Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Metador

🌐Metador

🌐 Metador is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 9 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1013) ↗
14Use cases
0Articles
9Techniques
0IOCs

About this actor (MITRE)

[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Known aliases

Metador

Top techniques

T1027.013 · Encrypted/Encoded FileT1059.003 · Windows Command ShellT1070.004 · File Deletion

All other tracked techniques

T1071.001 · Web ProtocolsT1095 · Non-Application Layer ProtocolT1105 · Ingress Tool TransferT1546.003 · Windows Management Instrumentation Event SubscriptionT1588.001 · MalwareT1588.002 · Tool

Detection use cases (14)

Metador metaMain/Mafalda loader via cdb.exe Console Debugger LOLBIN AI · profile SΣ Metador Mafalda WMI Event Subscription persistence (filter-to-consumer binding) AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match Beaconing — periodic outbound to small set of destinations MITRE match