Curly COMrades: The Russian-Linked Cyber Threat Targeting Eastern Europe

Listen to this Post

Featured Image

Unveiling a Sophisticated Cyber Menace

Since mid-2024, cybersecurity researchers at Bitdefender Labs have identified a highly advanced cyber threat group, operating in alignment with Russian interests, that has been systematically targeting critical infrastructure and government institutions across Eastern Europe. Dubbed “Curly COMrades,” this group has focused its attacks on judicial and governmental entities in Georgia, as well as energy distribution networks in Moldova. The actors exhibit a high level of technical skill, with long-term network persistence and sophisticated methods for stealing sensitive data, particularly authentication credentials, from compromised systems. Their campaigns emphasize stealth, resilience, and strategic exfiltration, marking a significant escalation in regional cyber threats.

Persistent and Strategic Cyber Intrusions

Curly COMrades have shown a unique ability to maintain ongoing access to targeted networks. Their operations frequently attempt to extract NTDS databases from domain controllers and dump LSASS memory, aiming to capture high-value credentials. This approach allows them to move laterally within networks undetected and secure long-term control, demonstrating a carefully orchestrated strategy rather than opportunistic attacks.

Innovation with MucorAgent Backdoor

The group’s most notable innovation is a newly discovered backdoor named MucorAgent, which targets the Windows Native Image Generator (NGEN) using an unprecedented persistence technique. By hijacking COM objects through CLSID manipulation, MucorAgent exploits a scheduled task identifier that appears dormant but executes unpredictably, particularly during system idle periods or application deployments. This makes restoring access covertly much easier. The malware operates in three stages, using AES-encrypted PowerShell scripts, and disguises its output as legitimate PNG image files before sending it out via curl.exe, a method that further conceals malicious activity.

Exploiting Legitimate Infrastructure

Curly COMrades cleverly leverages compromised legitimate websites as traffic relays, making detection extremely challenging. By blending malicious communications with normal network traffic, they avoid triggering standard security measures. They also deploy a range of proxy tools, including Resocks, SSH, and Stunnel, creating multiple, resilient entry points. Persistent access is maintained through various Windows services and scheduled tasks, deliberately designed to mimic legitimate system processes like Microsoft\Windows\UpdateOrchestrator\Check_AC, increasing stealth.

Industry Naming Conventions Challenged

Bitdefender researchers named the group “Curly COMrades” to break away from the trend of assigning dramatic or exotic names to cyber threat actors. This emphasizes that their operations are purely malicious, focusing on disruption and strategic advantage rather than media flair. The group’s use of curl.exe and COM object hijacking, along with clear geopolitical alignment, informed this naming decision. Experts believe the attacks currently observed are only a small portion of a much larger, compromised network infrastructure under the group’s control.

What Undercode Say:

The emergence of Curly COMrades underscores the evolution of cyber threats targeting state and critical infrastructure sectors. Their methodical approach demonstrates that modern cyber espionage is no longer just about ransomware or data theft—it’s about strategic persistence, invisibility, and leveraging existing trusted systems. By hijacking COM objects and exploiting scheduled tasks that appear inactive, MucorAgent introduces a novel technique that is difficult for conventional endpoint detection systems to identify.

The use of legitimate websites as relay points complicates network security protocols further, blending attacks seamlessly into normal traffic patterns. This tactic reduces the likelihood of detection while enabling a broader, multi-stage cyber operation. The inclusion of encrypted PowerShell scripts hidden in PNG files highlights the growing sophistication in data exfiltration methods, reflecting an industry-wide trend where attackers increasingly hide malicious operations within seemingly benign formats.

Curly COMrades’ focus on energy infrastructure and governmental bodies in Eastern Europe is indicative of geo-strategic objectives, with cyber attacks functioning as tools of influence and disruption. The attackers’ persistence capabilities suggest they plan long-term intelligence collection, potentially laying groundwork for operational sabotage or influence campaigns. Their ability to mimic legitimate Windows services and tasks means standard heuristics often fail to flag suspicious activity, pointing to a need for next-generation detection solutions.

Furthermore, their strategic choice to exploit both technical vulnerabilities and social trust mechanisms—like well-known websites—illustrates a combined cyber-physical strategy that can have ripple effects across industries reliant on digital infrastructure. Analysts should consider this a wake-up call for organizations in high-risk sectors to adopt layered defense strategies: combining endpoint monitoring, behavior analysis, and advanced threat intelligence to counter these emerging tactics.

Curly COMrades exemplify a broader trend in cyber warfare where threat actors are highly disciplined, targeted, and adaptive. Their operations are a study in patience and precision, demonstrating that effective cyber threats no longer rely solely on brute-force attacks but rather on deep system knowledge, stealth, and strategic patience. Companies and governments must focus on pre-emptive defense, resilience planning, and continuous monitoring of unusual system behavior to mitigate such threats effectively.

🔍 Fact Checker Results:

✅ Curly COMrades are linked to Russian interests and have targeted Georgia and Moldova.

✅ MucorAgent exploits Windows NGEN via COM object hijacking.

✅ Attacks use legitimate websites and encrypted PowerShell scripts for stealthy exfiltration.

📊 Prediction

As geopolitical tensions remain high, we can expect Curly COMrades and similar threat groups to expand their operations across Eastern Europe, potentially targeting critical infrastructure like power grids, transportation networks, and government databases. Future attacks are likely to become more stealthy and sophisticated, employing multi-stage malware and leveraging compromised trusted systems to evade detection. Organizations will need to adopt AI-driven threat detection, anomaly monitoring, and proactive intelligence sharing to prevent prolonged network intrusions and safeguard sensitive national infrastructure.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon