September 30, 2022  — 
Eric Swotinsky

Newly discovered APT Metador targets ISPs, telecoms

A previously unknown threat actor named "Metador" has been breaching telecommunication companies, internet services providers (ISPs), and universities across multiple countries in the Middle East and Africa for about two years.

Metador is primarily focused on the development of cross-platform malware for espionage purposes. The group uses two Windows-based malware variants named metaMain and Mafalda, and an unknown Linux malware that steals data from workstations and channels it back to Mafalda. The Windows-based malware frameworks run only in system memory, leaving no unencrypted traces on the compromised host.

The complexity of this malware and its active development status point towards a well-resourced group that can be expected to improve their tools further. Researchers also found that the developers had documented the malware frameworks and provided guidance for a separate group of operators. Ultimately though, Metador's attribution remains a mystery at this time.

Acronis Cyber Protect Cloud detects and blocks malware used in such attacks, with its included multi-layered behavioral and AI-powered detection engines.