Blog | G5 Cyber Security

InvisiMole malware delivered by Gamaredon hacker group

ESET malware researcher Zuzana Hromcová presented an overview of the multi-stage attack chain reconstructed after investigating a campaign that started in September 2019 and continues to be active. InvisiMole still relies on the two backdoors analyzed in 2018 (RC2CL and RC2FM), but has new additions: a simpler TCP downloader and a stealthier DNS downloader. The threat actor also encrypted some of the payloads in the chain using the Windows Data Protection API (DPAPI).
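The DPAPI detail matters to analysts because DPAPI keys are derived from the protecting user's (or machine's) credentials, so a payload blob captured from disk decrypts only in the same user or machine context it was protected in. The following PowerShell script is an added illustration of that behaviour, not code from the article or from ESET's analysis: it protects a constructed sample blob, shows the well-known DPAPI blob header that triage tooling can key on, and shows that decryption fails when the secondary secret (optional entropy) is missing. The payload and entropy strings are constructed placeholders.

```powershell
# Added illustration (not from the article or ESET): how a DPAPI-protected
# blob behaves for an analyst. Run as any interactive Windows user.
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed stand-in for a staged payload; not real malware content.
$payload = [System.Text.Encoding]::UTF8.GetBytes("constructed sample payload bytes")
# Optional entropy is a second secret the decryptor must also supply.
$entropy = [System.Text.Encoding]::UTF8.GetBytes("constructed-entropy-value")

$blob = [System.Security.Cryptography.ProtectedData]::Protect($payload, $entropy, $scope)

# Triage signature: every CryptProtectData blob starts with a 4-byte version (1)
# followed by the 16-byte DPAPI provider GUID. Useful for spotting DPAPI blobs
# embedded in files or registry values during forensics.
$dpapiProvider = [guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$version = [BitConverter]::ToUInt32($blob, 0)
$guid    = [guid][byte[]]$blob[4..19]
Write-Host ("Blob length {0}; version {1}; provider GUID match: {2}" -f `
    $blob.Length, $version, ($guid -eq $dpapiProvider))

# 1. Same user, same entropy: decrypts.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
$ok = [System.Text.Encoding]::UTF8.GetString($plain) -eq "constructed sample payload bytes"
Write-Host ("Round trip in the protecting user's context: {0}" -f $ok)

# 2. Wrong entropy: DPAPI rejects the blob. The same failure occurs when a blob
#    is fed to DPAPI on another host or under another user, which is why
#    payload recovery has to happen on (or with key material from) the victim.
try {
    [System.Security.Cryptography.ProtectedData]::Unprotect($blob, [byte[]](1, 2, 3), $scope) | Out-Null
    Write-Host "Unexpected: decrypted with wrong entropy"
} catch {
    Write-Host ("Wrong entropy rejected: {0}" -f $_.Exception.GetType().Name)
}
```

For incident response this means a DPAPI-protected stage found on disk is not directly analyzable from a forensic image alone; it has to be decrypted in the original user context or with that user's DPAPI master key material, and the header signature above is a cheap way to flag such blobs for that follow-up.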

Source: https://www.bleepingcomputer.com/news/security/invisimole-malware-delivered-by-gamaredon-hacker-group/
