Curly COMrades APT
A previously undocumented cyber threat group, dubbed Curly COMrades, has been observed targeting high-profile entities in Georgia and Moldova. This campaign appears to be geared toward long-term infiltration and intelligence gathering within targeted networks. The group's activities reveal a calculated, persistent, and stealth-oriented approach aligned with Russia's geopolitical interests.
High-Value Targets and Early Activity
Since mid-2024, the group has focused on judicial and government bodies in Georgia and an energy distribution company in Moldova. Analysis of attack artifacts shows the operation began earlier than first thought: the earliest confirmed use of their custom backdoor, MucorAgent, dates to November 2023, and activity likely started before then.
Strategic Goals and Tactics
The endgame for Curly COMrades is prolonged network access, enabling reconnaissance, credential theft, and deeper lateral movement. They combine standard attack techniques with custom implementations to blend in with legitimate system operations. Their campaign is marked by:
- Repeated trial-and-error to refine access
- Redundant methods to ensure resilience
- Incremental setup steps to avoid detection
Credential Theft at the Core
The attackers repeatedly attempted to exfiltrate NTDS.dit, the Active Directory database held on domain controllers, to obtain the password hashes of every domain account for offline cracking or pass-the-hash reuse. They also tried to dump LSASS memory on selected machines to recover the credentials of logged-on users, which can include plaintext passwords depending on the host's configuration.
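A hunting script for the two behaviours just described, added here as an example; it is not Curly COMrades tooling and not code from the original report. It assumes Sysmon is installed with ProcessAccess (Event ID 10) and FileCreate (Event ID 11) logging, that "Audit Process Creation" with command-line logging (Security 4688) is enabled, and that it runs in an elevated session on the host being examined. The System32 allow-list and the NTDS command-line pattern are assumptions to tune, not indicators from the campaign.

```powershell
# Added hunting example for LSASS dumping and NTDS.dit extraction (not from the report).
# Assumes Sysmon Event 10/11 logging and Security 4688 with command-line auditing.

function Get-EventField {
    # Pull one named <Data> element out of a Windows event's XML body.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-LsassAccess {
    # Non-system processes opening lsass.exe with PROCESS_VM_READ, as credential dumpers do.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $target = Get-EventField $_ 'TargetImage'
        if ($target -notmatch '\\lsass\.exe$') { return }
        $source = Get-EventField $_ 'SourceImage'
        # GrantedAccess is logged as a hex string such as 0x1010 or 0x1fffff.
        $access = [Convert]::ToInt32((Get-EventField $_ 'GrantedAccess'), 16)
        # 0x10 = PROCESS_VM_READ. csrss, wininit, svchost and AV engines legitimately read
        # lsass, so System32 is used as a crude allow-list (assumption; tune for your estate).
        if (($access -band 0x10) -and ($source -notmatch '^C:\\Windows\\System32\\')) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Source        = $source
                GrantedAccess = '0x{0:x}' -f $access
                CallTrace     = Get-EventField $_ 'CallTrace'
            }
        }
    }
}

function Find-NtdsExtraction {
    # Command lines typical of offline NTDS.dit collection, and copies of ntds.dit landing
    # anywhere other than the live database directory.
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    $pattern = 'ntdsutil|ntds\.dit|vssadmin\s+create\s+shadow|diskshadow|wbadmin'   # assumed pattern
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = Get-EventField $_ 'CommandLine'
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security/4688'; Detail = $cmd }
            }
        }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = Get-EventField $_ 'TargetFilename'
            if ($file -match 'ntds\.dit$' -and $file -notmatch '^C:\\Windows\\NTDS\\') {
                $writer = Get-EventField $_ 'Image'
                [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon/11'; Detail = "$writer wrote $file" }
            }
        }
}

Find-LsassAccess    | Format-Table -AutoSize
Find-NtdsExtraction | Format-Table -AutoSize
```

A hit from Find-LsassAccess is only as good as the allow-list: an attacker who drops a dumper into System32 slips past the path test, so the CallTrace column is kept so an analyst can see which modules made the OpenProcess call. Find-NtdsExtraction needs 4688 command-line auditing to be on; without it the Security branch returns nothing and only the Sysmon FileCreate branch fires.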
Abuse of Legitimate Tools for Stealth
A hallmark of Curly COMrades' operations is the use of trusted software and services to mask malicious activity. Notable tools include:
- Resocks, SOCKS5, SSH, and Stunnel – creating multiple access tunnels into internal networks and enabling remote command execution
- Legitimate-but-compromised websites – acting as covert relays for C2 traffic and data exfiltration, blending with normal network flows
Additional weaponized utilities:
- CurlCat – bidirectional data transfer over HTTPS via compromised sites
- RuRat – a legitimate RMM tool used for persistent control
- Mimikatz – credential harvesting from memory
- Common Windows commands (netstat, tasklist, systeminfo, ipconfig, ping) for reconnaissance
- PowerShell scripts with curl for stealthy data exfiltration
MucorAgent: A Custom Persistence Weapon
At the heart of the campaign is MucorAgent, a bespoke .NET backdoor that hijacks COM Class Identifiers (CLSIDs) linked to the Native Image Generator (Ngen), a built-in .NET Framework component.
Ngen exists to pre-compile .NET assemblies, but its scheduled task gives the attackers a covert persistence trigger. The task ships disabled, yet Windows still runs it at unpredictable moments, typically during idle periods or when applications are deployed, and it runs as SYSTEM. With the COM class registrations that task relies on pointed at their payload, each run hands the attackers SYSTEM-level execution again without any action on their part that would trip an alarm.
The MucorAgent implant operates in three stages, executing encrypted PowerShell scripts and sending the results to attacker-controlled servers. Payloads are loaded into memory and deleted immediately afterward, leaving minimal forensic traces.
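A hunt for the persistence pattern described above, added here as an example; it is not MucorAgent code and not from the original report. The page does not name the CLSIDs that are hijacked, so rather than looking for specific identifiers the script flags any in-process COM server whose DLL sits outside the directories Windows and .NET normally use (an assumed allow-list), follows the CodeBase value that .NET COM servers register so a managed payload behind mscoree.dll is still seen, and reports the state and last run time of the Ngen scheduled tasks. It assumes an elevated 64-bit PowerShell session.

```powershell
# Added hunting example for COM CLSID hijacking and the Ngen task trigger (not from the report).
# The trusted-root list is an assumption; extend it for software installed elsewhere.

function Find-SuspiciousComServers {
    param(
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    # HKCU entries shadow HKLM for processes running as that user; SYSTEM services use HKLM.
    $hives = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
               'HKCU:\SOFTWARE\Classes\CLSID')
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $serverKey)) { return }
            $props = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
            $dll = [string]$props.'(default)'
            if (-not $dll) { return }
            $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
            # Bare file names resolve through the loader search path, starting in System32.
            if ($dll -notmatch '\\') { $dll = Join-Path "$env:SystemRoot\System32" $dll }
            # .NET COM servers register mscoree.dll here and keep the real assembly in CodeBase
            # (a file:/// URI). GAC-only registrations carry no CodeBase and are not resolved here.
            $codeBase = [string]$props.CodeBase
            if ($codeBase) {
                try { $dll = ([uri]$codeBase).LocalPath } catch { $dll = $codeBase }
            }
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            $exists = Test-Path -LiteralPath $dll
            # A registered server whose DLL is missing is the classic hijack window: whoever
            # drops a file at that path gets loaded by the next caller of the CLSID.
            if (-not $trusted -or -not $exists) {
                [pscustomobject]@{
                    Hive      = $hive
                    CLSID     = $_.PSChildName
                    ServerDll = $dll
                    OnDisk    = $exists
                    Flag      = $(if ($exists) { 'untrusted location' } else { 'missing (hijackable)' })
                }
            }
        }
    }
}

function Get-NgenTaskState {
    # The Ngen tasks are shipped disabled yet still run as SYSTEM at times Windows chooses;
    # a populated LastRun on a task that shows Disabled confirms that behaviour on this host.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\.NET Framework\' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task    = $_.TaskName
                State   = $_.State
                RunsAs  = $_.Principal.UserId
                LastRun = $info.LastRunTime
                Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
}

Find-SuspiciousComServers | Format-Table -AutoSize
Get-NgenTaskState         | Format-Table -AutoSize
```

Expect noise from third-party software that registers COM servers under its own install directory; the useful triage question for each hit is whether the DLL is signed, when it was written, and whether anything under the .NET Framework task path would ever instantiate it. Pair the registry sweep with Sysmon Event 13 (RegistryEvent value set) on `*\CLSID\*\InprocServer32` to catch the moment a hijack is planted rather than finding it after the fact.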
Methodical, Adaptive, and Stealth-First
Curly COMrades demonstrate a preference for stealth over novelty, relying on public tools, open-source utilities, and LOLBins rather than exploiting zero-day vulnerabilities. Their operations emphasize low-noise persistence and adaptability, using both common and customized tools to maintain long-term control without raising suspicion.