The group, dubbed “Curly COMrades,” has launched focused attacks against judicial and government bodies in Georgia and energy distribution companies in Moldova.
The threat actors demonstrate advanced persistence capabilities, repeatedly attempting to extract NTDS databases from domain controllers and dump LSASS memory to steal authentication credentials.
Their primary objective centers on maintaining long-term network access while systematically harvesting sensitive data for exfiltration.
The group’s most significant innovation involves a previously unknown backdoor called “MucorAgent,” which employs an unprecedented persistence technique targeting Windows’ Native Image Generator (NGEN).
The malware hijacks Component Object Model (COM) objects through CLSID manipulation, explicitly targeting the identifier {de434264-8fe9-4c0b-a83b-89ebeebff78e} associated with NGEN’s critical scheduled task.
“This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals, such as during system idle times or new application deployments, making it a great mechanism for restoring access covertly,” researchers noted.
The three-stage malware executes AES-encrypted PowerShell scripts and disguises output as legitimate PNG image files before exfiltration via curl.exe.
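The persistence mechanism described above rests on the registration of one CLSID. The following PowerShell audit is an added example, not code from the article or from Bitdefender: it checks where that CLSID's COM server is registered (a copy under HKCU, a server path outside the Windows directory, or an unsigned DLL is what a hijack looks like) and lists any scheduled task whose action is a COM handler for it. It assumes the standard registry layout and the ScheduledTasks module; the CLSID is the one quoted in the article.

```powershell
# Added defender-side check (not from the article). Audits a single CLSID for COM hijacking.
$Clsid = '{de434264-8fe9-4c0b-a83b-89ebeebff78e}'   # CLSID named in the article
$Keys = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$Clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\$Clsid",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid"   # per-user copy overrides HKLM
)

$Findings = foreach ($Key in $Keys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Sub in 'InprocServer32', 'LocalServer32') {
        $Item = Get-ItemProperty -Path "$Key\$Sub" -ErrorAction SilentlyContinue
        if (-not $Item) { continue }
        # The default value holds the server path, possibly quoted and with arguments.
        $Server = [Environment]::ExpandEnvironmentVariables([string]$Item.'(default)')
        $Path   = $Server -replace '^"([^"]+)".*$', '$1'
        $Sig    = if (Test-Path $Path) { (Get-AuthenticodeSignature $Path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Key               = "$Key\$Sub"
            Server            = $Server
            InUserHive        = $Key -like 'Registry::HKEY_CURRENT_USER*'
            OutsideWindowsDir = -not ($Path -like "$env:SystemRoot\*")
            Signature         = $Sig
            Suspicious        = ($Key -like 'Registry::HKEY_CURRENT_USER*') -or
                                -not ($Path -like "$env:SystemRoot\*") -or
                                ($Sig -ne 'Valid')
        }
    }
}

# Scheduled tasks whose action is a COM handler for this CLSID (how the hijacked object gets invoked).
$Tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskComHandlerAction' -and
        $_.ClassId.Trim('{}') -ieq $Clsid.Trim('{}')
    }
} | Select-Object TaskPath, TaskName, State

"COM registrations for $Clsid :"
$Findings | Format-Table -AutoSize
"Scheduled tasks invoking $Clsid via COM handler:"
$Tasks | Format-Table -AutoSize
```

A legitimate registration shows only HKLM entries pointing to a signed file under the Windows directory; anything flagged Suspicious should be pulled for analysis together with the task's recent run history.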
Curly COMrades employs a sophisticated traffic relay system using compromised legitimate websites to obscure their command-and-control infrastructure.
This approach significantly complicates detection by blending malicious communications with regular network traffic, allowing them to bypass security defenses that trust known domains.
The group extensively utilizes proxy tools, including Resocks, SSH, and Stunnel, to establish multiple network entry points.
Analysis revealed the attackers maintained persistent access through various Windows services and scheduled tasks designed to mimic legitimate system processes, such as “MicrosoftWindowsUpdateOrchestratorCheck_AC”.
Bitdefender researchers deliberately chose the derogatory name “Curly COMrades” to challenge industry conventions of assigning sophisticated monikers to threat actors.
“They are not ‘fancy bears’ or ‘wizard spiders’; they are simply malicious actors engaged in disruptive and harmful behavior,” the research team stated.
The name reflects both technical indicators (the group's heavy use of curl.exe for communications and its COM object hijacking) and the group's alignment with Russian Federation geopolitical objectives.
Security experts believe the observed activity represents only a fraction of a much larger compromised web infrastructure network under the group’s control.
The post Cyber Collective “Curly COMrades” Escalates Global Attacks on High-Value Targets appeared first on Cyber Security News.