{
	"id": "c00292f6-e8ed-43fd-9578-4faefa2f88d2",
	"created_at": "2026-04-06T00:16:09.114927Z",
	"updated_at": "2026-04-10T03:37:04.376845Z",
	"deleted_at": null,
	"sha1_hash": "c5669bdd03f21f186243a00cf75b0478dd81cc0c",
	"title": "Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43047,
	"plain_text": "Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers\r\nArchived: 2026-04-05 17:58:31 UTC\r\nUkrainian security officials have warned of ongoing attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon.\r\nLast week, the Computer Emergency Response Team of Ukraine (CERT-UA) said it had been advised of new phishing campaigns against Ukrainian organizations that spread the LoadEdge backdoor.\r\nAccording to CERT-UA, the phishing emails carry an attached archive, 501_25_103.zip, along with a shortcut (LNK) file. If the shortcut is opened, an HTML Application (HTA) file downloads and executes VBScript that deploys LoadEdge.\r\nOnce the backdoor has connected to an InvisiMole command-and-control (C2) server, further payloads are downloaded and executed, including TunnelMole, which abuses the DNS protocol to form a tunnel for distributing further malware, and RC2FM and RC2CL, data-collection and surveillance backdoor modules. Persistence is maintained through the Windows registry.\r\nInvisiMole was first documented by ESET researchers in 2018. The threat actors have been active since at least 2013 and have been connected to attacks against \"high-profile\" organizations in Eastern Europe involved in military activities and diplomatic missions.\r\nIn 2020, ESET researchers established a link between InvisiMole and Gamaredon/Primitive Bear, with the latter apparently carrying out the initial intrusion before InvisiMole begins its own operation.\r\n\"We discovered InvisiMole's arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges,\" ESET said at the time. 
\"This allows the InvisiMole group to devise creative ways to operate under the radar.\"\r\nPalo Alto Networks has also been tracking Gamaredon and said in February that the APT had attempted to compromise an unnamed \"Western government entity\" in Ukraine through fake job listings.\r\nCERT-UA has also begun tracking the activities of Vermin/UAC-0020, a group that has been attempting to break into the systems of Ukrainian state authorities. Vermin has been using the topic of supplies as a spear-phishing lure; the emails carry a letter and a password-protected archive containing the Spectr malware.\r\nIn 2018, ESET and Palo Alto Networks published research on Vermin, a group that has been active for at least four years and may date back as far as 2015.\r\nVermin targeted Ukrainian government institutions from the outset, with the remote access Trojans (RATs) Quasar, Sobaken, and Vermin as its tools of choice.\r\nWhile the Quasar and Sobaken variants were compiled from freely available open-source code, Vermin is described as a \"custom-made\" RAT able to perform data exfiltration, keylogging, audio recording, and credential theft.\r\nIn related news this month, Aqua Security's Team Nautilus said that public cloud repositories are being used to host resources on both sides of the war, with Ukraine's call for an \"IT Army\" of volunteers becoming a catalyst for public tools to launch denial-of-service (DoS) attacks against online Russian services.\r\nIt is not just RATs and surveillance-based malware that Ukrainian organizations are having to contend with. 
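The TunnelMole stage described earlier works by carrying data inside DNS queries to a domain the operator controls, so the observable pattern on the network is many unique, long, high-entropy subdomains under one registered domain. The script below is an added example of a heuristic hunt for that pattern; it is not code from the article, CERT-UA or ESET, and it is not a signature for TunnelMole itself. The log shape (timestamp|host|process|query), the host and process names, the domains and the thresholds are all assumptions constructed for the example; the tunnel-looking queries are generated from hashes to stand in for encoded data chunks.

```python
import base64
import hashlib
import math
from collections import defaultdict


def _fake_tunnel_query(seq):
    # Stand-in for an encoded data chunk: base32 of a hash, roughly the way a
    # tunnel encodes a payload block into a label. Purely synthetic; the domain
    # c2-example.test is invented and is not an indicator from any report.
    digest = hashlib.sha256(str(seq).encode()).digest()
    chunk = base64.b32encode(digest).decode().lower().rstrip('=')[:40]
    return chunk + '.q' + str(seq).zfill(4) + '.c2-example.test'


# Constructed sample loosely modelled on Sysmon Event ID 22 (DNS query) data.
# Hosts, processes and domains are invented. Attributing the tunnel queries to
# wscript.exe is an assumption for the sample (the VBScript host), not a fact
# from the article.
SAMPLE_DNS_LOG = (
    ['2022-03-18T09:00:0%d|WS01|chrome.exe|www.example.com' % i for i in range(10)]
    + ['2022-03-18T09:01:00|WS01|outlook.exe|mail.example.com',
       '2022-03-18T09:01:05|WS01|outlook.exe|autodiscover.example.com',
       '2022-03-18T09:01:10|WS01|chrome.exe|d1a2b3c4e5f6.cdn-example.net',
       '2022-03-18T09:01:15|WS01|chrome.exe|a9b8c7d6e5f4.cdn-example.net']
    + ['2022-03-18T09:02:%02d|WS01|wscript.exe|%s' % (i, _fake_tunnel_query(i))
       for i in range(12)]
)


def shannon_entropy(text):
    # Bits per character of the observed symbol distribution of text.
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    # Naive split into (subdomain, registered domain) using the last two
    # labels. Adequate for the sample; a real deployment should use the
    # Public Suffix List so that e.g. co.uk is not treated as a domain.
    labels = qname.lower().strip('.').split('.')
    if len(labels) < 2:
        return '', qname.lower()
    return '.'.join(labels[:-2]), '.'.join(labels[-2:])


def parse_event(line):
    ts, host, process, query = line.split('|', 3)
    return {'ts': ts, 'host': host, 'process': process, 'query': query}


def profile_domains(lines):
    # Aggregate per registered domain: query count, distinct names, mean
    # subdomain length, mean subdomain entropy and the querying processes.
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        sub, dom = split_query(ev['query'])
        buckets[dom].append((sub, ev['process']))
    profiles = {}
    for dom, items in buckets.items():
        subs = [s for s, _ in items]
        profiles[dom] = {
            'queries': len(subs),
            'unique_names': len(set(subs)),
            'mean_sub_len': sum(len(s) for s in subs) / len(subs),
            'mean_sub_entropy': sum(shannon_entropy(s) for s in subs) / len(subs),
            'processes': sorted(set(p for _, p in items)),
        }
    return profiles


def flag_tunnel_domains(lines, min_queries=8, min_unique_ratio=0.8,
                        min_sub_len=30.0, min_entropy=3.5):
    # Thresholds are starting points to tune against your own baseline, not
    # universal values: CDNs and some telemetry services can look similar, so
    # treat a hit as a lead for triage (which process, how much volume), not
    # as a verdict.
    flagged = []
    for dom, p in profile_domains(lines).items():
        ratio = p['unique_names'] / p['queries']
        if (p['queries'] >= min_queries and ratio >= min_unique_ratio
                and p['mean_sub_len'] >= min_sub_len
                and p['mean_sub_entropy'] >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == '__main__':
    for dom, p in sorted(profile_domains(SAMPLE_DNS_LOG).items()):
        print('%-18s queries=%2d unique=%2d len=%5.1f entropy=%4.2f procs=%s' % (
            dom, p['queries'], p['unique_names'], p['mean_sub_len'],
            p['mean_sub_entropy'], ','.join(p['processes'])))
    print('flagged:', flag_tunnel_domains(SAMPLE_DNS_LOG))
```

On the constructed sample, the repeated lookups of www.example.com have a low unique-name ratio and the CDN hostnames are too few to matter, so only the synthetic tunnel domain is flagged; in practice the same profile should be joined with the querying process and with the registry autorun checks the article alludes to before anyone acts on it.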
ESET has detected three forms of wiper malware, designed to destroy files and resources rather than to steal information or spy on victims, in as many weeks.\r\nThe latest wiper, dubbed CaddyWiper, has been found \"on a few dozen systems in a limited number of organizations,\" according to ESET.\r\nPrevious and related coverage\r\nSecurity researchers warn of phishing attempts against officials helping refugees\r\nUkraine security agencies warn of Ghostwriter threat activity, phishing campaigns\r\nCaddyWiper: More destructive wiper malware strikes Ukraine\r\nSource: https://www.zdnet.com/article/ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers/"
	],
	"report_names": [
		"ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5669bdd03f21f186243a00cf75b0478dd81cc0c.pdf",
		"text": "https://archive.orkl.eu/c5669bdd03f21f186243a00cf75b0478dd81cc0c.txt",
		"img": "https://archive.orkl.eu/c5669bdd03f21f186243a00cf75b0478dd81cc0c.jpg"
	}
}