Ethical Hacking News

Unraveling the Shadowy World of Curly COMrades: A Cyber-Espionage Threat Group With a Customized Malware Arsenal


Recent reports from Bitdefender have shed light on the activities of Curly COMrades, a newly identified threat group, highlighting its use of sophisticated malware and customized tools to target government organizations and energy firms in Moldova.

  • Curly COMrades is a newly identified cyber-espionage threat group using sophisticated and customized malware.
  • The group's primary tool, MucorAgent, is a .NET backdoor capable of executing an AES-encrypted PowerShell script.
  • Curly COMrades has been targeting government organizations and energy firms in Moldova, as well as judicial bodies in Georgia.
  • The threat actor uses curl.exe for data exfiltration and communication with its C2 server, earning it the name "Curly COMrades".
  • MucorAgent is part of a three-stage malware component, used alongside custom SOCKS5 servers and SSH + Stunnel for remote port forwarding.
  • Curly COMrades hijacks CLSIDs associated with NGEN, gaining persistence through a scheduled task that is disabled yet still run by the operating system.
  • The group attempted to extract the NTDS database from domain controllers, steal data, and dump LSASS memory to recover user credentials.
  • MucorAgent was not able to completely evade detection by modern EDR/XDR sensors due to its alignment with the Russian Federation's geopolitical goals.
  • Curly COMrades uses legitimate remote monitoring software like Remote Utilities (RuRat) and RMM tools to maintain control over compromised systems.



    Curly COMrades, a newly identified cyber-espionage threat group, has been making waves in the cybersecurity community with its sophisticated and highly customized malware arsenal. According to recent reports from cybersecurity experts at Bitdefender, this group of malicious actors has been actively targeting government organizations and energy firms in Moldova, as well as judicial bodies in Georgia.

    At the heart of Curly COMrades' operations is a custom-made backdoor malware component dubbed MucorAgent. This complex piece of malware is engineered as a stealthy .NET tool capable of executing an AES-encrypted PowerShell script and uploading the resulting output to a designated server. The researchers have observed that the threat actor's use of curl.exe for data exfiltration and communication with its command-and-control (C2) server earns it the name "Curly COMrades," a nod to the heavy use of this tool in their attack chain.

    MucorAgent is part of a three-stage malware component, and the attack chain includes hijacking Component Object Model (COM) objects. The attackers have been using a custom SOCKS5 server and SSH + Stunnel for remote port forwarding, with some connections routed through a custom tool called CurlCat. This obfuscation technique uses a custom Base64 alphabet to relay traffic through compromised legitimate websites.

    One of the most intriguing aspects of Curly COMrades' persistence mechanism is its hijacking of CLSIDs (Class IDs) to target NGEN (Native Image Generator). NGEN is a default Windows .NET Framework component whose scheduled task is normally disabled, and hijacking a CLSID it loads gives the attackers persistence through that disabled task. The researchers have noted that even though the task appears inactive, the operating system enables and executes it at random intervals.
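As an added example that is not part of the Bitdefender report or this article, the following Python hunt looks for the per-user CLSID override pattern that a COM hijack of this kind relies on: a CLSID registered under HKCU that shadows a machine-wide HKLM registration, or whose server DLL lives outside the Windows and Program Files trees. It parses constructed .reg exports of both hives; the GUIDs and paths are placeholders, not the group's real indicators.

```python
import re
from typing import Dict, List

# Constructed .reg exports (assumption): placeholder GUIDs and paths, not real IoCs.
HKLM_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit_a.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\legit_b.dll"
"""
HKCU_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\shadow.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

# Matches "[HKEY_...\Software\Classes\CLSID\{guid}\InprocServer32]" style key headers.
KEY_RE = re.compile(
    r"^\[HKEY_[A-Z_]+\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"\\(InprocServer32|LocalServer32)\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's default value (server path)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_clsid_servers(reg_text: str) -> Dict[str, str]:
    """Map each CLSID to its unescaped COM server path from a .reg export."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1).upper()
            continue
        val = DEFAULT_RE.match(line.strip())
        if val and current:
            servers[current] = val.group(1).replace("\\\\", "\\")  # .reg escapes "\" as "\\"
    return servers

def find_hijack_candidates(hklm: Dict[str, str], hkcu: Dict[str, str]) -> List[dict]:
    """Flag HKCU registrations that shadow HKLM ones or point at untrusted paths."""
    findings = []
    for clsid, path in hkcu.items():
        reasons = []
        if clsid in hklm:  # per-user key takes precedence over the machine-wide one
            reasons.append(f"shadows HKLM server {hklm[clsid]}")
        if not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("server outside Windows/Program Files")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings
```

On a live host the same two functions can be fed the output of `reg export` for each hive; a hit is a starting point for review, since some legitimate per-user COM registrations also exist.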

    Bitdefender has observed that Curly COMrades repeatedly tried to extract the NTDS database from domain controllers to support lateral movement across the network and the theft and exfiltration of data. They also attempted to dump LSASS memory from specific systems to recover active user credentials.

    Despite its advanced capabilities, MucorAgent was not able to completely evade detection by modern EDR/XDR sensors. The researchers believe that this is due to the fact that the attackers' operations align with the geopolitical goals of the Russian Federation and may be part of a larger espionage campaign.

    In addition to MucorAgent, Curly COMrades has also been known to use the legitimate Remote Utilities (RuRat) remote monitoring software to maintain interactive control over compromised systems. Furthermore, they have employed Remote Monitoring and Management (RMM) tools, a class of utility widely used by IT professionals to monitor, manage, and maintain client IT assets.

    The threat group's activities demonstrate the ongoing cat-and-mouse game between cybersecurity experts and sophisticated cyber-espionage actors. As with any new threat actor, it is essential for organizations to remain vigilant and proactive in protecting themselves against such malicious activity.

    In light of this recent development, it has become clear that password management is a critical aspect of cybersecurity that cannot be overlooked. A recent report from Picus Blue highlights the growing concern over password cracking, noting a 2X increase in incidents compared to last year, with nearly half of environments experiencing password cracks.

    The findings from Picus Blue underscore the importance of robust password management practices and highlight the need for organizations to prioritize this critical aspect of cybersecurity. By staying informed about emerging threats and implementing effective measures to protect themselves, organizations can reduce their risk of falling prey to sophisticated cyber-espionage attacks like those perpetrated by Curly COMrades.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Unraveling-the-Shadowy-World-of-Curly-COMrades-A-Cyber-Espionage-Threat-Group-With-a-Customized-Malware-Arsenal-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/curly-comrades-cyberspies-hit-govt-orgs-with-custom-malware/


  • Published: Tue Aug 12 10:35:59 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.