Connect with us

Hi, what are you looking for?


Application Security

Researchers Crowdsourcing Effort to Identify Mysterious Metador APT

Cybersecurity sleuths at SentinelLabs are calling on the wider threat hunting community to help decipher a new mysterious malware campaign hitting telcos, ISPs and universities in the Middle East and Africa.

Cybersecurity sleuths at SentinelLabs are calling on the wider threat hunting community to help decipher a new mysterious malware campaign hitting telcos, ISPs and universities in the Middle East and Africa.

The never-before-seen threat actor, called Metador, uses sophisticated technical measures to deploy Windows-based malware implants and clever tricks to avoid detection, but despite months of inspecting the code, SentinelLabs researchers say there’s still no clear, reliable sense of attribution.

At the recent LABScon security conference, SentinelLabs malware hunters Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski shared technical artifacts associated with Metador and kick-started a crowdsourced effort to better understand the adversary.

“We urge defenders in targeted verticals, regardless of location, to check their telemetry for the possible presence of Metador components and to share samples and indicators with the broader research community,” the SentinelLabs team said.

The research team said attempts to attribute Metador ran into multiple roadblocks and prevented complete documentation of the threat actor.

From the Metador report

“Attributing Metador remains a garbled mystery. We encountered multiple languages, with diverse idiosyncrasies indicative of multiple  developers.  There are indications of a  separation between developers and operators. And despite a lack of samples,  the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered. 

Advertisement. Scroll to continue reading.

An interesting divergence in build times suggests a possible working timezone of UTC+1. And cultural references include a Latin American cartoon popular throughout the hispanic diaspora since the 1950s, as well as a quote from a popular 80’s British Pop Punk band. While the targets suggest state interests, we vaguely suspect a contractor arrangement.”

The research team said the hacking teams behind Metador are heavily focused on collection operations aligned with state interests, but noted there are indications this may be the work of a “high-end contractor arrangement” not tied to a specific country.

A technical appendix with IOCs and analysis of the toolset is publicly available for external groups to pick apart the notes, hunt for additional components and share findings in a crowdsourced project.

Matador isn’t the first enduring mystery in the advanced threat actor space where highly skilled and well-resourced hacking teams operate.  

Here’s a partial list, compiled with the help of expert malware hunter Costin Raiu, of major malware campaigns that remain unattributed, or where there are significant gaps in research knowledge:

— TajMahal — A sophisticated APT framework exposed in 2019 that included backdoors, loaders, orchestrators, command and control (C&C) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer.   Despite this high level of sophistication, only a solitary TajMahal victim was found (a diplomatic entity from a country in Central Asia), suggesting a level of stealth that still leaves researchers dumbfounded.  Project TajMahal also remains unattributed.

— Strider/Sauron —  Strider, aka Sauron, was described as “the pinnacle of cyberespionage tools” that used a cocktail of zero-days and unknown, never-identified methods to deploy implants on .gov targets in several counties.  The malware tools used were capable of stealing information from air gapped networks and supported multiple covert exfiltration channels on various protocols.  As with TajMahal, Strider/Sauron remains unattributed, despite obvious signs suggesting the handiwork of nation state-backed hackers.

— The Encrypted Gauss Payload —  Back in 2012, the Gauss campaign was caught hijacking passwords, banking credentials, and browser cookies from machines connected to Lebanese banks, the first signs of a nation state-backed malware campaign combining data theft with cyberespionage. An enduring mystery of Gauss is the use of a module named Godel that features an encrypted payload. To this day, no one has managed to break the Gauss payload encryption.

— DarkUniverse — This campaign was described as the 27th function of a ShadowBrokers script that was included in the 2017 ‘Lost in Translation’ leak and which was designed to check for traces of other APTs on infected machines. After operating a full cyber-espionage framework undetected for at least eight years, DarkUniverse’s creators suspended the work without being attributed.

Related: DarkUniverse APT Uses Just-in-Time Malware Creation 

Related: “Strider” Espionage Group Targets China, Russia, Europe

Related: TajMahal APT Can Steal Data From CDs, Printer Queues

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...