
Curly Comrades: Unpacking a Sophisticated APT Group Targeting Geopolitical Hotbeds

N2K Networks · September 27, 2025 · 26 min · 425 views

The "Curly Comrades" Threat Actor

  • 🎯 The "Curly Comrades" APT group, identified by Bitdefender, targets regions geopolitically situated between Russia and Europe.
  • 💡 The group's name is derived from their frequent use of curl.exe and their technique of hijacking COM objects for persistence.
  • 💰 Their primary motivation appears to be long-term data exploitation, indicating sophisticated espionage activities.

Technical Sophistication and Persistence

  • 🧩 A core tool used is the Mukor agent, written in .NET, which executes PowerShell and employs a novel activation method.
  • βš™οΈ Mukor agent hijacks .NET framework's COM handlers and utilizes a scheduled task triggered by system idle time for execution, making it highly stealthy.
  • πŸ” This technique relies on the .NET JIT compilation process and a disabled-by-default scheduled task, making its activation unpredictable.
  • 🌐 The group leverages a large network of legitimate, compromised websites as traffic, suggesting a broader infrastructure than initially observed.
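The two persistence traits described above (a scheduled task with an idle trigger that may sit disabled, and a COM class redirected through the registry) are both visible to a defender without any vendor tooling. The following read-only PowerShell triage script is an added example and is not code from the podcast, from Bitdefender, or from any Curly Comrades tooling; it names no CLSID or task specific to the group, because the summary above gives none. It lists every scheduled task that carries an idle trigger, whatever its state, and every per-user CLSID InprocServer32 registration under HKCU, flagging those that shadow a machine-wide registration in HKLM, which is the classic COM-hijack shape.

```powershell
# Added example, not from the podcast or Bitdefender. Read-only triage for two
# persistence traits: idle-triggered scheduled tasks and per-user COM server
# registrations that shadow machine-wide ones. Run in an elevated session on the
# host under investigation; nothing is modified.

# 1) Scheduled tasks that fire on an idle trigger. Disabled tasks are included on
#    purpose: a disabled-by-default task is easy to miss when only enabled tasks
#    are reviewed, yet it can be enabled later by the same actor.
function Get-IdleTriggeredTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $idle = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskIdleTrigger'
        }
        if ($idle) {
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State        # includes 'Disabled'
                    Execute   = $action.Execute    # binary the task launches
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# 2) Per-user COM server registrations. For medium-integrity processes,
#    HKCU\Software\Classes\CLSID is consulted before HKLM, so a user-hive entry
#    can redirect a CLSID that legitimate software loads to an attacker DLL.
#    (Elevated processes ignore the per-user hive, so hijacks there aim at
#    ordinary user-context processes.)
function Get-ShadowedComServers {
    $userRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid      = $_.PSChildName
        $userServer = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $userServer)) { return }   # skip CLSIDs without an in-proc server

        $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'

        $machineServer = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineServer) {
            $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
        }

        # Resolve %VARS% and strip surrounding quotes so the on-disk check is honest.
        $resolved = $null
        if ($userDll) {
            $resolved = [Environment]::ExpandEnvironmentVariables($userDll.Trim('"'))
        }

        [pscustomobject]@{
            CLSID          = $clsid
            UserDll        = $userDll
            MachineDll     = $machineDll
            ShadowsMachine = [bool]$machineDll          # HKLM entry exists for the same CLSID
            UserDllOnDisk  = ($resolved -and (Test-Path $resolved))
        }
    }
}

Write-Host '== Scheduled tasks with an idle trigger (any state) =='
Get-IdleTriggeredTasks | Format-Table -AutoSize

Write-Host '== HKCU CLSID InprocServer32 entries (ShadowsMachine = True is the hijack shape) =='
Get-ShadowedComServers | Sort-Object ShadowsMachine -Descending | Format-Table -AutoSize
```

An entry with ShadowsMachine set and a UserDll outside the expected program or system directories is the first thing to pull for analysis; an idle-triggered task whose Execute is a scripting host or a living-off-the-land binary deserves the same attention, regardless of whether it is currently disabled. Run the script under each interactive user account (or load their hives), since HKCU is per user.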

Operational Tactics and Resilience

  • 🔑 Initial access methods remain unknown, a common challenge in forensic investigations.
  • 🔄 The group demonstrates a strong focus on proxying access and maintaining multiple backdoors, using tools like SSH and custom SOCKS servers.
  • 📈 Resilience is a key trait, with the group employing various methods to regain access if detected and removed.
  • 💻 There's a trend towards using legitimate, common binaries (living off the land) and abusing Remote Monitoring and Management (RMM) tools, rather than solely relying on custom malware.

Recommendations for Defense

  • πŸ›‘οΈ Organizations need EDR/XDR solutions to detect suspicious behavior and reduce attacker dwell time.
  • πŸ§‘β€πŸ’» A properly staffed and trained Security Operations Center (SOC) or managed detection and response service is crucial for responding to alerts.
  • πŸ“š Staying updated with the latest research on threat actor TTPs, especially living-off-the-land techniques and RMM abuse, is vital for effective defense.
Topics Discussed

Curly Comrades, APT Group, Cyber Espionage, Malware Analysis, Mukor Agent, DLL Sideloading, COM Hijacking, Scheduled Tasks, .NET Framework, Living Off The Land, RMM Abuse, Bitdefender, Geopolitical Targeting, Network Security, Threat Intelligence