Russian APT group Curly COMrades employs novel backdoor and persistence tricks


Researchers have observed new cyberespionage campaigns against key organizations in Moldova and Georgia, both EU candidate countries, using a previously unknown backdoor program and novel persistence techniques. Absent evidence linking this activity to known APT groups, the researchers have attributed the campaigns to a new group dubbed Curly COMrades, which appears to serve the interests of the Russian Federation.

“Their technical indicators heavily feature the use of curl.exe for C2 communications and data exfiltration, and a significant aspect of their tooling involves the hijacking of Component Object Model (COM) objects,” researchers from antivirus firm Bitdefender explained in their report. “By choosing a name like ‘Curly COMrades,’ we aim to de-glamorize cybercrime, stripping away any perception of sophistication or mystique. They are not ‘fancy bears’ or ‘wizard spiders’; they are simply malicious actors engaged in disruptive and harmful behavior.”

The group’s activity, which can be traced back to late 2024, has so far targeted judicial and government bodies in Georgia and an energy distribution company in Moldova. Both countries are former Soviet Union members that officially have “candidate” status to join the European Union, which is contrary to Russia’s interests.

Heavy use of proxy relays and backup tunnels

Once they compromise a network, Curly COMrades attackers set up multiple reverse proxy tunnels to relays they control. These are used to execute commands on systems using stolen credentials with the goal of collecting and exfiltrating internal data.

The group was seen repeatedly trying to extract the NTDS database from domain controllers or dump the LSASS process memory on key systems. Both are sources of Windows credentials. The attackers also harvest browser data, which can include credentials and session cookies.

“Another important tactic observed in this campaign is strategic use of compromised, legitimate websites as traffic relays, a tactic that significantly complicates detection and attribution,” the researchers observed. “This approach allows them to blend malicious traffic with normal network activity, making it harder for security tools to flag their communications.”

Commonly observed proxy tools include Resocks, an open-source proxy tunnel, as well as a SOCKS5 server based on an open-source project from GitHub. The attackers also relied on SSH combined with Stunnel for port forwarding and TCP traffic encryption.

Bitdefender’s researchers also observed the use of a custom tool that behaves similarly to the cat utility and facilitates bidirectional data transfer. This tool has been dubbed CurlCat and was found deployed on systems as GoogleUpdate.exe.

Custom backdoor and RMM tools

In attacks targeting one organization, researchers observed the deployment of a custom backdoor, which they dubbed MucorAgent, on multiple systems. This malware tool is written in .NET and is designed to execute AES-encrypted PowerShell scripts and then upload the output to a server controlled by the attackers.

“Although no PowerShell payloads were recovered, the design of the malware suggests that its execution was intended to occur periodically — most likely for the purpose of data collection and exfiltration,” the researchers wrote.

More importantly, MucorAgent executes PowerShell code through the System.Management.Automation namespace without invoking the powershell.exe process, making detection less likely. It also uses an unusual persistence mechanism that involves hijacking an obscure scheduled task.
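Because the engine is hosted in-process, the usual "powershell.exe spawned by X" detections never fire. One defender-side check is to look for the PowerShell engine assembly loaded into processes that are not known PowerShell hosts. The following script is an added example, not code from Bitdefender's report or from the malware; the allow-list of host process names is an assumption to be tuned per environment.

```powershell
# Added example (not from the report): list processes that host the PowerShell engine
# in-process but are not recognised PowerShell hosts. Run elevated to inspect processes
# owned by other users; processes whose module list cannot be read are skipped.

# Starting allow-list of known host process names (assumption; extend for your estate).
$KnownHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')

# The engine ships as System.Management.Automation.dll; NGEN-compiled native images load
# as System.Management.Automation.ni.dll, so match both forms.
$EnginePattern = '^System\.Management\.Automation(\.ni)?\.dll$'

function Get-UnexpectedPowerShellHost {
    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
        } catch {
            continue   # access denied or 32/64-bit mismatch: this process cannot be inspected
        }

        $hasEngine = $modules | Where-Object { $_.ModuleName -match $EnginePattern }
        if (-not $hasEngine) { continue }
        if ($KnownHosts -contains $proc.ProcessName) { continue }

        # Record the host image and its Authenticode status for triage.
        $signature = 'Unknown'
        if ($proc.Path -and (Test-Path $proc.Path)) {
            $signature = (Get-AuthenticodeSignature -FilePath $proc.Path).Status
        }

        [pscustomobject]@{
            PID       = $proc.Id
            Name      = $proc.ProcessName
            Path      = $proc.Path
            Signature = $signature
        }
    }
}

Get-UnexpectedPowerShellHost | Format-Table -AutoSize
```

This only sees assemblies that were mapped from disk, so pair it with a Sysmon ImageLoad (Event ID 7) rule on the same DLL names and with PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), which is emitted by the engine itself and therefore records script content regardless of which process hosts it.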

The malware registers itself under the COM class (CLSID) {de434264-8fe9-4c0b-a83b-89ebeebff78e}, which is the COM handler invoked by a Windows scheduled task named “.NET Framework NGEN v4.0.30319 Critical.” This task is typically disabled by default, but the system periodically enables it because it belongs to NGEN (Native Image Generator), a Microsoft tool that optimizes .NET applications when they’re installed or updated.

“By hijacking this CLSID, threat actors gain a unique persistence mechanism, allowing them to restore their MucorAgent backdoor during one of these periodic NGEN optimization scans,” the researchers found. “A critical advantage of this method is stealth and execution under the highly privileged SYSTEM account. This particular technique, leveraging CLSID hijacking in conjunction with NGEN, is unprecedented in our observations.”
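Since the scheduled task itself is legitimate, the thing to audit is the COM registration it resolves to. The script below is an added example, not code from Bitdefender's report: it reads every registration of the CLSID named above, records the image path and signature status, and lists scheduled tasks whose actions reference that class. The "Suspicious" heuristics (a per-user registration, an unsigned image, or an image outside the Windows directory) are assumptions for triage, not a statement of what the legitimate registration looks like.

```powershell
# Added example (not from the report): audit the COM class used by the NGEN scheduled
# task for signs of CLSID hijacking. Run in an elevated session.
$Clsid = '{de434264-8fe9-4c0b-a83b-89ebeebff78e}'   # CLSID named in the article

function Get-ComServerRegistration {
    param([string]$ClassId)
    $results = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $key = "${hive}:\SOFTWARE\Classes\CLSID\$ClassId\$server"
            if (-not (Test-Path $key)) { continue }
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { continue }

            # Resolve %VAR% references, then isolate the image path from any arguments.
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            if ($expanded -match '^"([^"]+)"') {
                $image = $Matches[1]
            } else {
                $image = ($expanded -split '\s+')[0]
            }

            $status = if (Test-Path $image) {
                (Get-AuthenticodeSignature -FilePath $image).Status
            } else {
                'FileMissing'
            }

            $results += [pscustomobject]@{
                Hive       = $hive
                ServerType = $server
                Image      = $image
                Signature  = $status
                # Triage heuristics (assumption): a per-user override of a system class,
                # an image that fails signature validation, or an image outside %SystemRoot%.
                Suspicious = ($hive -eq 'HKCU') -or ($status -ne 'Valid') -or
                             ($image -notlike "$env:SystemRoot\*")
            }
        }
    }
    return $results
}

function Get-TaskUsingComHandler {
    param([string]$ClassId)
    # COM handler actions expose the class they invoke via the ClassId property;
    # Exec actions have no ClassId, so the comparison simply fails for them.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.ClassId -eq $ClassId }
    } | Select-Object TaskPath, TaskName, State
}

Get-ComServerRegistration -ClassId $Clsid | Format-Table -AutoSize
Get-TaskUsingComHandler   -ClassId $Clsid | Format-Table -AutoSize
```

HKCU here is the hive of whoever runs the script; because the task executes as SYSTEM, also inspect the SYSTEM profile's classes under HKEY_USERS\S-1-5-18\SOFTWARE\Classes\CLSID, and baseline the output on a known-clean host so that a changed image path or a newly appearing per-user key stands out.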

In addition to MucorAgent, the attackers also deployed a legitimate remote monitoring and management (RMM) tool called Remote Utilities. The abuse of RMM tools has become widespread among both APT and cybercrime groups.

“The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,” the researchers said. “The attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”

A list of indicators of compromise and TTPs is included in Bitdefender’s report and can be used to create detection rules for threat hunting. While these attacks were seen in Moldova and Georgia, Russian groups are known to target all countries that support Ukraine.
