
Curly COMrades: New Russian-Aligned Threat Actor Targeting Geopolitical Hotbeds

N2K Networks · September 27, 2025 · 25 min

Unveiling Curly COMrades

  • 💡 A newly identified Russian-aligned threat actor, dubbed "Curly COMrades," has been uncovered by Bitdefender Labs.
  • 🎯 This group is responsible for espionage campaigns targeting judicial, government, and energy organizations in Eastern Europe, specifically in regions geopolitically situated between Russia and Europe.
  • πŸ—“οΈ The group's activity was initially tracked from mid-2024, with evidence suggesting operations dating back to November 2023.

Tactics, Techniques, and Procedures (TTPs)

  • 🔑 Curly COMrades focuses on achieving long-term network access, credential theft, and maintaining stealthy persistence.
  • ⚙️ A novel backdoor, MucorAgent, has been documented; it hijacks a Windows COM class registration (CLSID) and relies on the .NET Native Image Generator (NGEN) to get executed without a conventional autostart entry.
  • 🌐 The threat actor leverages a large network of legitimate but compromised websites as traffic relays, blending malicious activity with normal web traffic to evade detection.
  • 🔌 They employ various methods for maintaining access, including SSH tunnels and custom SOCKS5 servers, demonstrating a persistent effort to regain access if discovered.

MucorAgent and Persistence Techniques

  • 🧠 The MucorAgent is a .NET-based tool that executes PowerShell and utilizes a unique activation method.
  • πŸ› οΈ It hijacks COM objects by modifying their target to execute the malicious agent instead of legitimate .NET framework components.
  • ⏳ Activation relies on a disabled scheduled task that is triggered by the system's idle state during .NET pre-compilation (NGEN), making its execution unpredictable and difficult to detect.
  • πŸ•΅οΈ This technique, combined with hijacking hidden COM classes, makes the agent's execution and persistence highly sophisticated and novel.

Operational Sophistication and Resilience

  • πŸ“ˆ The group's use of compromised legitimate websites for command and control (C2) and traffic relay indicates a highly organized and advanced operation.
  • 🔄 Curly COMrades demonstrates resilience by using multiple methods to re-establish access, including standard binaries such as SSH and tools such as stunnel to wrap its traffic in TLS.
  • 🎭 They are increasingly adopting a
Topics

Curly COMrades, Bitdefender Labs, Threat Actor, Espionage, Cybersecurity, Eastern Europe, MucorAgent, Persistence Techniques, COM Hijacking, NGEN, Scheduled Tasks, SSH Tunneling, Compromised Websites, APT Group, Malware Analysis