{
	"id": "fcbdce63-4b72-410e-95a7-1fdf20b6a863",
	"created_at": "2026-04-06T00:17:57.808501Z",
	"updated_at": "2026-04-10T03:37:04.288855Z",
	"deleted_at": null,
	"sha1_hash": "9eaca02eda05e8da117331d5bfabacc2e5a96465",
	"title": "Digging up InvisiMole’s hidden arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 398628,
	"plain_text": "Digging up InvisiMole’s hidden arsenal\r\nBy Zuzana Hromcová and Anton Cherepanov\r\nArchived: 2026-04-05 17:12:12 UTC\r\nIn our tracking of the InvisiMole group, which we discovered, named, and first reported on in 2018, we have found a new campaign targeting high-profile organizations in Eastern Europe. Investigating the attacks, in close cooperation with the affected organizations, we uncovered its updated toolset and previously unknown details about InvisiMole’s tactics, techniques and procedures (TTPs).\r\nIn this blogpost, we summarize the findings published in full in our white paper, InvisiMole: The hidden part of the story.\r\nThe InvisiMole group is a threat actor operating at least since 2013. We previously documented its two backdoors, RC2CL and RC2FM, notable for their extensive spying capabilities, but we didn’t know how these backdoors were delivered, spread or installed on the system.\r\nIn this recent campaign, the InvisiMole group has resurfaced with an updated toolset, targeting a small number of high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. According to our telemetry, the attack attempts were ongoing from late 2019 to the time of writing this report.\r\nThanks to investigating the attacks in cooperation with the affected organizations, we were able to expose the inner workings of the updated InvisiMole toolset.\r\nWe discovered InvisiMole’s arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges. This allows the InvisiMole group to devise creative ways to operate under the radar.\r\nFor example, the attackers use long execution chains, crafted by combining malicious shellcode with legitimate tools and vulnerable executables. 
They use DNS tunneling for stealthier C\u0026C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.\r\nDelivery mechanism\r\nDuring our investigation, we discovered that InvisiMole is delivered to the compromised systems by a .NET downloader detected by ESET products as MSIL/Pterodo, the work of the Gamaredon group. Gamaredon is a threat actor, operating at least since 2013, characterized by rapid development and making little effort to stay under the radar. We recently documented the newest Gamaredon components, distributed through spearphishing emails and used to move laterally as far as possible within the target’s network, while fingerprinting the machines.\r\nOur research now shows Gamaredon is used to pave the way for a far stealthier payload – according to our telemetry, a small number of Gamaredon’s targets are “upgraded” to the advanced InvisiMole malware, likely those deemed particularly significant by the attackers.\r\nhttps://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal\r\nPage 1 of 16\n\nFigure 1. 
Gamaredon’s .NET downloader can “upgrade” the victim’s machine to InvisiMole’s TCP downloader\r\nAs we detail in the white paper, despite the evidence of collaboration, we consider Gamaredon and InvisiMole to be two distinct groups with different TTPs, rather than a single threat actor.\r\nSpreading and updating mechanisms\r\nWe document three ways that InvisiMole spreads within compromised networks:\r\nUsing the BlueKeep vulnerability in the RDP protocol (CVE-2019-0708)\r\nUsing the EternalBlue vulnerability in the SMB protocol (CVE-2017-0144)\r\nUsing trojanized documents and software installers, crafted using benign files stolen from the compromised organization\r\nTo craft the trojanized files, InvisiMole first steals documents or software installers from the compromised organization, and then creates an SFX archive that bundles the file with the InvisiMole installer. The original file is then replaced with the weaponized version, while its name, icon and metadata are preserved. The attackers rely on the users to share and execute these files.\r\nThis lateral movement technique is especially powerful if the trojanized file happens to be a software installer placed on a central server – a common way to deploy software in larger organizations. That way, InvisiMole is organically distributed to many computers that use this server.\r\nRegardless of the spreading method, the first InvisiMole component deployed on the newly-compromised machines is always InvisiMole’s TCP downloader – a simple addition to the toolset that downloads the next stage of the infiltration.\r\nThe second addition to the updated InvisiMole toolset, the DNS downloader, has the same functionality but is designed for long-term, covert access to the machine. 
