22 March 2022

InvisiMole APT targets Ukrainian state orgs with phishing attacks
The Computer Emergency Response Team for Ukraine (CERT-UA) has issued a security alert warning of phishing attacks against government entities in Ukraine launched by InvisiMole (aka UAC-0035), a hacker group with ties to the Russia-linked advanced persistent threat (APT) group Gamaredon.

The malicious campaign involves phishing messages containing an attached archive named “501_25_103.zip.” When opened, it downloads and executes an HTML Application file (HTA), which, in turn, downloads and executes VBScript designed to deploy the LoadEdge backdoor. This tool is then used to download additional malicious programs, such as TunnelMole (DNS backdoor), and RC2FM and RC2C modules (both are backdoors acting as data collection and surveillance tools).

First spotted in 2018, InvisiMole is believed to have been active since at least 2013. In the past, the group was linked to attacks against high-profile organizations in Eastern Europe, specifically in the military and diplomacy sectors. While InvisiMole appears to have ties with Gamaredon/Primitive Bear, security researchers believe that they are two distinct groups with different TTPs rather than a single threat actor.

Cybersecurity Help’s statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren't worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!
