first DWORD is the message ID and the rest is the auxiliary data, as described in the table below:\r\nMessage ID: Description\r\n0x400: Complete the current MataNet session and delay the next session until the number of logical drives is changed or a new active user session is started.\r\n0x500: Delete the configuration registry key and stop MATA execution until the next reboot.\r\n0x601: Send configuration data to the C2.\r\n0x602: Download and set new configuration data.\r\n0x700: Send the C2 basic information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address.\r\n0x701: Send the C2 the configuration settings, such as victim ID, internal version number and session timeout.\r\nThe main functionality of the orchestrator is loading each plugin file and executing it in memory. Each DLL-type plugin exposes an interface to the orchestrator and provides rich functionality for controlling infected machines.\r\nPlugin name: Description\r\nMATA_Plug_Cmd.dll: Run “cmd.exe /c” or “powershell.exe” with the specified parameters, and receive the output of the command execution.\r\nMATA_Plug_Process.dll: Manipulate processes (listing processes, killing processes, creating processes, creating processes with a logged-on user session ID).\r\nMATA_Plug_TestConnect.dll: Check TCP connection with a given IP:port or IP range. Ping a given host or IP range.\r\nMATA_Plug_WebProxy.dll: Create an HTTP proxy server. The server listens for incoming TCP connections on the specified port, processing CONNECT requests from clients to the HTTP server and forwarding all traffic between client and server.\r\nMATA_Plug_File.dll: Manipulate files (write received data to a given file, send a given file after LZNT1 compression, compress a given folder to %TEMP%\\~DESKTOP[8 random hex].ZIP and send it, wipe a given file, search files, list files and folders, timestomp a file).\r\nMATA_Plug_Load.dll: Inject a DLL file into the given process using PID and process name, or inject a XORed DLL file into the given process, optionally calling an export function with arguments.\r\nMATA_Plug_P2PReverse.dll: Connect between a MataNet server on one side and an arbitrary TCP server on the other, then forward traffic between them. IPs and ports for both sides are specified on the call to this interface.\r\nThere is an interesting string inside the MATA_Plug_WebProxy plugin – “Proxy-agent: matt-dot-net” – which is a reference to Matt McKnight’s open source project. There are some differences though. Matt’s project is written in C# rather than C++. The MATA proxy is noticeably simpler, as there is no cache and no SSL support, for instance. It’s possible that MATA’s authors found and used the source code of an early version of Matt’s proxy server. It looks like the malware author rewrote the code from C# to C++ but left this footprint unchanged.\r\nProxy-agent of MATA_Plug_WebProxy.dll plugin\r\nNon-Windows version of MATA\r\nThe MATA framework targets not only Windows systems but also Linux and macOS systems.\r\nLinux version\r\nDuring our research, we also found a package containing different MATA files together with a set of hacking tools. In this case, the package was found on a legitimate distribution site, which might indicate that this is the way the malware was distributed. It included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. China-based security vendor Netlab also published a highly detailed blog on this malware.\r\nThe module is designed to run as a daemon. Upon launch, the module checks if it is already running by reading the PID from “/var/run/init.pid” and checking whether the content of the “/proc/%pid%/cmdline” file is equal to “/flash/bin/mountd”. Note that “/flash/bin/mountd” is an unusual path for standard Linux desktop or server installations. This path suggests that MATA’s Linux targets are diskless network devices such as routers, firewalls or IoT devices based on x86_64. The module can be run with the “/pro” switch to skip the “init.pid” check. The AES-encrypted configuration is stored in the “$HOME/.memcache” file. The behavior of this module is the same as the Windows MATA orchestrator previously described. The plugin names of Linux MATA and the corresponding Windows plugins are:\r\nLinux plugin: Corresponding Windows plugin\r\n/bin/bash: MATA_Plug_Cmd\r\nplugin_file: MATA_Plug_File\r\nplugin_process: MATA_Plug_Process\r\nplugin_test: MATA_Plug_TestConnect\r\nplugin_reverse_p2p: MATA_Plug_P2PReverse\r\nNote that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a “scan” command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) to random IP addresses, excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.\r\nmacOS version\r\nWe discovered another MATA malware sample, targeting macOS, uploaded to VirusTotal on April 8, 2020. The malicious Apple Disk Image file is a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP.\r\nTrojanized macOS application\r\nThe Trojanized main TinkaOTP module is responsible for moving the malicious Mach-O file to the Library folder and executing it using the following command:\r\ncp TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib ~/Library/.mina \u003e /dev/null 2\u003e\u00261 \u0026\u0026 chmod +x ~/Library/.mina \u003e /dev/null 2\u003e\u00261 \u0026\u0026 ~/Library/.mina \u003e /dev/null 2\u003e\u00261\r\nUpon launch, this malicious Mach-O file loads the initial configuration file from “/Library/Caches/com.apple.appstotore.db”.\r\nLike the strains running on the other platforms, the macOS MATA malware also runs on a plugin basis. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named “plugin_socks”. The “plugin_socks” plugin is similar to “plugin_reverse_p2p” and is responsible for configuring proxy servers.\r\nVictims\r\nBased on our telemetry, we have been able to identify several victims who were infected by the MATA framework. The infection is not restricted to a specific territory. Victims were recorded in Poland, Germany, Turkey, Korea, Japan and India. Moreover, the actor compromised systems in various industries, including a software development company, an e-commerce company and an internet service provider.\r\nWe assess that MATA was used by an APT actor, and from one victim we identified one of their intentions. After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim, something that will be described in detail in an upcoming blog post.\r\nVictims of MATA\r\nAttribution\r\nWe assess that the MATA framework is linked to the Lazarus APT group. The MATA orchestrator uses two unique filenames, c_2910.cls and k_3872.cls, which have only previously been seen in several Manuscrypt variants, including the samples (0137f688436c468d43b3e50878ec1a1f) mentioned in the US-CERT publication.\r\nUnique file name\r\nMoreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.\r\nManuscrypt configuration structure\r\nConclusion\r\nThe MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware. We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers.\r\nFor more information please contact: intelreports@kaspersky.com\r\nIndicators of compromise\r\nFile Hashes (malicious documents, Trojans, emails, decoys)\r\nRegistry path\r\nHKLM\\Software\\Microsoft\\KxtNet\r\nHKLM\\Software\\Microsoft\\HlqNet\r\nHKLM\\Software\\mthjk\r\nSource: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/"
	],
	"report_names": [
		"97746"
	],
	"threat_actors": [],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0b7578af90f782eaeaab4fdd081dd8c8c8dfba6.pdf",
		"text": "https://archive.orkl.eu/d0b7578af90f782eaeaab4fdd081dd8c8c8dfba6.txt",
		"img": "https://archive.orkl.eu/d0b7578af90f782eaeaab4fdd081dd8c8c8dfba6.jpg"
	}
}