
Cyber Collective “Curly COMrades” Escalates Global Attacks on High-Value Targets

Cybersecurity researchers at Bitdefender Labs have uncovered a sophisticated new threat actor group operating in support of Russian interests, targeting critical infrastructure and government entities across Eastern Europe since mid-2024.

The group, dubbed “Curly COMrades,” has launched focused attacks against judicial and government bodies in Georgia and energy distribution companies in Moldova.

The threat actors demonstrate advanced persistence capabilities, repeatedly attempting to extract NTDS databases from domain controllers and dump LSASS memory to steal authentication credentials.

Their primary objective centers on maintaining long-term network access while systematically harvesting sensitive data for exfiltration.

Novel Backdoor Exploits Windows Framework

The group’s most significant innovation involves a previously unknown backdoor called “MucorAgent,” which employs an unprecedented persistence technique targeting Windows’ Native Image Generator (NGEN).

The malware hijacks Component Object Model (COM) objects through CLSID manipulation, specifically targeting the identifier {de434264-8fe9-4c0b-a83b-89ebeebff78e} associated with NGEN’s critical scheduled task.

“This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals, such as during system idle times or new application deployments, making it a great mechanism for restoring access covertly,” researchers noted.
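A defender-side triage check for the CLSID hijack described above. This is an added example, not code from Bitdefender or the report; it assumes the common COM-hijack pattern in which a per-user CLSID registration under HKCU shadows the machine-wide one under HKLM, which the article itself does not spell out.

```powershell
# Look for per-user COM server registrations that shadow machine-wide ones,
# starting with the NGEN task-handler CLSID named in the report.
# Assumption (constructed example): the hijack is an HKCU CLSID override.
$NgenClsid = '{de434264-8fe9-4c0b-a83b-89ebeebff78e}'

function Get-ComServerPath {
    param([string]$Hive, [string]$Clsid)
    # Return the registered server binary for a CLSID in the given hive, or $null.
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = "Registry::$Hive\Software\Classes\CLSID\$Clsid\$sub"
        if (Test-Path -LiteralPath $key) {
            return (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }
    return $null
}

function Test-ClsidHijack {
    param([string]$Clsid)
    $user    = Get-ComServerPath -Hive 'HKEY_CURRENT_USER'  -Clsid $Clsid
    $machine = Get-ComServerPath -Hive 'HKEY_LOCAL_MACHINE' -Clsid $Clsid
    [pscustomobject]@{
        Clsid         = $Clsid
        UserServer    = $user
        MachineServer = $machine
        # A per-user server for a CLSID that differs from (or has no) machine-wide
        # registration is the classic hijack signature; treat hits as a triage list,
        # since some legitimate per-user applications register COM servers too.
        Suspicious    = [bool]$user -and ($user -ne $machine)
    }
}

# 1. Check the specific NGEN CLSID from the report.
Test-ClsidHijack -Clsid $NgenClsid | Format-List

# 2. Sweep every per-user CLSID for the same shadowing pattern.
Get-ChildItem -LiteralPath 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ClsidHijack -Clsid $_.PSChildName } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

Run it in an elevated 64-bit PowerShell session so the machine-wide view reflects the native registry; pair any hit with a review of the scheduled task that references that CLSID.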

[Image: Taskhandler]

The three-stage malware executes AES-encrypted PowerShell scripts and disguises output as legitimate PNG image files before exfiltration via curl.exe.

Infrastructure Leverages Compromised Legitimate Sites

Curly COMrades employs a sophisticated traffic relay system using compromised legitimate websites to obscure their command-and-control infrastructure.

This approach significantly complicates detection by blending malicious communications with regular network traffic, allowing the group to bypass security defenses that trust known domains.

The group extensively utilizes proxy tools, including Resocks, SSH, and Stunnel, to establish multiple network entry points.

Analysis revealed the attackers maintained persistent access through various Windows services and scheduled tasks designed to mimic legitimate system processes, such as “MicrosoftWindowsUpdateOrchestratorCheck_AC”.

Bitdefender researchers deliberately chose the derogatory name “Curly COMrades” to challenge industry conventions of assigning sophisticated monikers to threat actors.

“They are not ‘fancy bears’ or ‘wizard spiders’; they are simply malicious actors engaged in disruptive and harmful behavior,” the research team stated.

The naming decision reflects both technical indicators (heavy use of curl.exe for communications and COM object hijacking) and the group’s alignment with Russian Federation geopolitical objectives.

Security experts believe the observed activity represents only a fraction of a much larger compromised web infrastructure network under the group’s control.


The post Cyber Collective “Curly COMrades” Escalates Global Attacks on High-Value Targets appeared first on Cyber Security News.

rssfeeds-admin
