A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks.
“They repeatedly tried to extract the NTDS database from domain controllers — the primary repository for user password hashes and authentication data in a Windows network,” Bitdefender said in a report shared with The Hacker News. “Additionally, they attempted to dump LSASS memory from specific systems to recover active user credentials, potentially plain-text passwords, from machines where users were logged on.”
The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova.
“Regarding the timeline, while we have been tracking the campaign since mid-2024, our analysis of the artifacts indicates that activity began earlier,” Martin Zugec, technical solutions director at Bitdefender, told the publication. “The earliest confirmed date we have for the use of the MucorAgent malware is November 2023, though it is highly probable that the group was active before that time.”
Curly COMrades are assessed to be operating with goals that are aligned with Russia’s geopolitical strategy. It gets its name from the heavy reliance on the curl utility for command-and-control (C2) and data transfer, and the hijacking of the component object model (COM) objects.
The end goal of the attacks is to enable long-term access to carry out reconnaissance and credential theft, and leverage that information to burrow deeper into the network, collect data using custom tools, and exfiltrate to attacker-controlled infrastructure.
“The overall behavior indicates a methodical approach in which the attackers combined standard attack techniques with tailored implementations to blend into legitimate system activity,” the company pointed out. “Their operations were characterized by repeated trial-and-error, use of redundant methods, and incremental setup steps – all aimed at maintaining a resilient and low-noise foothold across multiple systems.”
A notable aspect of the attacks is the use of legitimate tools like Resocks, SSH, and Stunnel to create multiple conduits into internal networks and remotely execute commands using the stolen credentials. Another proxy tool deployed besides Resocks is SOCKS5. The exact initial access vector employed by the threat actor is currently not known.
Persistent access to the infected endpoints is accomplished by means of a bespoke backdoor called MucorAgent, which hijacks class identifiers (CLSIDs) – globally unique identifiers that identify a COM class object – to target Native Image Generator (Ngen), an ahead-of-time compilation service that’s part of the .NET Framework.
“Ngen, a default Windows .NET Framework component that pre-compiles assemblies, provides a mechanism for persistence via a disabled scheduled task,” Bitdefender noted. “This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals (such as during system idle times or new application deployments), making it a great mechanism for restoring access covertly.”
Abusing the CLSID linked to Ngen underscores the adversary’s technical prowess, while granting them the ability to execute malicious commands under the highly privileged SYSTEM account. It’s suspected that there likely exists a more reliable mechanism for executing the specific task given the overall unpredictability associated with Ngen.
A modular .NET implant, MucorAgent is launched via a three-stage process and is capable of executing an encrypted PowerShell script and uploading the output to a designated server. Bitdefender said it did not recover any other PowerShell payloads.
“The design of the MucorAgent suggests that it was likely intended to function as a backdoor capable of executing payloads on a periodic basis,” the company explained. “Each encrypted payload is deleted after being loaded into memory, and no additional mechanism for regularly delivering new payloads was identified.”
Also weaponized by Curly COMrades are legitimate-but-compromised websites for use as relays during C2 communications and data exfiltration in a bid to fly under the radar by blending malicious traffic with normal network activity. Some of the other tools observed in the attacks are listed below –
- CurlCat, which is used to facilitate bidirectional data transfer between standard input and output streams (STDIN and STDOUT) and C2 server over HTTPS by routing the traffic through a compromised site
- RuRat, a legitimate Remote Monitoring and Management (RMM) program for persistent access
- Mimikatz, which is used to extract credentials from memory
- Various built-in commands like netstat, tasklist, systeminfo, ipconfig, and ping to conduct discovery
- Powershell scripts that use curl to exfiltrate stolen data (e.g., credentials, domain information, and internal application data)
“The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,” Bitdefender said.
“The attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”
