Curly COMrades APT Targets Georgia and Moldova, Leveraging Ngen for Persistence, Bitdefender Warns

A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and a major Moldovan energy distributor in a cyber espionage campaign built around long-term access to victim networks. Bitdefender describes the activity as a methodical operation aimed at keeping a foothold for reconnaissance and credential theft over extended periods.

In its assessment, Bitdefender notes that the actors repeatedly attempted to extract the NTDS database (ntds.dit) from domain controllers, the repository of every domain account's password hashes and authentication data, and to dump the memory of LSASS to recover the credentials of logged-on users, potentially including plain-text passwords. The investigation extends back to mid-2024; the earliest confirmed use of the MucorAgent malware dates to November 2023, though researchers believe the activity likely began earlier.

Curly COMrades are believed to be after durable access that supports ongoing reconnaissance and credential theft, letting the group move deeper into networks, collect data with custom tools, and exfiltrate it to attacker-controlled infrastructure. The attackers combine standard techniques with tailored implementations to blend into legitimate system activity; Bitdefender characterizes the approach as trial-and-error, with redundant methods and incremental setup steps that keep a resilient, low-noise foothold across multiple systems.

A notable aspect of the campaign is the use of legitimate tools and compromised infrastructure to hide malicious activity. The actors reportedly rely on Resocks, a reverse SOCKS5 proxy, for backdoor access, alongside SSH, Stunnel, and SOCKS5 proxies to open multiple conduits into internal networks and execute commands remotely. The initial access vector remains unknown.

Persistence is achieved through a bespoke backdoor named MucorAgent, which hijacks a CLSID (the globally unique identifier under which a COM object is registered) associated with Ngen, the .NET Framework's Native Image Generator, its ahead-of-time compiler. Bitdefender explains that the scheduled task that drives Ngen is normally disabled, yet Windows may enable and run it during idle time or after new .NET deployments; registering MucorAgent as that task's COM handler therefore gives the attackers a covert, if irregular, way to restore access.

Researchers highlight that abusing the CLSID linked to Ngen lets the attackers run malicious commands as SYSTEM, the account the task executes under; because Ngen's triggering is unpredictable in some environments, they suggest the group may also rely on other, more reliable execution methods. The MucorAgent implant is modular and launched through a three-stage process; its observed function is to execute an encrypted PowerShell script and upload the resulting output to a designated server. No separate mechanism for delivering new payloads was identified during the investigation.
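The following PowerShell is an added example, not tooling from Bitdefender or from the attackers, showing the check a defender would run for this persistence technique: enumerate the scheduled tasks under the .NET Framework folder, resolve the COM handler CLSID of each task to its registered server binary, and flag a handler that resolves through the user hive, outside the Windows and .NET directories, or to a binary without a valid Authenticode signature. The task folder, the trusted directory list and the action property names are assumptions about a standard Windows install; the script deliberately hard-codes no CLSID.

```powershell
# Added example (not Bitdefender's or the attackers' code): audit the COM handlers
# behind the .NET Framework NGEN scheduled tasks for CLSID hijacking.
# Assumes a standard Windows install; run from an elevated PowerShell session.
$taskPath = '\Microsoft\Windows\.NET Framework\'

# Assumption: a genuine handler for these tasks lives under one of these roots.
$trustedRoots = @(
    "$env:SystemRoot\Microsoft.NET\",
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\"
)

function Get-ComServer {
    # Resolve a CLSID to its registered server, checking HKCU before HKLM because a
    # per-user Classes entry shadows the machine-wide one for that user. The NGEN
    # task runs as SYSTEM, which resolves through HKLM, so that is where a hijack
    # aimed at this task would normally be written.
    param([Parameter(Mandatory)][string]$ClassId)
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $key = "${hive}:\Software\Classes\CLSID\$ClassId\$serverKey"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $raw = [string]((Get-Item -LiteralPath $key).GetValue(''))
            # Strip quotes; LocalServer32 values may also carry arguments after the path.
            if ($raw -match '^\s*"([^"]+)"') { $path = $Matches[1] }
            elseif ($serverKey -eq 'LocalServer32') { $path = ($raw -split '\s+')[0] }
            else { $path = $raw.Trim() }
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $signed = $false
            if ($path -and (Test-Path -LiteralPath $path)) {
                $signed = (Get-AuthenticodeSignature -LiteralPath $path).Status -eq 'Valid'
            }
            [pscustomobject]@{ Hive = $hive; Key = $serverKey; Server = $path; Signed = $signed }
        }
    }
}

function Test-NgenComHandler {
    foreach ($task in Get-ScheduledTask -TaskPath $taskPath) {
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            # Only COM-handler actions carry a ClassId; Exec actions are left alone here.
            if (-not $action.ClassId) { continue }
            $servers = @(Get-ComServer -ClassId $action.ClassId)
            if ($servers.Count -eq 0) {
                # A handler CLSID with no server registration at all is worth a look too.
                $servers = @([pscustomobject]@{ Hive = '(none)'; Key = ''; Server = ''; Signed = $false })
            }
            foreach ($s in $servers) {
                $inTrusted = [bool]($trustedRoots | Where-Object { $s.Server -like ($_ + '*') })
                [pscustomobject]@{
                    Task       = $task.TaskName
                    State      = $task.State      # Disabled is normal until Windows re-enables it
                    LastRun    = $info.LastRunTime
                    ClassId    = $action.ClassId
                    Hive       = $s.Hive
                    Server     = $s.Server
                    Signed     = $s.Signed
                    Suspicious = (-not $inTrusted) -or (-not $s.Signed) -or ($s.Hive -eq 'HKCU')
                }
            }
        }
    }
}

Test-NgenComHandler | Format-Table -AutoSize
```

A Disabled state combined with a recent LastRun is exactly the behaviour described above and is not itself suspicious; the Hive, Server and Signed columns carry the signal. A hijack that drops its DLL into System32 would pass the directory test, which is why the signature check is included; comparing the Server value against a known-good host of the same build is the simplest way to confirm a finding.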

Bitdefender notes that Curly COMrades also use legitimate but compromised websites as relays for C2 communications and data exfiltration, blending malicious traffic with normal web activity to evade detection. Beyond the tools above, researchers observed CurlCat for bidirectional data transfer over HTTPS, Mimikatz for extracting credentials from memory, and built-in commands such as netstat, tasklist, systeminfo, ipconfig, and ping for discovery. PowerShell scripts are used to exfiltrate stolen data such as credentials and domain information.
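As an added example that is not part of the Bitdefender report, the following PowerShell implements two detections a SOC would build from this page: one for the NTDS extraction and LSASS dumping attempts described earlier, and one for the burst of built-in discovery commands listed just above. It runs over a constructed set of process-creation records shaped like Security event 4688 with command-line auditing enabled (or Sysmon event 1); the sample events, hostnames, regular expressions and thresholds are invented for the illustration, and in production the records would come from Get-WinEvent or a SIEM export.

```powershell
# Added example, not part of the Bitdefender report. Detections for the credential-theft
# attempts and the discovery burst described above, run over constructed process-creation
# records shaped like Security event 4688 (command-line auditing on) or Sysmon event 1.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-11-04T09:14:03'; Computer = 'DC01'; User = 'CORP\svc-backup'
                       CommandLine = 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\d" q q' }
    [pscustomobject]@{ Time = [datetime]'2024-11-04T09:22:10'; Computer = 'WS07'; User = 'CORP\jdoe'
                       CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full' }
    [pscustomobject]@{ Time = [datetime]'2024-11-04T10:01:00'; Computer = 'WS07'; User = 'CORP\jdoe'
                       CommandLine = 'cmd.exe /c netstat -ano' }
    [pscustomobject]@{ Time = [datetime]'2024-11-04T10:01:05'; Computer = 'WS07'; User = 'CORP\jdoe'
                       CommandLine = 'cmd.exe /c tasklist /v' }
    [pscustomobject]@{ Time = [datetime]'2024-11-04T10:01:09'; Computer = 'WS07'; User = 'CORP\jdoe'
                       CommandLine = 'cmd.exe /c systeminfo' }
    [pscustomobject]@{ Time = [datetime]'2024-11-04T10:01:15'; Computer = 'WS07'; User = 'CORP\jdoe'
                       CommandLine = 'cmd.exe /c ipconfig /all' }
    [pscustomobject]@{ Time = [datetime]'2024-11-04T11:30:00'; Computer = 'WS12'; User = 'CORP\asmith'
                       CommandLine = 'ipconfig /all' }   # a lone lookup, not a burst
    [pscustomobject]@{ Time = [datetime]'2024-11-04T11:31:00'; Computer = 'WS12'; User = 'CORP\asmith'
                       CommandLine = 'notepad.exe C:\Users\asmith\notes.txt' }
)

# Credential theft: NTDS extraction and LSASS memory dumping, as seen in the campaign.
$credentialPatterns = @{
    'NTDS via ntdsutil IFM'   = 'ntdsutil(\.exe)?.*\bifm\b'
    'NTDS via shadow copy'    = 'vssadmin(\.exe)?\s+create\s+shadow|\\ntds\.dit\b'
    'LSASS dump via comsvcs'  = 'comsvcs\.dll\s*,\s*MiniDump'
    'LSASS dump via procdump' = 'procdump.*\blsass\b'
    'Mimikatz module'         = '\b(sekurlsa|lsadump)::'
}

# Discovery: the built-in commands the article lists, plus two common companions.
$discoveryCommands = 'netstat', 'tasklist', 'systeminfo', 'ipconfig', 'ping', 'whoami', 'nltest'
$discoveryRegex = '\b(' + (($discoveryCommands | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(\.exe)?\b'

function Find-CredentialTheft {
    param([object[]]$Events)
    foreach ($e in $Events) {
        foreach ($name in $credentialPatterns.Keys) {
            if ($e.CommandLine -match $credentialPatterns[$name]) {
                [pscustomobject]@{ Time = $e.Time; Computer = $e.Computer; User = $e.User
                                   Technique = $name; CommandLine = $e.CommandLine }
            }
        }
    }
}

function Find-DiscoveryBurst {
    # Flags a host that runs at least $MinDistinct different discovery commands within
    # $WindowMinutes; a single ipconfig from a help-desk user should not fire.
    param([object[]]$Events, [int]$MinDistinct = 3, [int]$WindowMinutes = 5)
    foreach ($group in ($Events | Group-Object Computer)) {
        $hits = @($group.Group | Where-Object { $_.CommandLine -match $discoveryRegex } | Sort-Object Time)
        $i = 0
        while ($i -lt $hits.Count) {
            $start  = $hits[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($hits | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $distinct = @($window | ForEach-Object {
                if ($_.CommandLine -match $discoveryRegex) { $Matches[1].ToLower() }
            } | Sort-Object -Unique)
            if ($distinct.Count -ge $MinDistinct) {
                [pscustomobject]@{ Computer = $group.Name; User = $window[0].User; Start = $start
                                   End = $window[-1].Time; Commands = ($distinct -join ', ') }
                $i += $window.Count   # skip past this burst rather than re-reporting its tail
            } else {
                $i++
            }
        }
    }
}

Find-CredentialTheft -Events $sample | Format-Table -AutoSize
Find-DiscoveryBurst  -Events $sample | Format-Table -AutoSize
```

On the constructed sample, the ntdsutil line on DC01 and the comsvcs MiniDump line on WS07 match the credential patterns, and WS07's four distinct commands inside fifteen seconds form a burst while the lone ipconfig on WS12 does not. The command-line patterns are deliberately narrow; the page's point that the group leans on built-in commands means the burst logic, not any single command, is what separates this activity from an administrator's day.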

Throughout the campaign, Bitdefender emphasizes, the attackers favor publicly available tools, open-source projects, and LOLBins over the exploitation of novel vulnerabilities, trading exploit development for stealth, flexibility, and a low risk of detection.