It uses a stealthier method of C\u0026C communication, using a technique called DNS tunneling (see Figure 2).\r\nFigure 2. DNS tunneling\r\nWith DNS tunneling, the compromised client does not directly contact the C\u0026C server; it only communicates with the benign DNS server(s) the victim machine would normally communicate with, where it sends requests to resolve a domain to its IP address. The DNS server then contacts the name server responsible for the domain in the request, which is an attacker-controlled name server, and relays its response back to the client.\r\nThe actual C\u0026C communication is embedded in the DNS requests and replies, unbeknownst to the benign DNS server that operates as an intermediary in the communication.\r\nExecution chains\r\nThe most notable feature of the newest InvisiMole toolset is its long execution chains, used to deploy the final payloads – the updated RC2FM and RC2CL backdoors, and the new TCP and DNS downloaders.\r\nWe reconstructed four execution chains, used by the attackers in various situations – based on the OS version of the victim’s computer, and on whether they were able to gain administrative privileges on the system:\r\nThe Control Panel misuse chain uses a rare technique known from Vault 7 leaks, used to achieve covert execution in the context of the Control Panel.\r\nThe SMInit exploit chain exploits a vulnerability in the legitimate Total Video Player software. 
It is used in cases where the attackers haven’t managed to obtain administrative privileges on the system.\r\nThe Speedfan exploit chain exploits a local privilege escalation vulnerability in the speedfan.sys driver to inject its code to a trusted process from kernel mode.\r\nThe Wdigest exploit chain is InvisiMole’s flagship chain, the most elaborate, used on the newest versions of Windows, where the attackers have administrative privileges. It exploits a vulnerability in the Windows wdigest.dll library and then uses an improved ListPlanting technique to inject its code into a trusted process.\r\nThe vulnerable executables used in these chains are all introduced to the system by InvisiMole – the variation of this technique with a vulnerable driver has been previously referred to as Bring Your Own Vulnerable Driver by fellow researchers. For the other cases, we have named the technique Bring Your Own Vulnerable Software.\r\nWe document these tactics in detail in the Execution chains section of our white paper.\r\nFigure 3. InvisiMole’s execution chains; padlocks indicate use of per-machine encryption\r\nNote the heavy use of legitimate tools and per-victim encryption, shown in the overview of these four chains in Figure 3. 
It is the tactic of InvisiMole’s operators to exclusively install legitimate tools, and reserve the malicious payloads for later stages.\r\nTo place execution guardrails and encrypt the payloads individually per-victim, InvisiMole uses a Windows feature called Data Protection API (DPAPI), specifically:\r\nthe CryptProtectData API for data encryption\r\nthe CryptUnprotectData API for data decryption\r\nThis symmetric encryption scheme uses a key derived from the user’s logon secrets, so the decryption must be performed on the same computer where the data were encrypted.\r\nFigure 4 shows a fragment of a typical InvisiMole loader that uses CryptUnprotectData for decryption and then checks whether the decrypted blob starts with a characteristic InvisiMole four-byte magic value:\r\n64 DA 11 CE for 64-bit payloads\r\n86 DA 11 CE for 32-bit payloads\r\nFigure 4. Fragment of a characteristic InvisiMole loader\r\nThe DPAPI feature, intended for local storage of credentials such as Wi-Fi passwords or login passwords in web browsers, is abused by InvisiMole to protect its payload from security researchers. Even if they find InvisiMole’s components in telemetry or on malware sharing platforms, they can’t decrypt them outside the victim’s computer.\r\nHowever, thanks to direct cooperation with the affected organizations, we were able to recover the payloads and reconstruct four of InvisiMole’s execution chains, which are described in detail in the white paper.\r\nConclusion\r\nWhen we first reported about InvisiMole in 2018, we highlighted its covert workings and complex range of capabilities. However, a large part of the picture was missing.\r\nAfter discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. 
Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar.\r\nOur investigation also revealed a previously unknown cooperation between InvisiMole and the Gamaredon group, with Gamaredon’s malware used to infiltrate the target network and deliver the sophisticated InvisiMole malware to targets of special interest.\r\nHaving provided a detailed report on InvisiMole’s TTPs, we will continue to track the group’s malicious activities.\r\nESET detection names and other Indicators of Compromise for these campaigns can be found in the full white paper, InvisiMole: The hidden part of the story.\r\nAcknowledgements to fellow ESET malware researchers Matthieu Faou, Ladislav Janko and Michal Poslušný for their work on this investigation.\r\nMITRE ATT\u0026CK techniques\r\nNote: For better readability, we have separated the RC2FM and RC2CL backdoors into their respective ATT\u0026CK mapping tables, because of their rich capabilities. 
The first mapping pertains to InvisiMole’s supporting components used for delivery, lateral movement, execution chains, and for downloading additional payloads.\r\nInvisiMole\r\nTactic | ID | Name | Description\r\nExecution | T1196 | Control Panel Items | InvisiMole’s loader is masked as a CPL file, misusing control panel items for execution.\r\nExecution | T1106 | Execution through API | InvisiMole has used ShellExecuteW and CreateProcessW APIs to execute files.\r\nExecution | T1129 | Execution through Module Load | InvisiMole implements a custom loader for its components (InvisiMole blobs).\r\nExecution | T1203 | Exploitation for Client Execution | InvisiMole has delivered vulnerable Total Video Player software and wdigest.dll library and exploited their stack overflow and input validation vulnerabilities, respectively, to gain covert code execution.\r\nExecution | T1085 | Rundll32 | InvisiMole has used rundll32.exe as part of its execution chain.\r\nExecution | T1053 | Scheduled Task | InvisiMole has used Windows task scheduler as part of its execution chains.\r\nExecution | T1064 | Scripting | InvisiMole has used a JavaScript file named Control.js as part of its execution chain.\r\nExecution | T1035 | Service Execution | InvisiMole has registered a Windows service as one of the ways to execute its malicious payload.\r\nExecution | T1204 | User Execution | InvisiMole has been delivered as trojanized versions of software and documents, using deceiving names and icons and relying on user execution.\r\nPersistence | T1050 | New Service | InvisiMole has registered a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | InvisiMole has placed a LNK file in Startup Folder to achieve persistence.\r\nPersistence | T1053 | Scheduled Task | InvisiMole has scheduled tasks under names MSST 
and \\Microsoft\\Windows\\Autochk\\Scheduled to achieve persistence.\r\nPersistence | T1023 | Shortcut Modification | InvisiMole has placed a LNK file in Startup Folder to achieve persistence.\r\nPrivilege Escalation | T1088 | Bypass User Account Control | InvisiMole can bypass UAC to obtain elevated privileges.\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation | InvisiMole has exploited CVE-2007-5633 vulnerability in speedfan.sys driver to obtain kernel mode privileges.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | InvisiMole decrypts strings using variations of XOR cipher. InvisiMole decrypts its components using the CryptUnprotectData API and two-key triple DES.\r\nDefense Evasion | T1480 | Execution Guardrails | InvisiMole has used Data Protection API to encrypt its components on the victim’s computer, to evade detection and make sure the payload can only be decrypted (and then loaded) on one specific compromised computer.\r\nDefense Evasion | T1143 | Hidden Window | InvisiMole has executed legitimate tools in hidden windows and used them to execute malicious InvisiMole components.\r\nDefense Evasion | T1066 | Indicator Removal from Tools | InvisiMole has undergone technical improvements in attempt to evade detection.