{ "id": "a9f34121-d9e1-416e-b813-fff37dcba79f", "created_at": "2026-04-06T00:15:35.556945Z", "updated_at": "2026-04-10T03:37:04.332947Z", "deleted_at": null, "sha1_hash": "c22e5d53a665056c04686083fe6423eca2d59a8a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46463, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:20:10 UTC\n APT group: InvisiMole\nNames\nInvisiMole (ESET)\nUAC-0035 (CERT-UA)\nCountry Russia\nMotivation Information theft and espionage\nFirst seen 2013\nDescription\n(ESET) This is the modus operandi of the two malicious components of InvisiMole.\nThey turn the affected computer into a video camera, letting the attackers see and\nhear what’s going on in the victim’s office or wherever their device may be.\nUninvited, InvisiMole’s operators access the system, closely monitoring the victim’s\nactivities and stealing the victim’s secrets.\nOur telemetry indicates that the malicious actors behind this malware have been\nactive at least since 2013, yet the cyber-espionage tool was never analyzed nor\ndetected until discovered by ESET products on compromised computers in Ukraine\nand Russia.\nThe campaign is highly targeted – no wonder the malware has a low infection ratio,\nwith only a few dozen computers being affected.\nESET also found that InvisiMole targeted computers already compromised by\nGamaredon Group.\nObserved\nSectors: Defense, Government.\nCountries: Russia, Ukraine and Eastern Europe.\nTools used InvisiMole.\nOperations performed\nLate 2019\nESET researchers reveal the modus operandi of the elusive\nInvisiMole group, including newly discovered ties with the\nGamaredon group\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=21785caa-d383-454d-a0cb-4242e57d0f8e\nPage 1 of 2\n\nMar 2022\nUkraine warns of InvisiMole attacks tied to state-sponsored Russian\nhackers\nInformation\nLast change to this card: 08 April 2022\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=21785caa-d383-454d-a0cb-4242e57d0f8e\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=21785caa-d383-454d-a0cb-4242e57d0f8e\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=21785caa-d383-454d-a0cb-4242e57d0f8e" ], "report_names": [ "showcard.cgi?u=21785caa-d383-454d-a0cb-4242e57d0f8e" ], "threat_actors": [ { "id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308", "created_at": "2022-10-25T15:50:23.320841Z", "updated_at": "2026-04-10T02:00:05.356444Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard" ], "source_name": "MITRE:Gamaredon Group", "tools": [ "QuietSieve", "Pteranodon", "Remcos", "PowerPunch" ], "source_id": "MITRE", "reports": null }, { "id": "11f52079-26d3-4e06-8665-6a0b3efdc41c", "created_at": "2022-10-25T16:07:23.736987Z", "updated_at": "2026-04-10T02:00:04.732021Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [ "UAC-0035" ], "source_name": "ETDA:InvisiMole", "tools": [ "InvisiMole" ], "source_id": "ETDA", "reports": null }, { "id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b", "created_at": "2023-01-06T13:46:39.095233Z", "updated_at": "2026-04-10T02:00:03.21157Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [], "source_name": "MISPGALAXY:InvisiMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d5156b55-5d7d-4fb2-836f-861d2e868147", "created_at": "2023-01-06T13:46:38.557326Z", "updated_at": "2026-04-10T02:00:03.023048Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "ACTINIUM", "DEV-0157", "Blue Otso", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm", "UAC-0010", "BlueAlpha", "Trident Ursa", "Winterflounder", "Aqua Blizzard", "Actinium" ], "source_name": "MISPGALAXY:Gamaredon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434535, "ts_updated_at": 1775792224, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c22e5d53a665056c04686083fe6423eca2d59a8a.pdf", "text": "https://archive.orkl.eu/c22e5d53a665056c04686083fe6423eca2d59a8a.txt", "img": "https://archive.orkl.eu/c22e5d53a665056c04686083fe6423eca2d59a8a.jpg" } }