The new Metador group hits orgs with cyberespionage attacks

Metador Threat Group Cyberespionage Telecom ISP Middle East Africa Windows Backdoor Malware

Security researchers have recently identified and shared details about a new hacking group they named ‘Metador,’ targeting telecom firms, internet service providers, and educational institutions. Based on reports, the Metador group aimed their cyberespionage attacks against Middle Eastern and African firms.

The studies about the hacking group also revealed how they are highly aware of security operations, including managing carefully segmented infrastructure per victim and immediately deploying countermeasures versus security solutions.

The researchers have yet to identify Metador’s initial infection vector. Still, it is evident how they have been using two Windows-based malware frameworks, metaMain and Mafalda, towards a compromised environment.


The Metador group has heavily utilised the two custom implants in their attacks.


According to the analysis of the two custom implants, metaMain, and Mafalda, they were initially decrypted and loaded in memory through a Windows debugging tool called cdb[.]exe.

For more details, the Mafalda implant can adapt and accept up to 67 commands given by the operators, although making it hard for researchers to analyse it because of its multi-layered obfuscation capability. Some of the commands that Mafalda can manage are file operations, reading directory contents, manipulating registries, inspecting the compromised system, and forwarding stolen data to the operators’ C2 server.

On the other hand, the metaMain implant is responsible for more direct procedures, such as taking screenshots of the computer, logging keyboard activities, performing file actions, and supporting arbitrary code execution.

Experts stressed that tracking and analysing the Metador group has been challenging since they are using these two custom implants and implementing strict segmentation of the attack infrastructure. Moreover, the malware they are using that entirely runs through LoLBins and in memory aids the hackers in hiding themselves for prolonged periods without raising suspicions.

There is no solid basis for security researchers to hold to study Metador deeper for now. They could only speculate that the threat group could be state-backed actors under a high-end contractor arrangement.

About the author

Leave a Reply