Threat Actor Profile
High APT
Description

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Confidence Score: 90%
Known Aliases: Metador
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026


MITRE ATT&CK Techniques (9)
T1071.001 - Web Protocols (Command and Control)
T1095 - Non-Application Layer Protocol (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1059.003 - Windows Command Shell (Execution)
T1546.003 - Windows Management Instrumentation Even… (Privilege Escalation)
T1588.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)

STIX Data
{'aliases': ['Metador'],
 'created': '2023-01-25T23:57:51.818Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Metador](https://attack.mitre.org/groups/G1013) is a '
                'suspected cyber espionage group that was first reported in '
                'September 2022. '
                '[Metador](https://attack.mitre.org/groups/G1013) has targeted '
                'a limited number of telecommunication companies, internet '
                'service providers, and universities in the Middle East and '
                'Africa. Security researchers named the group '
                '[Metador](https://attack.mitre.org/groups/G1013) based on the '
                '"I am meta" string in one of the group\'s malware samples and '
                'the expectation of Spanish-language responses from C2 '
                'servers.(Citation: SentinelLabs Metador Sept 2022)',
 'external_references': [{'external_id': 'G1013',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1013'},
                         {'description': 'Ehrlich, A., et al. (2022, '
                                         'September). THE MYSTERY OF METADOR | '
                                         'AN UNATTRIBUTED THREAT HIDING IN '
                                         'TELCOS, ISPS, AND UNIVERSITIES. '
                                         'Retrieved January 23, 2023.',
                          'source_name': 'SentinelLabs Metador Sept 2022',
                          'url': 'https://assets.sentinelone.com/sentinellabs22/metador#page=1'}],
 'id': 'intrusion-set--bfc5ddb3-4dfb-4278-8928-020e1b3feddd',
 'modified': '2024-04-11T00:46:59.526Z',
 'name': 'Metador',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Massimiliano Romano, BT Security',
                          'Sittikorn Sangrattanapitak'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}