Bitdefender Labs has identified a sophisticated advanced persistent threat (APT) group dubbed “Curly COMrades,” active since mid-2024, targeting critical infrastructure in geopolitically sensitive regions.
This Russian-aligned actor has focused on judicial and government entities in Georgia, alongside an energy distribution firm in Moldova, employing stealthy tactics to secure long-term network access and exfiltrate sensitive data.
The group’s operations emphasize credential theft, utilizing tools like proxy relays and a novel backdoor named MucorAgent to maintain persistence while evading detection.
By hijacking Component Object Model (COM) objects and leveraging Native Image Generator (NGEN) tasks, they ensure covert re-entry during system idle periods or application deployments.
Their approach blends legitimate tools with custom malware, routing command-and-control (C2) traffic through compromised websites to mask activities within benign network flows.
Geopolitical Espionage Campaign
The campaign’s technical sophistication is evident in the deployment of proxy tools such as Resocks, SSH combined with Stunnel, and custom SOCKS5 servers, often obfuscated with tools like Garble to hinder reverse engineering.
Attackers establish multiple entry points using stolen credentials, executing remote commands via Impacket-like utilities for lateral movement and data collection.
Credential harvesting involves repeated attempts to extract the NTDS database from domain controllers through Volume Shadow Copy Service manipulations and LSASS memory dumps using variants of Mimikatz, Procdump, and custom loaders adapted from open-source projects like TrickDump.
Exfiltration is manual and low-noise, staging data in public directories before archiving with RAR and uploading via curl.exe to compromised relays, often disguised as image files with AES encryption and PNG wrappers.
Innovative Persistence
A standout element is MucorAgent, a three-stage .NET backdoor that patches Antimalware Scan Interface (AMSI) to execute encrypted PowerShell scripts undetected, exfiltrating outputs masquerading as PNGs.
Persistence is achieved by hijacking CLSIDs linked to disabled NGEN tasks, which the system sporadically activates, providing unpredictable yet reliable execution under SYSTEM privileges.
This technique, combined with redundant proxies and legitimate remote management tools like Remote Utilities, underscores the group’s adaptability and focus on resilience against takedowns.
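A defender-side hunt for the persistence pattern described above, added here as an example rather than code from Bitdefender's report. It assumes only the general mechanism (a per-user CLSID registration shadowing a machine-wide one, and the standard NGEN task folder), not the specific CLSIDs the group hijacked, which the page does not list:

```powershell
# Added example (not from the Bitdefender report): flag user-hive COM registrations
# that shadow machine-wide CLSIDs or point at binaries staged outside system paths,
# then show the state of the .NET NGEN scheduled tasks such a hijack rides on.

function Find-ComHijackCandidates {
    $hits = @()
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return $hits }

    foreach ($clsidKey in Get-ChildItem $userClsidRoot) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $clsidKey.PSPath $serverType
            if (-not (Test-Path $serverKey)) { continue }
            $serverPath = (Get-ItemProperty $serverKey).'(default)'
            if (-not $serverPath) { continue }

            # COM lookups merge HKCU\Software\Classes over HKLM\Software\Classes, so a
            # per-user entry for a CLSID that also exists machine-wide silently wins
            # for processes that honour per-user registrations.
            $shadowsMachine = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"

            # The report saw payloads staged under C:\ProgramData; any server binary
            # outside Windows or Program Files deserves a second look on its own.
            $outsideSystem = $serverPath -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'

            if ($shadowsMachine -or $outsideSystem) {
                $hits += [pscustomobject]@{
                    CLSID         = $clsid
                    ServerType    = $serverType
                    ServerPath    = $serverPath
                    ShadowsHKLM   = $shadowsMachine
                    OutsideSystem = $outsideSystem
                }
            }
        }
    }
    return $hits
}

# NGEN tasks are normally disabled and fire only when the system is idle; an
# enabled or recently run instance on a host with a shadowed CLSID is worth
# correlating with the COM findings above.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\.NET Framework\' |
    Select-Object TaskName, State,
        @{ n = 'LastRun'; e = { ($_ | Get-ScheduledTaskInfo).LastRunTime } }

Find-ComHijackCandidates | Format-Table -AutoSize
```

Run it in a non-elevated session for the interactive user and again under other local profiles, since each user hive carries its own Classes\CLSID tree.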
According to the report, the name “Curly COMrades” reflects both the group’s technical hallmarks (extensive use of curl.exe for C2 and COM hijacking) and a deliberate effort to demystify cyber threats, countering the industry trend toward glamorous monikers.
While overlaps with known actors exist, such as RAR usage or PowerShell automation, Bitdefender attributes this to a distinct entity supporting Russian geopolitical interests.
Organizations are urged to deploy extended detection and response (XDR) solutions for anomaly detection, monitor LOLBins, and consider managed detection services to bridge operational gaps.
This campaign highlights the evolving threat landscape, where blended tactics exploit trust in legitimate infrastructure for sustained espionage.
Indicators of Compromise (IOCs)
| Category | Examples |
|---|---|
| Proxy Servers | 75.127.13.136, 96.30.124.103 |
| File Paths | c:\programdata\drm.exe, c:\programdata\rar.bat |
| Scheduled Tasks | \Microsoft\Windows\UpdateOrchestrator\Check_AC |
| Windows Services | MsEdgeSvc, OracleJavaSvc |