{"id":4374,"date":"2025-08-13T20:33:13","date_gmt":"2025-08-13T20:33:13","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4374"},"modified":"2025-08-13T20:33:13","modified_gmt":"2025-08-13T20:33:13","slug":"russian-apt-group-curly-comrades-employs-novel-backdoor-and-persistence-tricks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4374","title":{"rendered":"Russian APT group Curly COMrades employs novel backdoor and persistence tricks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers have observed new cyberespionage campaigns against key organizations from EU-hopefuls Moldova and Georgia using a previously unknown backdoor program and novel persistence techniques. Absent evidence linking this activity to known APT groups, the researchers have attributed the campaigns to a new group dubbed Curly COMrades, which appears to serve the interests of the Russian Federation.<\/p>\n<p>\u201cTheir technical indicators heavily feature the use of curl.exe for C2 communications and data exfiltration, and a significant aspect of their tooling involves the hijacking of Component Object Model (COM) objects,\u201d researchers from antivirus firm Bitdefender explained <a href=\"https:\/\/businessinsights.bitdefender.com\/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds\">in their report<\/a>. \u201cBy choosing a name like \u2018Curly COMrades,\u2019 we aim to de-glamorize cybercrime, stripping away any perception of sophistication or mystique. 
They are not \u2018fancy bears\u2019 or \u2018wizard spiders\u2019; they are simply malicious actors engaged in disruptive and harmful behavior.\u201d<\/p>\n<p>The group\u2019s activity, which can be traced back to late 2024, has so far targeted judicial and government bodies in Georgia and an energy distribution company in Moldova. Both countries are former Soviet Union members that officially have \u201ccandidate\u201d status to join the European Union, which is contrary to Russia\u2019s interests.<\/p>\n<h2 class=\"wp-block-heading\">Heavy use of proxy relays and backup tunnels<\/h2>\n<p>Once they compromise a network, Curly COMrades attackers set up multiple reverse proxy tunnels to relays they control. These are used to execute commands on systems using stolen credentials with the goal of collecting and exfiltrating internal data.<\/p>\n<p>The group was seen repeatedly trying to extract the NTDS database from domain controllers or dump the LSASS process memory on key systems. Both locations are used to store Windows credentials. The attackers also harvest browser data, which can include credentials and session cookies.<\/p>\n<p>\u201cAnother important tactic observed in this campaign is strategic use of compromised, legitimate websites as traffic relays, a tactic that significantly complicates detection and attribution,\u201d the researchers observed. \u201cThis approach allows them to blend malicious traffic with normal network activity, making it harder for security tools to flag their communications.\u201d<\/p>\n<p>Commonly observed proxy tools include Resocks, an open-source proxy tunnel, as well as a SOCKS5 server based on an open-source project from GitHub. The attackers also relied on SSH combined with Stunnel for port forwarding and TCP traffic encryption.<\/p>\n<p>Bitdefender\u2019s researchers also observed the use of a custom tool that behaves similarly to the cat utility and facilitates bidirectional data transfer. 
This tool has been dubbed CurlCat and was found deployed on systems as GoogleUpdate.exe.<\/p>\n<h2 class=\"wp-block-heading\">Custom backdoor and RMM tools<\/h2>\n<p>In attacks targeting one organization, researchers observed the deployment of a custom backdoor, which they dubbed MucorAgent, on multiple systems. This malware tool is written in .NET and is designed to execute AES-encrypted PowerShell scripts and then upload the output to a server controlled by the attackers.<\/p>\n<p>\u201cAlthough no PowerShell payloads were recovered, the design of the malware suggests that its execution was intended to occur periodically \u2014 most likely for the purpose of data collection and exfiltration,\u201d the researchers wrote.<\/p>\n<p>More importantly, MucorAgent executes PowerShell code through the System.Management.Automation namespace without invoking the powershell.exe process, making detection less likely. It also uses an unusual persistence mechanism that involves hijacking an obscure scheduled task.<\/p>\n<p>The malware inserts itself in the CLSID and COM handler {de434264-8fe9-4c0b-a83b-89ebeebff78e}, which corresponds to a Windows scheduled task named \u201c.NET Framework NGEN v4.0.30319 Critical.\u201d This task is typically disabled by default, but the system periodically enables it because it corresponds to a Microsoft tool called NGEN (Native Image Generator) that optimizes .NET applications when they\u2019re being installed or updated.<\/p>\n<p>\u201cBy hijacking this CLSID, threat actors gain a unique persistence mechanism, allowing them to restore their MucorAgent backdoor during one of these periodic NGEN optimization scans,\u201d the researchers found. \u201cA critical advantage of this method is stealth and execution under the highly privileged SYSTEM account. 
This particular technique, leveraging CLSID hijacking in conjunction with NGEN, is unprecedented in our observations.\u201d<\/p>\n<p>In addition to MucorAgent, the attackers also deployed a legitimate remote monitoring and management (RMM) tool called Remote Utilities. The <a href=\"https:\/\/www.csoonline.com\/article\/3487743\/attackers-increasingly-using-legitimate-remote-management-tools-to-hack-enterprises.html\">abuse of RMM tools has become widespread<\/a> among both APT and cybercrime groups.<\/p>\n<p>\u201cThe campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,\u201d the researchers said. \u201cThe attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.\u201d<\/p>\n<p>A list of indicators of compromise and TTPs is included in Bitdefender\u2019s report and can be used to create detection rules for threat hunting. While these attacks were seen in Moldova and Georgia, Russian groups are known to target all countries that support Ukraine.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have observed new cyberespionage campaigns against key organizations from EU-hopefuls Moldova and Georgia using a previously unknown backdoor program and novel persistence techniques. 
Absent evidence linking this activity to known APT groups, the researchers have attributed the campaigns to a new group dubbed Curly COMrades, which appears to serve the interests of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4374","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4374"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4374"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4374\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4375"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}