{
	"id": "931530ce-eac4-4988-a012-837fa4439e06",
	"created_at": "2026-04-06T00:10:58.837555Z",
	"updated_at": "2026-04-10T03:25:50.553321Z",
	"deleted_at": null,
	"sha1_hash": "641d18d3ceb7d016e9feab4cbd35f4ce2535f810",
	"title": "InvisiMole: Surprisingly equipped spyware, undercover since 2013",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 415582,
	"plain_text": "InvisiMole: Surprisingly equipped spyware, undercover since 2013\r\nBy Zuzana Hromcová\r\nArchived: 2026-04-05 13:11:54 UTC\r\nThis is the modus operandi of the two malicious components of InvisiMole. They turn the affected computer into a\r\nvideo camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device\r\nmay be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and\r\nstealing the victim’s secrets.\r\nOur telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the\r\ncyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised\r\ncomputers in Ukraine and Russia.\r\nThe campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen\r\ncomputers being affected.\r\nInvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using\r\ntwo other modules that are embedded in its resources. Both of the modules are feature-rich backdoors, which\r\ntogether give it the ability to gather as much information about the target as possible.\r\nExtra measures are taken to avoid attracting the attention of the compromised user, enabling the malware to reside\r\non the system for a longer period of time. How the spyware was spread to the infected machines is yet to be\r\ndetermined by further investigation. All infection vectors are possible, including installation facilitated by physical\r\naccess to the machine.\r\nInstallation and persistence\r\nThe first part of the malware we are looking at is a wrapper DLL, compiled with the Free Pascal Compiler. 
From our telemetry, we have observed that this DLL is placed in the Windows folder, masquerading as a legitimate mpr.dll library file with a forged version info resource.\r\nhttps://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/\r\nPage 1 of 14\n\nFigure 1 – The wrapper DLL poses as a legitimate mpr.dll library, both by its name and version info\r\nWe have not seen a wrapper DLL named differently; however, there are hints in the DLL code that it might also be named fxsst.dll or winmm.dll.\r\nThe first way in which the malware can be launched is DLL search-order hijacking. Placed in the same folder as explorer.exe (%windir%), the wrapper DLL is loaded into the Windows Explorer process during Windows startup instead of the legitimate library located in %windir%\\system32, because the application's own directory is searched before the system directory. (This only works for libraries that are not on the KnownDLLs list, which are resolved without a path search.)\r\nWe have found both 32-bit and 64-bit versions of the malware, which makes this persistence technique functional on both architectures.\r\nAs an alternative to DLL hijacking, other loading and persistence methods are possible. The wrapper DLL exports a function called GetDataLength. When this function is called, the DLL checks whether it was loaded by the rundll32.exe process with either explorer.exe or svchost.exe as its parent process, and only then does it launch the payload. This suggests other possible persistence methods: a scheduled task (svchost.exe, which hosts the Task Scheduler service, being the parent process) or an entry in a startup registry key (explorer.exe being the parent process).\r\nRegardless of the persistence method, the behavior of the malware and of the actual payload is the same in all cases. 
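As an added example (not code from ESET or from the original article), the following Python script implements the check an incident responder would run for the persistence technique described above: look for the DLL names the report mentions (mpr.dll, fxsst.dll, winmm.dll) in explorer.exe's own directory and compare each against the copy in System32. The build_demo_tree function constructs a fake %windir% with placeholder files so the script runs offline; that layout and the file contents are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names the wrapper DLL is known (mpr.dll) or hinted (fxsst.dll, winmm.dll)
# to use, per the report.
INVISIMOLE_DLL_NAMES = ('mpr.dll', 'fxsst.dll', 'winmm.dll')


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            digest.update(chunk)
    return digest.hexdigest()


def find_hijack_candidates(windir, names=INVISIMOLE_DLL_NAMES):
    """Report DLLs that sit in explorer.exe's own directory (%windir%).

    Standard DLL search order tries the application directory before
    %windir%\\System32 (KnownDLLs excepted), so a same-named DLL planted
    next to explorer.exe is the one that gets loaded. Returns a list of
    (name, path, reason) tuples; an empty list means nothing was found.
    """
    windir = Path(windir)
    system32 = windir / 'System32'
    findings = []
    for name in names:
        planted = windir / name
        if not planted.is_file():
            continue
        genuine = system32 / name
        if not genuine.is_file():
            reason = 'no System32 copy to compare against'
        elif sha256_of(planted) != sha256_of(genuine):
            reason = 'content differs from the System32 copy'
        else:
            reason = 'identical to the System32 copy but still out of place'
        findings.append((name, str(planted), reason))
    return findings


def build_demo_tree(root):
    """Constructed test layout (placeholder bytes, not real binaries): a genuine
    System32\\mpr.dll, a different mpr.dll planted beside explorer.exe, and
    winmm.dll only where it belongs."""
    root = Path(root)
    (root / 'System32').mkdir(parents=True, exist_ok=True)
    (root / 'explorer.exe').write_bytes(b'MZ explorer placeholder')
    (root / 'System32' / 'mpr.dll').write_bytes(b'MZ genuine mpr.dll')
    (root / 'System32' / 'winmm.dll').write_bytes(b'MZ genuine winmm.dll')
    (root / 'mpr.dll').write_bytes(b'MZ forged mpr.dll with fake version info')
    return root


def demo():
    """Build the demo tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_hijack_candidates(build_demo_tree(tmp))


if __name__ == '__main__':
    for name, path, reason in demo():
        print(f'{name}: {path} ({reason})')
```

On a live host, call find_hijack_candidates(r'C:\Windows'). A hash mismatch alone is not proof (the System32 copy may be a different servicing build), so verify the Authenticode signature of any out-of-place DLL before acting; a DLL with these names sitting next to explorer.exe at all is the real signal.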
The wrapper DLL loads both modules stored in its resources, named RC2FM and RC2CL, and (if DLL hijacking was used) finally loads the legitimate library into the explorer.exe process, so as not to disrupt the normal operation of the application and thereby remain hidden.\r\nFigure 2 – Exported functions of the wrapper DLL\r\nTechnical analysis\r\nThe exact date when the malware was compiled is unknown: the recent wrapper DLL samples were tampered with by the malware authors, with the PE timestamps manually set to zero. However, during our research we found an earlier version of the malware with a PE timestamp reading Oct 13, 2013, so the compilation date of the later version is almost surely more recent.\r\nFigure 3 – The compilation timestamp is set to zero in all the latest samples\r\nEncryption and decryption\r\nTo increase its level of stealth, the malware protects itself from the eyes of administrators and analysts by encrypting its strings, internal files, configuration data and network communication. While the RC2FM module uses a handful of custom ciphers, the wrapper DLL and the RC2CL module share one particular routine for all purposes, including decrypting the other malware modules embedded in the wrapper DLL.\r\nA script that is able to extract the embedded modules RC2FM and RC2CL from the wrapper DLL, using this routine, is available on ESET’s malware-research GitHub repository.\r\nFigure 4 – Encryption routine used across the samples (decompiled and disassembled)\r\nModule RC2FM\r\nThe first, smaller module, RC2FM, contains a backdoor with fifteen supported commands. These are executed on the affected computer when so instructed by the attackers. 
The module is designed to make various changes to the system, but it also offers a number of spying commands.\r\nA logging option is implemented throughout the file, but the name of the log file is not configured in the analyzed sample. This suggests that it was only used during the development of the malware.\r\nNetwork communication\r\nThis module communicates with C\u0026C servers that are either hardcoded in the sample or updated later by the attackers.\r\nMoreover, the module is able to reach the C\u0026C servers even if there is a proxy configured on the infected computer. If a direct connection is unsuccessful, the module attempts to connect to any of its C\u0026C servers using locally configured proxies or proxies configured for various browsers (Firefox, Pale Moon and Opera).\r\nRC2FM goes as far as inspecting the list of recently executed applications, looking specifically for portable browser executables:\r\nFirefoxPortable.exe\r\nOperaPortable.exe\r\nRun waterfox.exe\r\nOperaAC.exe\r\nPalemoon-Portable.exe\r\nShould the victim use one of these portable browsers with a proxy server configured, the malware can find that proxy in the user’s preferences and use it to communicate with its C\u0026C servers.\r\nC\u0026C communication consists of a series of HTTP GET and POST requests, as shown in Figure 5. The encrypted request includes a PC identifier and timestamp, and optionally some other data. 
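The proxy-discovery step described above can be reproduced with a small parser. The block below is an added example (neither ESET's code nor the malware's): it parses the prefs.js file that Firefox-family browsers, including the portable Firefox, Waterfox and Pale Moon builds named above, keep in their profile directory, and resolves the proxy the browser would actually use from network.proxy.type. The two prefs.js samples are constructed for the example, the host and port in them are made up, and locating a given portable browser's prefs.js is left to the caller.

```python
import re

# Firefox-family profiles keep user settings in prefs.js as lines of the form
#   user_pref("name", value);
# where value is a quoted string, an integer or true/false.
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample: a manually configured HTTP/HTTPS proxy, as a portable
# browser profile might hold it. Host and port are invented for the example.
SAMPLE_PREFS_MANUAL = '''
// Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("network.proxy.http", "10.0.0.5");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "10.0.0.5");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.type", 1);
'''

# Constructed sample: a proxy host is still present in the file, but the
# profile is set to "no proxy", so nothing must be reported.
SAMPLE_PREFS_DIRECT = '''
user_pref("network.proxy.http", "10.0.0.5");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.type", 0);
'''


def parse_user_prefs(text):
    """Parse prefs.js text into a dict; values become str, int or bool."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and other statements are ignored
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ('true', 'false'):
            prefs[key] = raw == 'true'
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def proxy_from_prefs(prefs):
    """Return the proxy the browser would use, or None.

    network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL, 4 = auto-detect,
    5 = system settings (the default when the key is absent). Only manual
    and PAC configurations carry a usable endpoint inside prefs.js itself.
    """
    ptype = prefs.get('network.proxy.type', 5)
    if ptype == 1:
        host = prefs.get('network.proxy.http') or prefs.get('network.proxy.ssl')
        port = prefs.get('network.proxy.http_port') or prefs.get('network.proxy.ssl_port')
        if host and port:
            return ('manual', host, int(port))
    elif ptype == 2:
        url = prefs.get('network.proxy.autoconfig_url')
        if url:
            return ('pac', url)
    return None


if __name__ == '__main__':
    for sample in (SAMPLE_PREFS_MANUAL, SAMPLE_PREFS_DIRECT):
        print(proxy_from_prefs(parse_user_prefs(sample)))
```

The same parse helps on the defensive side: if a compromised user's portable browser carries a manual proxy, that proxy's logs are where RC2FM's GET and POST beacons will appear once direct connections fail. Opera stores its settings in a different format, which this parser does not cover.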
It is worth noting that the RC2FM module uses a number of encryption methods (variations of a simple XOR encryption routine), unlike the other InvisiMole parts.\r\nFigure 5 – Example of a request sent to the C\u0026C server by the RC2FM module\r\nAfter successfully registering the victim with the C\u0026C server, additional data are downloaded, which are interpreted on the local computer as backdoor commands.\r\nCapabilities\r\nRC2FM supports commands for listing basic system information and performing simple changes on the system, but also includes a few spyware features. When required by the attacker, it is capable of remotely activating the microphone on the compromised computer and capturing sound. The audio recordings are encoded to MP3 format using a legitimate lame.dll library, which is downloaded and misused by the malware.\r\nAnother way in which the malware can interfere with the victim’s privacy is by taking screenshots, which is another of the backdoor commands.\r\nThe malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it, encrypted, in a file.\r\nAll of the collected data can ultimately be sent to the attackers when the appropriate command is issued.\r\nBackdoor commands\r\nFifteen commands are supported, as listed below. 
The backdoor interpreter function is visualized in Figure 6.\r\nCommand ID | Command description\r\n0 | List information about mapped drives, list files in a folder, list network shares\r\n2 | Create, move, rename, execute or delete a file, delete a directory using the specified path\r\n4 | Open a file, set the file pointer to the file beginning\r\n5 | Close a previously opened file\r\n6 | Write data into a previously opened file\r\n7 | Modify file times / delete a file\r\n8 | Open a file, set the file pointer to the end of the file\r\n10 | Modify file times / delete a file\r\n12 | Search files by supplied file mask in a specified directory\r\n13 | Take a screenshot\r\n14 | Upload or modify files with internal data\r\n15 | Record sound using input audio devices, list available devices, send recordings, change configuration\r\n16 | Check whether this module currently has any files open\r\n17 | Update list of C\u0026C servers\r\n19 | Create, set, copy, enumerate or delete the specified registry keys or values\r\nFigure 6 – Backdoor interpreter function (original and after our analysis, changed using the Group Nodes functionality of IDA Pro for better readability)\r\nModule RC2CL\r\nThe RC2CL module is also a backdoor with extensive spying capabilities. It is started by the wrapper DLL at the same time as the RC2FM module. It is more complex and offers features for collecting as much data about the infected computer as possible, rather than for making system changes.\r\nInterestingly, there is an option in the RC2CL module to turn off its backdoor functionality and act as a proxy. 
In this case, the malware turns off the Windows firewall and creates a server that relays communication between a client and a C\u0026C server, or between two clients.\r\nNetwork communication\r\nThe malware communicates with its C\u0026C servers through a TCP socket. Messages sent from a client mimic the HTTP protocol, but note the invalid \"HIDE\" HTTP verb in the example in Figure 7; a request line with this method is not valid HTTP, which makes it a simple thing to match in network monitoring.\r\nThese requests comprise an identifier of the compromised PC, the request type, and encrypted data to be sent to the attackers, i.e. the results of the backdoor commands or requests for further instructions.\r\nFigure 7 – Example of a request sent to the C\u0026C server by the RC2CL module\r\nCapabilities\r\nDepending on the commands received, the backdoor can perform various actions on the infected computer. Common backdoors often support commands such as file system operations, file execution, registry key manipulation or remote shell activation. This spyware supports all of these instructions and a whole lot more: its 84 commands provide the attackers with all they need to look at their victims more closely.\r\nThe malware can inspect the infected computer and provide various data, from system information such as lists of active processes, running services, loaded drivers or available drives, to networking information, including the IP forward table and the speed of the internet connection.\r\nInvisiMole is capable of scanning the wireless networks in range of the compromised system. It records information such as the SSID and MAC address (BSSID) of the visible Wi-Fi access points. 
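The invalid verb is the simplest network signature in the whole report. The following Python block is an added example (not from ESET or the article) that checks the request line of each captured HTTP-like message against the method names defined in the HTTP RFCs and flags anything else. The sample requests are constructed for the example; the path and host in the HIDE request are made up, since Figure 7 is not reproduced here.

```python
import re

# Request methods from RFC 7231 and RFC 5789, plus the WebDAV and versioning
# extensions (RFC 4918, RFC 3253) commonly seen on real networks.
KNOWN_METHODS = frozenset((
    'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH',
    'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', 'MOVE', 'LOCK', 'UNLOCK',
    'REPORT', 'CHECKOUT', 'CHECKIN', 'UNCHECKOUT', 'MKWORKSPACE', 'UPDATE',
    'LABEL', 'MERGE', 'BASELINE-CONTROL', 'MKACTIVITY',
))

# method SP request-target SP HTTP-version; methods are upper-case tokens.
REQUEST_LINE_RE = re.compile(r'^([A-Z][A-Z-]*) (\S+) HTTP/1\.[01]$')


def check_request_line(line):
    """Return None for an ordinary request line, otherwise a short reason."""
    m = REQUEST_LINE_RE.match(line)
    if m is None:
        return 'malformed request line'
    method = m.group(1)
    if method not in KNOWN_METHODS:
        return 'unknown method ' + method
    return None


def scan_requests(requests):
    """requests: iterable of raw HTTP request texts (CRLF-delimited).

    Returns [(index, first_line, reason)] for the messages worth a second
    look; everything else is dropped.
    """
    findings = []
    for i, raw in enumerate(requests):
        first = raw.split('\r\n', 1)[0]
        reason = check_request_line(first)
        if reason:
            findings.append((i, first, reason))
    return findings


# Constructed sample traffic. The first two are ordinary; the third uses the
# invalid verb the report shows in Figure 7 (path and host invented here);
# the fourth is not an HTTP request line at all.
SAMPLE_REQUESTS = [
    'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
    'POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n',
    'HIDE /data HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n',
    'NOTHTTP\r\n',
]


if __name__ == '__main__':
    for index, first_line, reason in scan_requests(SAMPLE_REQUESTS):
        print(f'#{index}: {first_line!r}: {reason}')
```

Because RC2CL talks over its own TCP socket rather than through the system proxy, a web-proxy log may never see these messages; run the check on network-sensor data (Zeek's http.log method field or Suricata's http.method buffer carry the same information) and across all ports, not only 80 and 443.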
These data can then be compared against public databases of access-point locations, letting the attackers track the geolocation of the victim.\r\nOther commands can provide information about the users of the compromised machine, their accounts and previous sessions.\r\nThe software installed on the compromised computer is of particular interest. Which programs are installed on the system? Which of them are executed automatically at each system start or user logon? Which programs are used by a particular user? If the attackers are interested, they are only one command away from these valuable data.\r\nThe malware can be instructed to search for recently used documents or other interesting files. It can monitor specific directories and removable devices, report any changes and exfiltrate files of the attackers’ choice.\r\nThe malware may enable or disable User Account Control (UAC), or even bypass UAC and work with files in protected locations without having administrator privileges (see https://wikileaks.org/ciav7p1/cms/page_3375231.html). If the malware is running inside the explorer.exe process, a Microsoft-signed process from which certain COM objects are auto-elevated without a UAC prompt, it can instantiate such an elevated COM object and use it to delete or move files in locations that require admin rights.\r\nWhat is even more disturbing is that it can remotely activate the victim’s webcam and microphone and spy on the victim by taking pictures and recording sound. Screen activity can be monitored by capturing screenshots. 
What is particularly interesting about InvisiMole is that not only are the usual “whole display” screenshots taken; it can separately capture each window, which helps the attackers gain more information even when windows overlap.\r\nFurther, one of the backdoor commands is used to replace the contents of drivers with the following names:\r\nblbdrive.sys\r\ncompbatt.sys\r\nsecdrv.sys\r\nWe have not observed the attackers actually using this command, but we can speculate that its purpose is to achieve additional persistence on 32-bit systems (64-bit Windows enforces kernel-mode driver signing, which would block an unsigned replacement driver from loading).\r\nThough the backdoor is capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provides passive operations. Whenever possible, it tries to hide its activities.\r\nFor instance, the malware sniffs around interesting places on the system, reads recent documents or even modifies some files. This leaves traces on the system and could raise the victim’s suspicions, as the last access or modification time of the files changes with each such activity. To prevent this, the malware always restores the original file access or modification times, so that the user is unaware of its operation. (Restoring them through the normal file-time API does not reset the NTFS $STANDARD_INFORMATION change time or the $FILE_NAME timestamps, so inconsistencies between these remain a useful forensic signal.)\r\nAnother example of how the malware authors attempt to act covertly is the way they treat traces left on the disk. The malware collects loads of sensitive data, which are temporarily stored in files and deleted after they have been successfully uploaded to the C\u0026C servers. Even deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack after the victim becomes aware of it. This is possible because some data still reside on the disk even after a file is deleted. 
To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then deletes the file.\r\nInternal storage\r\nThe backdoor configuration and the data collected are stored in one of two places: a working directory and working registry keys. A substantial portion of the backdoor command set is dedicated to manipulating these storage locations and their contents.\r\nThe location of the working directory is determined by instructions from the remote server. The directory is used as temporary storage for files containing collected data about the compromised computer. Such files share a common naming convention, encryption algorithm and structure. They are encrypted by a simple variation of the XOR cipher which is used across the malware components. The type of the file can be derived from the 4-byte control sequence placed at the beginning of the file.\r\nBesides being a storehouse for the gathered data, the working directory is also home to a copy of the legitimate WinRAR.exe application. This is copied by the malware and abused by the attackers for compressing the data that are to be exfiltrated.\r\nThe working registry keys store configuration data, as well as a list of files in the working directory. 
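As an added example (not ESET's code and not part of the original post), the Python block below turns the file table in this section into a triage script: it walks a suspected working directory, matches each file's subdirectory and name against the naming convention, and compares the first four bytes with the listed control sequence. It assumes that %random%, %timestamp% and %num% stand for arbitrary characters or digits, that the control sequence sits unencrypted at the start of the file, and, because the report does not state the byte order, accepts the sequence either as printed or byte-swapped. The tree built by build_demo_tree is constructed test data.

```python
import re
import tempfile
from pathlib import Path

# Rows of the report's file table as (subdirectory pattern, file-name pattern,
# 4-byte control sequence as printed, description). Subdirectories are matched
# with forward slashes; the %random%/%timestamp%/%num% placeholders are read
# as arbitrary characters or digits (an assumption, not stated in the report).
ARTIFACTS = (
    ('', r'~mrc_.+\.tmp', '932101DA', 'audio recordings'),
    ('', r'~src_.+\.tmp', '958901DA', 'audio recordings'),
    ('', r'~wbc_.+\.tmp', '938901DA', 'webcam photos'),
    ('sc', r'~sc.+\.tmp', 'DFE43A08', 'screenshots'),
    ('~zlp', r'zdf_.+\.data', 'B1CBF218', 'zlib-compressed packages'),
    ('~lcf', r'tfl_.+', 'C0AFF208', 'internal data'),
    (r'fl_[^/]+/strcn\d+', r'fdata\.dat', 'A1CAF108', 'data from removable drives'),
    (r'fl_[^/]+/strcn\d+', r'index\.dat', 'BAAB0019', 'data from removable drives'),
    ('Winrar', r'WinRAR\.exe', None, 'copy of legitimate WinRAR'),
    ('Winrar', r'(comment\.txt|descript\.ion|Default\.SFX|main\.ico)', None, 'WinRAR component'),
)


def header_status(path, seq_hex):
    """Compare a file's first four bytes with a control sequence.

    The report does not say whether the hex is the on-disk byte order or a
    little-endian DWORD, so both are accepted and the reader is told which.
    """
    expected = bytes.fromhex(seq_hex)
    with open(path, 'rb') as fh:
        head = fh.read(4)
    if head == expected:
        return 'as printed'
    if head == expected[::-1]:
        return 'byte-swapped'
    return 'mismatch'


def triage_working_dir(root):
    """Return [(relative path, description, header status or None)] for every
    file under root whose subdirectory and name match a table row."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob('*') if p.is_file()):
        rel = path.relative_to(root)
        subdir = rel.parent.as_posix()
        if subdir == '.':
            subdir = ''
        for sub_re, name_re, seq, desc in ARTIFACTS:
            if (re.fullmatch(sub_re, subdir, re.IGNORECASE)
                    and re.fullmatch(name_re, rel.name, re.IGNORECASE)):
                status = header_status(path, seq) if seq else None
                findings.append((rel.as_posix(), desc, status))
                break
    return findings


def build_demo_tree(root):
    """Constructed layout mimicking the table; contents are dummy bytes."""
    root = Path(root)
    (root / 'sc').mkdir()
    (root / 'fl_20180607' / 'strcn1').mkdir(parents=True)
    (root / 'Winrar').mkdir()
    (root / '~mrc_1a2b.tmp').write_bytes(bytes.fromhex('932101DA') + b'\x00' * 16)
    (root / 'sc' / '~sc77.tmp').write_bytes(bytes.fromhex('DFE43A08')[::-1] + b'\x00' * 16)
    (root / 'fl_20180607' / 'strcn1' / 'index.dat').write_bytes(b'not the expected header')
    (root / 'Winrar' / 'WinRAR.exe').write_bytes(b'MZ placeholder')
    (root / 'unrelated.txt').write_bytes(b'hello')
    return root


def demo():
    """Run the triage over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_working_dir(build_demo_tree(tmp))


if __name__ == '__main__':
    for rel, desc, status in demo():
        print(f'{rel}: {desc}' + (f' [header {status}]' if status else ''))
```

The working directory has no fixed location (the C&C server chooses it), so point triage_working_dir at candidate directories, for instance wherever an unexpected copy of WinRAR.exe turns up. A 'mismatch' on an otherwise matching name may simply mean the header is encrypted along with the rest of the file, which is worth confirming against the sample before discarding the hit.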
The data are packed using a Zlib routine implemented in the malware binary and encrypted with the same cipher as the internal files.\r\nSubdirectory name | File name | Control sequence | File content\r\n\\ | ~mrc_%random%.tmp | 932101DA | Audio recordings\r\n\\ | ~src_%random%.tmp | 958901DA | Audio recordings\r\n\\ | ~wbc_%random%.tmp | 938901DA | Webcam photos\r\nsc\\ | ~sc%random%.tmp | DFE43A08 | Screenshots\r\n~zlp\\ | zdf_%random%.data | B1CBF218 | Zlib-compressed packages\r\n~lcf\\ | tfl_%random% | C0AFF208 | Internal data\r\nfl_%timestamp%\\strcn%num%\\ | fdata.dat | A1CAF108 | Data from removable drives\r\nfl_%timestamp%\\strcn%num%\\ | index.dat | BAAB0019 | Data from removable drives\r\nWinrar\\ | WinRAR.exe | - | Copy of a legitimate application\r\nWinrar\\ | comment.txt | - | -\r\nWinrar\\ | descript.ion | - | -\r\nWinrar\\ | Default.SFX | - | -\r\nWinrar\\ | main.ico | - | -\r\nBackdoor commands\r\nThe backdoor provides more than eighty commands that use the working directory and registry keys to store their intermediate results and configuration data. The graph of the backdoor interpreter is shown in Figure 8. Approximately a third of the commands are dedicated to reading and updating the configuration data stored in the registry. 
The rest of the commands are listed in the table below.\r\nCommand ID(s) | Command description\r\n4 | List information about files in a directory\r\n6 | Upload a file\r\n20 | List information about active processes\r\n22 | Terminate a process by ID\r\n24 | Execute a file\r\n26 | Delete a file\r\n28 | Get the IP forward table\r\n30 | Write data to a file\r\n31 | Sleep\r\n38 | List account information\r\n40 | List information about services on the system\r\n42 | List information about loaded drivers\r\n43 | Collect basic system information (computer name, OS version, memory status, local time, drive information, configured proxy information, system and process DEP policy…)\r\n44 | List installed software\r\n46 | List local users and session information\r\n48 | List applications accessed by users\r\n52 | Create a directory structure\r\n78 | Create a remote shell\r\n81 | Execute a command via a remote shell\r\n91 | Enable/disable UAC\r\n93 | Log off the user/shutdown/restart the system\r\n101 | Monitor and record changes in the specified directories\r\n103 | Delete directories\r\n109 | Turn the monitor on/off/onto standby\r\n120 | Capture screenshots of the display/active windows\r\n126 | Capture screenshots of the display/active windows \u0026 update configuration data\r\n130 | List information about resources on unmapped drives\r\n132 | Rename/move a file, modify create/access/write times of the file to the given values\r\n134 | List information about recently opened files\r\n152 | Disconnect (previously connected) remote drives\r\n155 | Create/delete a registry key, set/delete a registry key value, or enumerate registry values/keys/data\r\n159, 161 | Disable routing/firewall, create a proxy server on a specified port\r\n172 | Repeatedly display a dialog requesting the user to reboot the computer\r\n175 | Bypass UAC to manipulate a file\r\n177 | Create and write a file, set the create/access/modify times\r\n181 | Remove all system restore points\r\n183 | Drop (legitimate) WinRAR components\r\n185 | Add files to a password-protected archive (password = \"12KsNh92Dwd\")\r\n187 | Decrypt, unpack and load a DLL, load executables from its resources RC2CL, RC2FM\r\n189 | Create a system restore point\r\n191 | Extract a password-protected archive (password = \"12KsNh92Dwd\")\r\n193 | Modify an encrypted file\r\n195 | Restart itself after the primary process finishes\r\n197 | Send 198 bytes of data hardcoded in the sample\r\n199 | Rename/move a file\r\n206 | Decrypt, unpack and load a DLL, load executables from its resources RC2CL, RC2FM\r\n211 | Upload collected information (captured screenshots, audio recordings, etc.)\r\n213 | List information about active windows\r\n218 | API for recording input audio devices\r\n220 | API for capturing webcam photos\r\n224 | List files executed with each system start\r\n226 | List information about enabled wireless networks (MAC address, SSID, beacon interval)\r\n228 | Drop a Zlib-compressed package\r\nFigure 8 – Backdoor interpreter function (original and after our analysis, changed using the Group Nodes functionality of IDA Pro for better readability)\r\nConclusion\r\nInvisiMole is fully equipped spyware whose rich capabilities can surely compete with other espionage tools seen in the wild.\r\nWe can only wonder why the authors decided to use two modules with overlapping capabilities. One might think the smaller module, RC2FM, is used as an initial reconnaissance tool, while the bigger RC2CL module is only run on interesting targets. 
This is, however, not the case: both modules are launched simultaneously. Another possible explanation is that the modules were crafted by different authors and then bundled together to give the malware operators a broader range of functionality.\r\nThe malware uses only a few techniques to avoid detection and analysis, yet, deployed against a very small number of high-value targets, it was able to stay under the radar for at least five years.\r\nIndicators of Compromise (IoCs)\r\nA full and comprehensive list of IoCs and C\u0026C servers, along with registry keys and values, can be found on GitHub.\r\nSource: https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
	],
	"report_names": [
		"invisimole-equipped-spyware-undercover"
	],
	"threat_actors": [
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775791550,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/641d18d3ceb7d016e9feab4cbd35f4ce2535f810.pdf",
		"text": "https://archive.orkl.eu/641d18d3ceb7d016e9feab4cbd35f4ce2535f810.txt",
		"img": "https://archive.orkl.eu/641d18d3ceb7d016e9feab4cbd35f4ce2535f810.jpg"
	}
}