\r\nDefense Evasion | T1202 | Indirect Command Execution | InvisiMole has used winapiexec tool for indirect execution of Windows API functions.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | InvisiMole has obfuscated strings and code to make analysis more difficult, and encrypted its components to thwart detection.\r\nDefense Evasion | T1055 | Process Injection | InvisiMole has injected its code into trusted processes using an improved ListPlanting technique and via APC queue.\r\nDefense Evasion | T1108 | Redundant Access | InvisiMole has deployed multiple backdoors on a single compromised computer.\r\nDefense Evasion | T1085 
| Rundll32 | InvisiMole has used rundll32.exe as part of its execution chain.\r\nDefense Evasion | T1064 | Scripting | InvisiMole’s loader uses a JavaScript script as a part of setting up persistence.\r\nDefense Evasion | T1063 | Security Software Discovery | InvisiMole’s DNS plugin avoids connecting to the C\u0026C server if selected network sniffers are detected running.\r\nDefense Evasion | T1099 | Timestomp | InvisiMole has modified timestamps of files that it creates or modifies.\r\nDefense Evasion | T1036 | Masquerading | InvisiMole has attempted to disguise its droppers as legitimate software or documents, and to conceal itself by registering under a seemingly legitimate service name.\r\nDiscovery | T1046 | Network Service Scanning | InvisiMole has performed network scanning within the compromised network using its Portscan and BlueKeep components, in order to search for open ports and for hosts vulnerable to the BlueKeep vulnerability.\r\nDiscovery | T1518 | Software Discovery | InvisiMole’s DNS downloader attempts to detect selected network sniffer tools, and pauses its network traffic if any are detected running.\r\nDiscovery | T1082 | System Information Discovery | InvisiMole’s DNS downloader collects computer name and system volume serial number.\r\nDiscovery | T1124 | System Time Discovery | InvisiMole can collect the timestamp from the victim’s machine.\r\nLateral Movement | T1210 | Exploitation of Remote Services | InvisiMole has exploited EternalBlue and BlueKeep vulnerabilities for lateral movement.\r\nLateral Movement | T1080 | Taint Shared Content | InvisiMole has replaced legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.\r\nCommand and Control | T1043 | Commonly Used Port | InvisiMole’s downloader uses port 443 for C\u0026C communication. 
InvisiMole’s DNS plugin uses port 53 for C\u0026C communication.\r\nCommand and Control | T1090 | Connection Proxy | InvisiMole’s TCP downloader is able to utilize user-configured proxy servers for C\u0026C communication.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | InvisiMole’s TCP and DNS downloaders use a custom cryptographic protocol for encrypting network communication.\r\nCommand and Control | T1132 | Data Encoding | InvisiMole’s DNS downloader uses a variation of base32 encoding to encode data into the subdomain in its requests.\r\nCommand and Control | T1008 | Fallback Channels | InvisiMole’s TCP and DNS downloaders are configured with several C\u0026C servers.\r\nCommand and Control | T1105 | Remote File Copy | InvisiMole’s TCP and DNS downloaders can download additional files to be executed on the compromised system.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | InvisiMole’s DNS downloader uses DNS protocol for C\u0026C communication.\r\nCommand and Control | T1095 | Standard Non-Application Layer Protocol | InvisiMole’s TCP downloader uses TCP protocol for C\u0026C communication.\r\nCommand and Control | T1065 | Uncommonly Used Port | InvisiMole’s TCP downloader uses port 1922 for C\u0026C communication.\r\nRC2CL backdoor\r\nTactic | ID | Name | Description\r\nExecution | T1059 | Command-Line Interface | RC2CL backdoor can create a remote shell to execute commands.\r\nExecution | T1106 | Execution through API | RC2CL backdoor uses CreateProcess and CreateProcessAsUser APIs to execute files.\r\nPrivilege Escalation | T1134 | Access Token Manipulation | RC2CL backdoor can use CreateProcessAsUser API to start a new process under the context of another user or process.\r\nPrivilege Escalation | T1088 | Bypass User Account Control | RC2CL backdoor can disable and bypass UAC to obtain elevated privileges.\r\nDefense Evasion | T1090 
