S0260: InvisiMole
InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[1][2]
Analyst context for executives and security teams
InvisiMole is a Windows-focused modular spyware family with backdoor modules used for post-exploitation activity. Its ATT&CK relationships show why it matters operationally: the behavior spans stealth, persistence, discovery, collection, command-and-control disguise, and credential-relevant collection such as keylogging. For leaders, this is less about one malware name and more about whether Windows monitoring can prove coverage for long-running espionage-style activity that blends into normal services, scheduled tasks, processes, scripts, and network traffic.
Executive priority
Prioritize this as a resilience and assurance question for Windows estates that handle sensitive data or operate in regions or business contexts where targeted intrusion risk is material. The supplied ATT&CK data does not provide detection guidance, so executives should ask whether SOC and IR teams can validate telemetry for persistence, process injection, local/removable data access, command execution, registry/service discovery, and disguised or fallback C2. This also supports audit and compliance evidence: controls should demonstrate not only malware prevention, but visibility into post-compromise behavior and data collection paths.
Technical view
ATT&CK lists InvisiMole as Windows malware and relates it to techniques including protocol/service impersonation, fallback C2, local and removable-media collection, registry/service/process/window/user/network discovery, scheduled tasks, process injection variants, Windows command shell, JavaScript/JScript execution, keylogging, obfuscation, masquerading, and privilege escalation through exploitation. SOC teams should validate behavioral detections around these technique clusters rather than relying on static indicators alone. IR teams should be prepared to investigate persistence via scheduled tasks or masqueraded services, suspicious script or cmd execution, injected processes, evidence of local or removable-media file access, and network sessions that appear to imitate legitimate protocols or shift to alternate channels.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows scheduled task creation, modification, and execution records
- Windows service creation, service query, and service metadata changes
- Registry query and modification telemetry
- Endpoint file access telemetry for local files and removable media
Detection direction
- Build coverage around ATT&CK technique clusters used by this malware, since the official object provides no dedicated detection text.
- Correlate persistence indicators such as scheduled tasks and service changes with suspicious command shell, script execution, or unusual binary locations/names.
- Tune for masquerading carefully: compare task, service, file, and registry names against known-good baselines rather than treating familiar-looking names as benign.
- Validate EDR visibility for process injection behaviors on Windows, including PE injection, APC-related patterns, and other cross-process execution signals.
- Review network analytics for traffic that mimics legitimate protocols or services and for fallback channels; avoid depending only on blocklists or signatures.
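One way to act on the baseline-comparison and unusual-binary-location advice above, as an added example that is not MITRE's, ESET's or Glexia's code: a Python check over constructed service-installation records that flags names which merely resemble a known-good entry, baseline names bound to an unexpected binary, and binaries (including DLLs handed to rundll32.exe) outside trusted directories. The baseline contents, trusted directories and the key=value event form are assumptions.

```python
"""Baseline check for newly installed Windows services (constructed example)."""
import re
from difflib import SequenceMatcher

# Constructed sample events in a simplified key=value form, not real EVTX output.
SAMPLE_EVENTS = [
    'EventID=7045 Name="clr_optimization_v4.0.30319_32" '
    'Path="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe"',
    'EventID=7045 Name="clr_optimization_v2.0.51527_X86" Path="C:\\Users\\Public\\svc.exe"',
    'EventID=7045 Name="CsPower" Path="C:\\Windows\\System32\\rundll32.exe C:\\Windows\\mpr.dll,Start"',
    'EventID=7045 Name="wuauserv" Path="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
]

# Assumed known-good baseline: service name -> expected executable (lower-cased).
# In practice this comes from a golden image or an inventory export.
BASELINE = {
    "clr_optimization_v4.0.30319_32":
        r"c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe",
    "wuauserv": r"c:\windows\system32\svchost.exe",
}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\microsoft.net")  # assumed
LOOKALIKE_THRESHOLD = 0.7  # similarity above which a non-baseline name is suspicious

EVENT_RE = re.compile(r'EventID=(\d+) Name="([^"]*)" Path="([^"]*)"')


def parse_event(line):
    """Return (event_id, name, path) or None when the line is not a service event."""
    m = EVENT_RE.match(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def binaries_of(path):
    """Executable plus, for rundll32, the DLL it loads (lower-cased, arguments dropped)."""
    tokens = path.strip().lower().split(" ")
    bins = [tokens[0]]
    if tokens[0].endswith("rundll32.exe") and len(tokens) > 1:
        bins.append(tokens[1].split(",")[0])
    return bins


def assess(name, path):
    """Return the reasons an event deserves review; an empty list means baseline-consistent."""
    reasons = []
    lname, bins = name.lower(), binaries_of(path)
    if lname in BASELINE:
        if bins[0] != BASELINE[lname]:
            reasons.append("baseline name but unexpected binary: " + bins[0])
    else:
        # A near-miss of a known name is more suspicious than an unrelated new name.
        best = max(BASELINE, key=lambda b: SequenceMatcher(None, lname, b).ratio())
        score = SequenceMatcher(None, lname, best).ratio()
        if score >= LOOKALIKE_THRESHOLD:
            reasons.append(f"look-alike of baseline service {best} (similarity {score:.2f})")
        else:
            reasons.append("name not in baseline")
    for b in bins:
        if not b.startswith(TRUSTED_DIRS):
            reasons.append("runs from outside trusted directories: " + b)
    return reasons


def review(lines):
    """Map each flagged service name to the reasons it was flagged."""
    findings = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[0] == 7045:
            reasons = assess(parsed[1], parsed[2])
            if reasons:
                findings[parsed[1]] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in review(SAMPLE_EVENTS).items():
        print(svc, "->", "; ".join(why))
```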
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, task, service, registry, script, file, and network logs are collected and retained for investigation.
- Reduce execution and persistence opportunities through controlled script execution, least privilege, and review of scheduled task and service creation rights.
- Strengthen endpoint prevention and response controls that can observe memory-based and injected execution, not only files on disk.
- Maintain vulnerability management and patch prioritization for Windows systems to reduce privilege escalation opportunities.
- Apply egress control and monitoring for unusual outbound communications, including traffic that appears to impersonate legitimate services or uses alternate channels.
Analyst notes and limits
The object’s official description identifies InvisiMole as modular spyware used by the InvisiMole Group since at least 2013, with RC2FM and RC2CL backdoor modules, and notes discovery on victims in Ukraine and Russia. It also states Gamaredon Group infrastructure was used to download and execute InvisiMole against a small number of victims. Those statements are useful for threat-intelligence context, but defensive planning should focus on the ATT&CK behavior relationships and local telemetry validation.
Official detection guidance is not provided. The object platform is Windows, while several related ATT&CK techniques list broader platforms; this analysis applies platform recommendations to Windows unless otherwise stated. No claim is made that any environment is exposed, that activity is currently occurring, or that specific detections will be effective without local validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | InvisiMole uses variations of a simple XOR encryption routine for C&C communications. [1] |
| Enterprise | T1686 | Disable or Modify System Firewall | InvisiMole has a command to disable routing and the Firewall on the victim’s machine. [1] |
| Enterprise | T1025 | Data from Removable Media | InvisiMole can collect jpeg files from connected MTP devices. [2] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | InvisiMole has used rundll32.exe for execution. [2] |
| Enterprise | T1490 | Inhibit System Recovery | InvisiMole can remove all system restore points. [1] |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | InvisiMole can inject its backdoor as a portable executable into a target process. [2] |
| Enterprise | T1497.001 | System Checks Sub-technique | InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environments, and terminate itself if they are detected. [2] |
| Enterprise | T1569.002 | Service Execution Sub-technique | InvisiMole has used Windows services as a way to execute its malicious payload. [2] |
| Enterprise | T1070.004 | File Deletion Sub-technique | InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers. [1][2] |
| Enterprise | T1008 | Fallback Channels | InvisiMole has been configured with several servers available for alternate C2 communications. [1][2] |
| Enterprise | T1559.001 | Component Object Model Sub-technique | InvisiMole can use the |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | InvisiMole can place a lnk file in the Startup Folder to achieve persistence. [2] |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | InvisiMole can inject its code into a trusted process via the APC queue. [2] |
| Enterprise | T1095 | Non-Application Layer Protocol | InvisiMole has used TCP to download additional modules. [2] |
| Enterprise | T1560.002 | Archive via Library Sub-technique | InvisiMole can use zlib to compress and decompress data. [1][2] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated. [1] |
| Enterprise | T1113 | Screen Capture | InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping. [1][2] |
| Enterprise | T1010 | Application Window Discovery | InvisiMole can enumerate windows and child windows on a compromised host. [1][2] |
| Enterprise | T1056.001 | Keylogging Sub-technique | InvisiMole can capture keystrokes on a compromised host. [2] |
| Enterprise | T1033 | System Owner/User Discovery | InvisiMole lists local users and session information. [1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine. [1][2] |
| Enterprise | T1005 | Data from Local System | InvisiMole can collect data from the system, and can monitor changes in specified directories. [1] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | InvisiMole can create hidden system directories. [2] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | InvisiMole has exploited the CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges. [2] |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests. [2] |
| Enterprise | T1112 | Modify Registry | InvisiMole has a command to create, set, copy, or delete a specified Registry key or value. [1][2] |
| Enterprise | T1218.002 | Control Panel Sub-technique | InvisiMole can register itself for execution and persistence via the Control Panel. [2] |
| Enterprise | T1059.007 | JavaScript Sub-technique | InvisiMole can use a JavaScript file as part of its execution chain. [2] |
| Enterprise | T1007 | System Service Discovery | InvisiMole can obtain running services on the victim. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID. [1][2] |
| Enterprise | T1480.001 | Environmental Keying Sub-technique | InvisiMole can use the Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer. [2] |
| Enterprise | T1055.015 | ListPlanting Sub-technique | InvisiMole has used ListPlanting to inject code into a trusted process. [2] |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients. [1] |
| Enterprise | T1055 | Process Injection | InvisiMole can inject itself into another process to avoid detection, including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure. [2] |
| Enterprise | T1082 | System Information Discovery | InvisiMole can gather information on the OS version, computer name, DEP policy, and memory size. [1][2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | InvisiMole can launch a remote shell to execute commands. [1][2] |
| Enterprise | T1680 | Local Storage Discovery | InvisiMole can gather information on the mapped drives and system volume serial number. [1][2] |
| Enterprise | T1543.003 | Windows Service Sub-technique | InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence. [2] |
| Enterprise | T1071.004 | DNS Sub-technique | InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | InvisiMole avoids analysis by encrypting all strings, internal files, and configuration data, and by using a custom executable format. [1][2] |
| Enterprise | T1123 | Audio Capture | InvisiMole can record sound using input audio devices. [1][2] |
| Enterprise | T1210 | Exploitation of Remote Services | InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively. [2] |
| Enterprise | T1087.001 | Local Account Sub-technique | InvisiMole has a command to list account information on the victim’s machine. [1] |
| Enterprise | T1083 | File and Directory Discovery | InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask. [1] |
| Enterprise | T1518 | Software Discovery | InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system. [1][2] |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration. [1] |
| Enterprise | T1070.006 | Timestomp Sub-technique | InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with the Data Protection API, two-key triple DES, and variations of the XOR cipher. [1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | InvisiMole can upload files to the victim's machine for operations. [1][2] |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | InvisiMole can mimic the HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP. [1][2] |
| Enterprise | T1070.005 | Network Share Connection Removal Sub-technique | InvisiMole can disconnect previously connected remote drives. [1] |
| Enterprise | T1119 | Automated Collection | InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file. [1][2] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | InvisiMole can use a fileless UAC bypass and create an elevated COM object to escalate privileges. [1][2] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | InvisiMole has executed legitimate tools in hidden windows. [2] |
| Enterprise | T1080 | Taint Shared Content | InvisiMole can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network. [2] |
| Enterprise | T1125 | Video Capture | InvisiMole can remotely activate the victim’s webcam to capture content. [1][2] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | InvisiMole can check for the presence of network sniffers, AV, and the BitDefender firewall. [2] |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence. [2] |
| Enterprise | T1574.001 | DLL Sub-technique | InvisiMole can be launched by using DLL search order hijacking, in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library. [1] |
| Enterprise | T1046 | Network Service Discovery | InvisiMole can scan the network for open ports and vulnerable instances of the RDP and SMB protocols. [2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | InvisiMole can deliver trojanized versions of software and documents, relying on user execution. [2] |
| Enterprise | T1124 | System Time Discovery | InvisiMole gathers the local system time from the victim’s machine. [1][2] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | InvisiMole has used scheduled tasks named |
| Enterprise | T1071.001 | Web Protocols Sub-technique | InvisiMole uses HTTP for C2 communications. [1] |
| Enterprise | T1135 | Network Share Discovery | InvisiMole can gather network share information. [1] |
| Enterprise | T1090.002 | External Proxy Sub-technique | InvisiMole can identify proxy servers used by the victim and use them for C2 communication. [1][2] |
| Enterprise | T1057 | Process Discovery | InvisiMole can obtain a list of running processes. [1][2] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name. [2] |
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | InvisiMole has undergone regular technical improvements in an attempt to evade detection. [2] |
| Enterprise | T1203 | Exploitation for Client Execution | InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution. [2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder. [1][2] |
| Enterprise | T1106 | Native API | InvisiMole can use the winapiexec tool for indirect execution of |
| Enterprise | T1012 | Query Registry | InvisiMole can enumerate Registry values, keys, and data. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 3f68e1202752… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET InvisiMole June 2018. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
[2] ESET InvisiMole June 2020. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
[3] InvisiMole (alias entry; citation: ESET InvisiMole June 2018).
[4] mitre-attack S0260.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.