Threat Actor Database
#382

InvisiMole

APT

InvisiMole is a cyber espionage group that first emerged in at least 2013, with early versions of its malware having a PE timestamp of October 13, 2013. The group is assessed with moderate confidence to be of Russian origin, given its strong connections to the Russia-linked Gamaredon threat group and its targeting of entities in both Ukraine and Russia. Its primary motivation is cyber espionage, focusing on long-term surveillance operations against high-profile targets. What distinguishes InvisiMole is its use of highly potent, custom spyware designed for extensive data exfiltration and covert operation, often deployed in very limited, targeted campaigns with a low infection ratio. The group frequently cooperates with Gamaredon, where InvisiMole's more advanced tools are reserved for particularly significant targets already compromised by Gamaredon. InvisiMole's malware components often feature per-victim encryption to hinder detection and analysis.

RU
Information theft and espionage
4 victims
First seen: 2013-10-13
Last seen: 2026-06-15

Target Countries

Russian Federation
Ukraine

Target Sectors

Public Administration
National Security & International Affairs
Energy & Utilities
Manufacturing
Information Services
Finance
Educational Services
Health Care & Social Assistance
Telecommunications
Space & Defense
Construction
Retail
Cryptocurrency & NFT
Periodical Publishers

Related CVEs

CVE-2019-16098
CVE-2018-20250
CVE-2018-19320
CVE-2017-0147

ATT&CK IDs

T1547 - Boot or Logon Autostart Execution
T1574 - Hijack Execution Flow
T1221 - Template Injection
T1204 - User Execution
T1555 - Credentials from Password Stores
T1001 - Data Obfuscation
T1059.001 - Command and Scripting Interpreter: PowerShell
T1218 - Signed Binary Proxy Execution
T1543 - Create or Modify System Process
T1583 - Acquire Infrastructure
T1021 - Remote Services
T1608 - Stage Capabilities
T1036 - Masquerading
T1584 - Compromise Infrastructure
T1560 - Archive Collected Data
T1082 - System Information Discovery
T1573 - Encrypted Channel
T1059 - Command and Scripting Interpreter