| Connection Proxy | RC2CL backdoor can be configured as a proxy relaying communication between other compromised computers and C\u0026C server.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | RC2CL backdoor decrypts strings using variations of XOR cipher.\r\nDefense Evasion | T1089 | Disabling Security Tools | RC2CL backdoor is able to disable Windows firewall.\r\nDefense Evasion | T1107 | File Deletion | RC2CL backdoor can delete dropped artifacts, and various files on-demand following a delete command. RC2CL backdoor can safely delete files to thwart forensic analysis.\r\nDefense Evasion | T1112 | Modify Registry | RC2CL backdoor hides its configuration within registry keys.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | RC2CL backdoor obfuscates/encrypts strings and code to make analysis more difficult.\r\nDefense Evasion | T1099 | Timestomp | RC2CL backdoor modifies timestamps of files that it creates/modifies.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | RC2CL backdoor is able to detect virtualized environments.\r\nDiscovery | T1087 | Account Discovery | RC2CL backdoor can list account information and session information.\r\nDiscovery | T1010 | Application Window Discovery | RC2CL backdoor can list information about active windows.\r\nDiscovery | T1083 | File and Directory Discovery | RC2CL backdoor can list files, and specifically recently opened files, and list information about mapped/unmapped drives.\r\nDiscovery | T1046 | Network Service Scanning | RC2CL backdoor is able to scan the compromised network for hosts vulnerable to EternalBlue vulnerability.\r\nDiscovery | T1057 | Process Discovery | RC2CL backdoor can list running processes.\r\nDiscovery | T1012 | Query Registry | RC2CL backdoor can query registry to obtain information about 
installed software, applications accessed by users, applications executed on user login/system start, recently opened files,\r\nDiscovery | T1063 | Security Software Discovery | RC2CL backdoor modifies its behavior if Bitdefender firewall is enabled, or if selected AV processes are detected running.\r\nDiscovery | T1518 | Software Discovery | RC2CL backdoor can list installed software, recently accessed software by users, software executed on each user login and/or each system start.\r\nDiscovery | T1082 | System Information Discovery | RC2CL backdoor can list information about loaded drivers, computer name, OS version, memory status, local time, system and process DEP policy.\r\nDiscovery | T1016 | System Network Configuration Discovery | RC2CL backdoor can list IP table; configured proxy information; information about enabled wireless networks for geolocation of the victims.\r\nDiscovery | T1007 | System Service Discovery | RC2CL backdoor can list system service information.\r\nCollection | T1123 | Audio Capture | RC2CL backdoor can record the sounds from microphones on a computer. RC2FM misuses a legitimate lame.dll for MP3 encoding of the recordings.\r\nCollection | T1005 | Data from Local System | RC2CL backdoor can collect data from the system, and can monitor changes in specified directories.\r\nCollection | T1074 | Data Staged | RC2CL backdoor can store collected data in a central location for a later exfiltration.\r\nCollection | T1113 | Screen Capture | RC2CL backdoor can capture screenshots of the victim’s screen. RC2CL backdoor can also capture screenshots of separate windows.\r\nCollection | T1125 | Video Capture | RC2CL backdoor can access victim’s webcam and capture photos/record videos.\r\nCommand and Control | T1008 | Fallback Channels | RC2CL backdoor is configured with several C\u0026C servers. 
