Ethical Hacking News
A new APT (Advanced Persistent Threat) actor has been discovered, dubbed "Curly COMrades" for its reliance on NGEN COM hijacking in targeting entities in Georgia and Moldova. The group's sophisticated tactics include the use of legitimate tools for malicious purposes and a bespoke backdoor to establish long-term access to carry out reconnaissance, credential theft, and data exfiltration.
The Curly COMrades APT group has been targeting entities in Georgia and Moldova as part of a sophisticated cyber espionage campaign. The attackers' primary goal is to establish long-term access for reconnaissance, credential theft, and exfiltrating sensitive data. The group utilizes various techniques, including the hijacking of COM objects and the use of the curl utility for command-and-control (C2) and data transfer. A bespoke backdoor called MucorAgent is used to execute malicious commands under the highly privileged SYSTEM account. The attackers employed legitimate-but-compromised websites as relays during C2 communications and data exfiltration to blend malicious traffic with normal network activity.
The cybersecurity landscape has seen numerous threats emerge over the years, each with its unique tactics, techniques, and procedures (TTPs). Recently, a new threat actor dubbed "Curly COMrades" gained attention from cybersecurity experts and researchers alike. According to recent reports, this APT (Advanced Persistent Threat) group has been targeting entities in Georgia and Moldova as part of a sophisticated cyber espionage campaign.
The attacks, tracked by the Romanian cybersecurity company Bitdefender since mid-2024, have singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova. The attackers' primary goal is to establish long-term access to carry out reconnaissance, credential theft, and exfiltrate sensitive data to attacker-controlled infrastructure.
The Curly COMrades APT group utilizes various techniques to achieve its objectives, including the hijacking of COM objects using the curl utility for command-and-control (C2) and data transfer. The attackers' reliance on legitimate tools like Resocks, SSH, and Stunnel allows them to create multiple conduits into internal networks and remotely execute commands using stolen credentials.
One notable aspect of the attacks is the use of a bespoke backdoor called MucorAgent, which hijacks class identifiers (CLSIDs) linked to the Native Image Generator (Ngen), an ahead-of-time compilation service that is part of the .NET Framework. This technique enables the attackers to execute malicious commands under the highly privileged SYSTEM account.
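As an added illustration of where a CLSID hijack leaves traces (this is not code from the article or from Bitdefender's report), the following PowerShell enumerates registered COM servers and flags registrations whose binary lies outside the Windows and Program Files directories, no longer exists on disk, or is a per-user entry shadowing a machine-wide one. It assumes the hijacked CLSIDs are unknown (the article does not list them) and therefore checks every registered class.

```powershell
# Added example, not from the article or the Bitdefender report.
# Assumption: the specific Ngen-related CLSIDs are not given, so every CLSID under
# HKLM and HKCU is inspected. "Suspicious" here means a COM server path outside the
# standard Windows/Program Files locations, a server file that no longer exists, or
# an HKCU registration that shadows an HKLM one (per-user keys take precedence).

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ComServerPath {
    param([string]$KeyPath)
    $value = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $value) { return $null }
    # Expand %SystemRoot%-style variables, then strip quotes and trailing arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($value.Trim())
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    return ($expanded -split '\s+')[0]
}

function Test-SuspiciousComServer {
    param([string]$Path)
    if (-not $Path) { return $false }
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    return (-not $inTrusted) -or (-not (Test-Path -LiteralPath $Path))
}

$findings = @()
foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $server = Get-ComServerPath -KeyPath (Join-Path $_.PSPath $sub)
            if (Test-SuspiciousComServer -Path $server) {
                $findings += [pscustomobject]@{ Hive = $hive.Split(':')[0]; CLSID = $_.PSChildName; Server = $sub; Path = $server }
            }
        }
    }
}

# A per-user CLSID that also exists machine-wide is the classic user-level hijack
# pattern; report it regardless of where its server path points.
$machineClsids = (Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue).PSChildName
Get-ChildItem 'HKCU:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
    Where-Object { $machineClsids -contains $_.PSChildName } |
    ForEach-Object { $findings += [pscustomobject]@{ Hive = 'HKCU'; CLSID = $_.PSChildName; Server = 'shadows HKLM'; Path = '' } }

$findings | Sort-Object CLSID | Format-Table -AutoSize
```

Expect some benign hits from third-party software installed outside Program Files; the value of the scan is comparing its output against a known-good baseline of the same host.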
The design of MucorAgent suggests that it was likely intended to function as a backdoor capable of executing payloads on a periodic basis. Each encrypted payload is deleted after being loaded into memory, and no additional mechanism for regularly delivering new payloads was identified.
Furthermore, the attackers employed legitimate-but-compromised websites as relays during C2 communications and data exfiltration to blend malicious traffic with normal network activity. Other tools observed in the attacks include CurlCat, RuRat, Mimikatz, and various built-in commands like netstat, tasklist, systeminfo, ipconfig, and ping to conduct discovery.
The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments. The attackers' reliance on publicly available tools, open-source projects, and LOLBins demonstrates their preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.
According to Martin Zugec, technical solutions director at Bitdefender, the earliest confirmed date for the use of MucorAgent malware is November 2023, though it is highly probable that the group was active before that time. The attackers' activities were characterized by repeated trial-and-error, use of redundant methods, and incremental setup steps - all aimed at maintaining a resilient and low-noise foothold across multiple systems.
In conclusion, the Curly COMrades APT group represents a significant threat to organizations in Georgia and Moldova. Their sophisticated tactics, including NGEN COM hijacking and the use of legitimate tools for malicious purposes, make them a formidable opponent in the world of cyber espionage. As cybersecurity experts and researchers continue to monitor this threat actor's activities, it is essential to stay vigilant and implement robust security measures to prevent similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-APT-Actor-Emerges-Curly-COMrades-Utilizes-NGEN-COM-Hijacking-for-Georgia-and-Moldova-Attacks-ehn.shtml
Published: Tue Aug 12 09:23:42 2025 by llama3.2 3B Q4_K_M