Threat Actor Database
#364

InvisiMole

APT

InvisiMole is a cyber espionage group, active since at least October 2013, that targets high-profile organizations primarily in Eastern Europe, Russia, and Ukraine, focusing on military and diplomatic entities for long-term surveillance operations. Assessed with high confidence to be linked to Russian state-sponsored activity, the group distinguishes itself through the use of sophisticated custom malware with extensive spying capabilities, multi-stage malware payloads, and living-off-the-land techniques to achieve stealth and persistence. InvisiMole often cooperates with the Gamaredon group, leveraging Gamaredon's initial network infiltration to deploy its more advanced toolset. The group has been tracked by CERT-UA as UAC-0035.

Country of origin: RU
Motivation: Information theft and espionage
Victims: 4
First seen: 2013-10-13
Last seen: 2026-06-12

Target Countries

Armenia
Belarus
Estonia
Greece
Russian Federation
Ukraine
United States
South Africa

Target Sectors

Construction
Public Administration
Publishing Services
Telecommunications
Space & Defense
National Security & International Affairs
Periodical Publishers
National Security
Energy & Utilities
Manufacturing
Information Services
Finance
Educational Services
Health Care & Social Assistance
Retail
Cryptocurrency & NFT

Related CVEs

CVE-2019-16098
CVE-2018-20250
CVE-2018-19320
CVE-2017-0147

ATT&CK IDs

T1547 - Boot or Logon Autostart Execution
T1574 - Hijack Execution Flow
T1221 - Template Injection
T1204 - User Execution
T1555 - Credentials from Password Stores
T1001 - Data Obfuscation
T1059.001 - Command and Scripting Interpreter: PowerShell
T1218 - Signed Binary Proxy Execution
T1543 - Create or Modify System Process
T1583 - Acquire Infrastructure
T1021 - Remote Services
T1608 - Stage Capabilities
T1036 - Masquerading
T1584 - Compromise Infrastructure
T1560 - Archive Collected Data
T1082 - System Information Discovery
T1573 - Encrypted Channel
T1059 - Command and Scripting Interpreter