Aug 12, 2025 | Ravie Lakshmanan | Cyber Espionage / Windows Security
A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks.
“They repeatedly tried to extract the NTDS database from domain controllers — the primary repository for user password hashes and authentication data in a Windows network,” Bitdefender said in a report shared with The Hacker News. “Additionally, they attempted to dump LSASS memory from specific systems to recover active user credentials, potentially plain-text passwords, from machines where users were logged on.”
The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova.
“Regarding the timeline, while we have been monitoring the campaign since mid-2024, our analysis of the artifacts indicates that activity began earlier,” Martin Zugec, technical solutions director at Bitdefender, told the publication. “The earliest confirmed date we have for the use of the MucorAgent malware is November 2023, though it’s highly likely that the group was active before that time.”
Curly COMrades is assessed to be operating with goals that are aligned with Russia’s geopolitical strategy. It gets its name from the heavy reliance on the curl utility for command-and-control (C2) and data transfer, and from the hijacking of Component Object Model (COM) objects.
The end goal of the attacks is to enable long-term access to carry out reconnaissance and credential theft, and to leverage that information to burrow deeper into the network, collect data using custom tools, and exfiltrate it to attacker-controlled infrastructure.
“The overall behavior indicates a methodical approach in which the attackers combined standard attack techniques with tailored implementations to blend into legitimate system activity,” the company pointed out. “Their operations were characterized by repeated trial-and-error, use of redundant methods, and incremental setup steps – all aimed at maintaining a resilient and low-noise foothold across multiple systems.”
A notable aspect of the attacks is the use of legitimate tools like Resocks, SSH, and Stunnel to create multiple conduits into internal networks and remotely execute commands using the stolen credentials. Another proxy tool deployed alongside Resocks is a SOCKS5 proxy. The exact initial access vector employed by the threat actor is currently not known.
Persistent access to the infected endpoints is achieved by means of a bespoke backdoor called MucorAgent, which hijacks class identifiers (CLSIDs) – globally unique identifiers that identify a COM class object – to target the Native Image Generator (Ngen), an ahead-of-time compilation service that is part of the .NET Framework.
“Ngen, a default Windows .NET Framework component that pre-compiles assemblies, provides a mechanism for persistence via a disabled scheduled task,” Bitdefender noted. “This task appears inactive, yet the operating system periodically enables and executes it at unpredictable intervals (such as during system idle times or new application deployments), making it an ideal mechanism for restoring access covertly.”
Abusing the CLSID linked to Ngen underscores the adversary’s technical prowess, while granting them the ability to execute malicious commands under the highly privileged SYSTEM account. It is suspected that a more reliable mechanism for executing the actual task likely exists, given the overall unpredictability associated with Ngen.
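As an added defender-side illustration (not Bitdefender's tooling or anything from the report), the following PowerShell hunts for the two artefacts described above: per-user CLSID registrations that shadow the machine-wide COM class, which is the hijack primitive, and the NGEN scheduled tasks whose COM-handler action a hijacked CLSID would redirect. It assumes an elevated session on the host under review, and that the task folder name and the LocalSystem hive SID (S-1-5-18) are the standard Windows values.

```powershell
# Added illustration, not Bitdefender's or the attacker's code. Assumption: the
# NGEN task folder and the LocalSystem hive SID below are standard Windows values.
$clsidRoots = @(
    'HKCU:\Software\Classes\CLSID',                          # interactive user's hive
    'Registry::HKEY_USERS\S-1-5-18\Software\Classes\CLSID'   # SYSTEM's user hive
)
$machineRoot = 'HKLM:\Software\Classes\CLSID'

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (default) string, or $null when the key or value is missing.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    return (Get-ItemProperty -Path $KeyPath).'(default)'
}

# 1. User-hive COM servers: per-user CLSID keys are consulted before HKLM, so a
#    server path written here silently replaces the machine-wide class.
$findings = foreach ($root in $clsidRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($clsidKey in Get-ChildItem -Path $root) {
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $userServer = Get-DefaultValue (Join-Path $clsidKey.PSPath $serverKind)
            if ($null -eq $userServer) { continue }
            $machineServer = Get-DefaultValue "$machineRoot\$($clsidKey.PSChildName)\$serverKind"
            [pscustomobject]@{
                Hive          = $root
                CLSID         = $clsidKey.PSChildName
                ServerKind    = $serverKind
                UserServer    = $userServer
                MachineServer = $machineServer
                # A user-hive server differing from an existing HKLM one is the
                # strongest signal; user-only CLSIDs still deserve a look.
                Shadows       = ($null -ne $machineServer -and $machineServer -ne $userServer)
            }
        }
    }
}
$findings | Sort-Object -Property Shadows -Descending | Format-Table -AutoSize

# 2. NGEN tasks: the article notes they look disabled yet get enabled and run by
#    the OS at unpredictable times, so review each task's action (a COM class ID
#    for COM-handler actions, otherwise an executable) regardless of State.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\.NET Framework\' -ErrorAction SilentlyContinue |
    Select-Object -Property TaskName, State, @{ n = 'Action'; e = {
        ($_.Actions | ForEach-Object {
            if ($_.ClassId) { "COM handler $($_.ClassId)" } else { "$($_.Execute) $($_.Arguments)" }
        }) -join '; '
    } } | Format-Table -AutoSize
```

Any CLSID reported with Shadows = True, or any NGEN action whose COM class resolves to a server path outside the Windows and .NET Framework directories, should be pulled for analysis rather than trusted because the task state reads Disabled.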
A modular .NET implant, MucorAgent is launched via a three-stage process and is capable of executing an encrypted PowerShell script and uploading the output to a designated server. Bitdefender said it did not recover any other PowerShell payloads.
“The design of the MucorAgent suggests that it was likely intended to function as a backdoor capable of executing payloads on a periodic basis,” the company explained. “Each encrypted payload is deleted after being loaded into memory, and no additional mechanism for continuously delivering new payloads was identified.”
Also weaponized by Curly COMrades are legitimate-but-compromised websites for use as relays during C2 communications and data exfiltration, in a bid to fly under the radar by blending malicious traffic with normal network activity. Some of the other tools observed in the attacks are listed below –
- CurlCat, which is used to facilitate bidirectional data transfer between the standard input and output streams (STDIN and STDOUT) and a C2 server over HTTPS by routing the traffic through a compromised site
- RuRat, a legitimate Remote Monitoring and Management (RMM) program, for persistent access
- Mimikatz, which is used to extract credentials from memory
- Various built-in commands like netstat, tasklist, systeminfo, ipconfig, and ping to conduct discovery
- PowerShell scripts that use curl to exfiltrate stolen data (e.g., credentials, domain information, and internal application data)
“The campaign analyzed revealed a highly persistent and adaptable threat actor employing a range of known and customized techniques to establish and maintain long-term access within targeted environments,” Bitdefender said.
“The attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”