{
	"id": "7bd4b6e8-8652-4f9b-98e1-b8137215892f",
	"created_at": "2026-04-06T00:08:10.842571Z",
	"updated_at": "2026-04-10T03:25:50.555798Z",
	"deleted_at": null,
	"sha1_hash": "dbcda35fb69bab891a8ce1c5635a8fa13d9f76cb",
	"title": "InvisiMole (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29678,
	"plain_text": "InvisiMole (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:28:14 UTC\r\nInvisiMole had a modular architecture, starting with a wrapper DLL and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers spy on the victim.\r\nThe malicious actors behind this malware were active since at least 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which caused it to be loaded into the Windows Explorer process during Windows startup instead of the legitimate library.\r\nThe malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.\r\nThe smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features such as capturing sound, taking screenshots or monitoring all fixed and removable drives.\r\nThe second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software, etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces.\r\n[TLP:WHITE] win_invisimole_auto (20251219 | Detects win.invisimole.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole"
	],
	"report_names": [
		"win.invisimole"
	],
	"threat_actors": [
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775791550,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbcda35fb69bab891a8ce1c5635a8fa13d9f76cb.pdf",
		"text": "https://archive.orkl.eu/dbcda35fb69bab891a8ce1c5635a8fa13d9f76cb.txt",
		"img": "https://archive.orkl.eu/dbcda35fb69bab891a8ce1c5635a8fa13d9f76cb.jpg"
	}
}