
The group, dubbed “Curly COMrades,” has launched focused attacks against judicial and government bodies in Georgia and energy distribution companies in Moldova.
The threat actors demonstrate advanced persistence capabilities and repeatedly attempt to harvest credentials, extracting the NTDS database from domain controllers and dumping LSASS memory.
Their primary objective centers on maintaining long-term network access while systematically harvesting sensitive data for exfiltration.
Novel Backdoor Exploits Windows Framework
The group’s most significant innovation is a previously unknown backdoor called “MucorAgent,” which uses a previously undocumented persistence technique built around the .NET Framework’s Native Image Generator (NGEN).
The malware hijacks a Component Object Model (COM) object by manipulating its CLSID registration, specifically targeting the identifier {de434264-8fe9-4c0b-a83b-89ebeebff78e} referenced by NGEN’s critical scheduled task, so that the task launches the attacker’s code whenever it runs.
“This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals, such as during system idle times or new application deployments, making it a great mechanism for restoring access covertly,” researchers noted.
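As an added example (not code from the article or from Bitdefender’s report), the following PowerShell audits the CLSID quoted above for a per-user COM hijack and reports the state of the NGEN tasks themselves. It assumes the standard task folder for the .NET Framework NGEN tasks on .NET 4.x hosts and that those tasks use a COM handler action; everything else is read directly from the registry and the Task Scheduler.

```powershell
# Added example, not MucorAgent or Bitdefender tooling. Checks the CLSID named in
# the article for a per-user override and lists the NGEN scheduled tasks.
$Clsid    = '{de434264-8fe9-4c0b-a83b-89ebeebff78e}'   # CLSID quoted in the article
$NgenPath = '\Microsoft\Windows\.NET Framework\'        # assumed location of the NGEN tasks

function Get-ComServer {
    # Return the server registrations for $Clsid under one registry root, or $null.
    param([string]$Root)
    $key = "$Root\Software\Classes\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $entry = [ordered]@{ Root = $Root; Key = $key }
    foreach ($sub in 'InprocServer32', 'LocalServer32', 'TreatAs') {
        $subKey = "$key\$sub"
        if (Test-Path -LiteralPath $subKey) {
            $entry[$sub] = (Get-ItemProperty -LiteralPath $subKey).'(default)'
        }
    }
    [pscustomobject]$entry
}

# COM resolves HKCU\Software\Classes before HKLM\Software\Classes, so a registration
# that exists only in a user hive, or whose server lives outside %SystemRoot%, is the
# hijack signature. HKCU covers only the current user; map HKEY_USERS to inspect every
# loaded profile, since the hijacked account need not be the one running this script.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:') + (Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

foreach ($root in $roots) {
    $reg = Get-ComServer -Root $root
    if (-not $reg) { continue }
    $server  = @($reg.InprocServer32, $reg.LocalServer32) | Where-Object { $_ } | Select-Object -First 1
    $verdict = 'ok'
    if ($root -ne 'HKLM:') {
        $verdict = 'SUSPICIOUS: per-user override of a machine CLSID'
    } elseif ($server -and $server -notlike "$env:SystemRoot\*") {
        $verdict = 'SUSPICIOUS: COM server outside %SystemRoot%'
    }
    '{0,-70} {1} -> {2}' -f $reg.Key, $verdict, $server
}

# The article notes the NGEN task looks inactive yet is run by the OS on its own
# schedule; record its state and last run so it can be correlated with other events.
# The ClassId of a COM handler action is what a CLSID hijack redirects (assumed layout).
Get-ScheduledTask -TaskPath $NgenPath -ErrorAction SilentlyContinue | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $_.TaskName
        State      = $_.State
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult
        Action     = ($_.Actions | ForEach-Object {
            if ($_.Execute) { "$($_.Execute) $($_.Arguments)" } else { "COM handler $($_.ClassId)" }
        }) -join '; '
    }
} | Format-Table -AutoSize
```

Run it elevated on a suspect host. Any hit under an HKU:\S-1-5-21-* root for this CLSID deserves a full look at the DLL or executable it points to, because the legitimate registration lives only under HKLM.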

The three-stage malware executes AES-encrypted PowerShell scripts and disguises its output as PNG image files before exfiltrating it with curl.exe.
Infrastructure Leverages Compromised Legitimate Sites
Curly COMrades employs a sophisticated traffic relay system using compromised legitimate websites to obscure their command-and-control infrastructure.
This approach significantly complicates detection by blending malicious communications with regular network traffic, allowing the group to slip past security controls that trust known domains.
The group extensively uses proxy tools, including Resocks, SSH, and Stunnel, to maintain multiple redundant paths into victim networks.
Analysis revealed the attackers maintained persistent access through various Windows services and scheduled tasks designed to mimic legitimate system processes, such as “MicrosoftWindowsUpdateOrchestratorCheck_AC”.
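As an added example (not code from the article or from Bitdefender’s report), the following PowerShell hunts scheduled tasks and services for the two traits described above: command lines that invoke the relay and exfiltration tools the article names (curl.exe, SSH, Stunnel, Resocks), and vendor-style task names such as “MicrosoftWindowsUpdateOrchestratorCheck_AC” registered outside the \Microsoft\ task folder. Both heuristics are assumptions for triage rather than the group’s published indicators, and every hit needs manual review.

```powershell
# Added example, not Bitdefender tooling. Triage heuristics for the persistence
# traits the article describes; tune the patterns to your environment.
$RelayPatterns = 'curl\.exe', '\bssh\b', 'stunnel', 'resocks'   # regexes, case-insensitive

function Get-TaskFindings {
    # Flag scheduled tasks whose command line calls a relay tool, or whose name
    # mimics a Microsoft/Windows component while sitting at the task root.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }    # COM handler actions carry no command line
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $reasons = @()
            foreach ($pattern in $RelayPatterns) {
                if ($cmd -match $pattern) { $reasons += "command matches $pattern" }
            }
            if ($task.TaskPath -eq '\' -and $task.TaskName -match '^(Microsoft|Windows)') {
                $reasons += 'vendor-style name registered at the task root'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Kind    = 'Task'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    RunAs   = $task.Principal.UserId
                    Command = $cmd
                    Reason  = $reasons -join '; '
                }
            }
        }
    }
}

function Get-ServiceFindings {
    # Services give the same foothold; the binary path is the only field needed here.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $reasons = @()
        foreach ($pattern in $RelayPatterns) {
            if ($svc.PathName -match $pattern) { $reasons += "command matches $pattern" }
        }
        if ($reasons) {
            [pscustomobject]@{
                Kind    = 'Service'
                Name    = $svc.Name
                RunAs   = $svc.StartName
                Command = $svc.PathName
                Reason  = $reasons -join '; '
            }
        }
    }
}

@(Get-TaskFindings) + @(Get-ServiceFindings) | Format-Table -AutoSize -Wrap
```

The name heuristic is deliberately narrow: built-in Microsoft tasks live under \Microsoft\…, so a task carrying that prefix at the root is worth a second look even when its command line is clean. Pair the output with proxy logs for curl.exe user agents to confirm the exfiltration path.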
Bitdefender researchers deliberately chose the derogatory name “Curly COMrades” to challenge industry conventions of assigning sophisticated monikers to threat actors.
“They are not ‘fancy bears’ or ‘wizard spiders’; they are simply malicious actors engaged in disruptive and harmful behavior,” the research team stated.
The naming decision reflects both technical indicators (heavy use of curl.exe for communications and COM object hijacking) and the group’s assessed alignment with the geopolitical objectives of the Russian Federation.
Security experts believe the observed activity represents only a fraction of a much larger compromised web infrastructure network under the group’s control.
The post Cyber Collective “Curly COMrades” Escalates Global Attacks on High-Value Targets appeared first on Cyber Security News.