Via a backdoor command, it is possible to extend the list and change which C\u0026C server is used.\r\nCommand and Control | T1105 | Remote File Copy | InvisiMole can download additional files to be executed on the compromised system.\r\nCommand and Control | T1065 | Uncommonly Used Port | RC2CL backdoor uses port 1922 for C\u0026C communication.\r\nExfiltration | T1002 | Data Compressed | RC2CL backdoor can create zlib and SFX archives. It misuses a copy of the legitimate WinRAR tool for compression and decompression.\r\nExfiltration | T1022 | Data Encrypted | RC2CL backdoor uses variations of XOR cipher to encrypt data.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | RC2CL backdoor exfiltrates collected information over its C\u0026C channel.\r\nRC2FM backdoor\r\nTactic | ID | Name | Description\r\nExecution | T1059 | Command-Line Interface | RC2FM backdoor can create a remote shell to execute commands.\r\nExecution | T1106 | Execution through API | RC2FM backdoor supports a command that uses ShellExecute and CreateProcess APIs to execute files.\r\nPrivilege Escalation | T1088 | Bypass User Account Control | RC2FM backdoor can bypass UAC to obtain elevated privileges.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | RC2FM backdoor decrypts strings using variations of XOR cipher.\r\nDefense Evasion | T1107 | File Deletion | RC2FM backdoor can delete dropped artifacts, and various files on-demand following a delete command.\r\nDefense Evasion | T1143 | Hidden Window | RC2FM backdoor uses CREATE_NO_WINDOW creation flag to execute malware in a hidden window.\r\nDefense Evasion | T1112 | Modify Registry | RC2FM backdoor hides its configuration within registry keys.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | RC2FM backdoor obfuscates/encrypts strings and code to make analysis more difficult.\r\nDefense Evasion | T1055 | Process Injection | RC2FM backdoor can 
inject itself into ctfmon.exe, dwm.exe, sihost.exe and taskhost.exe processes.\r\nDefense Evasion | T1085 | Rundll32 | RC2FM backdoor uses rundll32.exe to load a stub DLL into which it then injects itself.\r\nDefense Evasion | T1099 | Timestomp | RC2FM backdoor modifies timestamps of files that it creates/modifies.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | RC2FM backdoor is able to detect virtualized environments.\r\nDiscovery | T1083 | File and Directory Discovery | RC2FM backdoor collects information about mapped drives. It can list files in a specific folder.\r\nDiscovery | T1135 | Network Share Discovery | RC2FM backdoor can list connected network shares.\r\nDiscovery | T1057 | Process Discovery | RC2FM backdoor can list running processes.\r\nDiscovery | T1082 | System Information Discovery | RC2FM backdoor collects computer name and system volume serial number.\r\nDiscovery | T1016 | System Network Configuration Discovery | RC2FM backdoor lists information about configured proxy servers.\r\nCollection | T1123 | Audio Capture | RC2FM backdoor can record the sounds from microphones on a computer. It misuses a legitimate lame.dll for MP3 encoding of the recordings.\r\nCollection | T1025 | Data from Removable Media | RC2FM backdoor can collect jpeg files from connected MTP devices.\r\nCollection | T1056 | Input Capture | RC2FM backdoor can collect keystrokes.\r\nCollection | T1113 | Screen Capture | RC2FM backdoor can capture screenshots of the victim’s screen.\r\nCommand and Control | T1043 | Commonly Used Port | RC2FM backdoor uses port 80 for C\u0026C communication.\r\nCommand and Control | T1090 | Connection Proxy | RC2FM backdoor can use proxies configured on the local system, for various installed and portable browsers, if direct connection to the C\u0026C server fails.\r\nCommand and Control | T1008 | Fallback Channels | RC2FM backdoor is configured with several C\u0026C servers. 
It is possible to update the C\u0026C server by a backdoor command.\r\nCommand and Control | T1105 | Remote File Copy | InvisiMole can download additional files to be executed on the compromised system.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | RC2FM backdoor uses HTTP for C\u0026C communication.\r\nExfiltration | T1022 | Data Encrypted | RC2FM backdoor uses variations of XOR cipher to encrypt data.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | RC2FM backdoor exfiltrates collected information over its C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal"
	],
	"report_names": [
		"digging-up-invisimole-hidden-arsenal"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9eaca02eda05e8da117331d5bfabacc2e5a96465.pdf",
		"text": "https://archive.orkl.eu/9eaca02eda05e8da117331d5bfabacc2e5a96465.txt",
		"img": "https://archive.orkl.eu/9eaca02eda05e8da117331d5bfabacc2e5a96465.jpg"
	}
}