5 malware families | Exploits CVEs in the wild

Curly COMrades

Also known as: Curly COMrades

Curly COMrades is a previously undocumented cyber-espionage threat actor tracked by Bitdefender since mid-2024 and assessed to operate in support of Russian geopolitical interests. Bitdefender reported insufficient evidence to attribute the activity to an existing known group, although Amazon noted overlap between a Russian-nexus cluster, Sandworm, and the actor Bitdefender tracks as Curly COMrades. Reported targets include judicial and government bodies in Georgia and an energy distribution company (reported elsewhere as energy firms) in Moldova. The actor's objective is long-term covert access, followed by credential theft, lateral movement, and data exfiltration.

Observed credential-access activity includes repeated attempts to extract NTDS.dit, LSASS dumping, and DCSync, using tooling and methods that include Mimikatz, comsvcs.dll abuse, procdump, Volume Shadow Copy-based NTDS extraction, and custom or adapted LSASS dump tools. The group also ran common discovery commands and Active Directory PowerShell cmdlets.

Curly COMrades relies heavily on proxying, tunneling, and remote-access tooling, including Resocks, SOCKS5 servers, SSH remote port forwarding, Stunnel, Ligolo-ng, Rsockstun, CCProxy, and the legitimate RMM tool Remote Utilities (RuRat). The actor also used compromised legitimate websites as relays for command-and-control and exfiltration, blending in with normal traffic. Exfiltration was described as relatively infrequent and often manually driven: data was commonly staged in C:\Users\Public\Documents, archived with rar.exe, and uploaded with curl.exe.

Bitdefender identified a custom three-stage .NET backdoor named MucorAgent. MucorAgent persists through COM/CLSID hijacking tied to the .NET NGEN scheduled task, which runs as SYSTEM; the hijacked CLSIDs observed were {de434264-8fe9-4c0b-a83b-89ebeebff78e} and {613fba38-a3df-4ab8-9674-5604984a299a}. It executes AES-encrypted PowerShell through the System.Management.Automation namespace without launching powershell.exe, applies an AMSI bypass, and exfiltrates results via curl.exe with the output disguised as PNG data.

A notable tradecraft element is the abuse of Microsoft Hyper-V on compromised Windows 10 systems to create a hidden Alpine Linux-based virtual machine for stealthy operations and EDR evasion. The attackers enabled Hyper-V, disabled the Hyper-V management clients feature, imported a lightweight VM disguised as "WSL," and used Hyper-V's Default Switch so that outbound traffic appeared to originate from the host IP. Inside the VM they deployed two custom implants: CurlyShell, a persistent HTTPS reverse shell with cron-based persistence, and CurlCat, a reverse proxy/tunneling tool that wraps SSH traffic in HTTP/HTTPS requests. Bitdefender and the Georgian CERT also reported PowerShell-based post-exploitation, including Kerberos ticket injection into LSASS and Group Policy-distributed scripts that created or reset local accounts for persistence.

Known aliases and related names directly mentioned in the source content are limited to Curly COMrades / curly_comrades. Custom malware and subcomponents associated with the actor include MucorAgent, CurlyShell, and CurlCat.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • government
  • energy

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic (4 of 15 tactics covered; 8 technique entries including sub-techniques).

TA0003 Persistence (1 technique)
  • T1546 Event Triggered Execution: T1546.015 Component Object Model Hijacking

TA0004 Privilege Escalation (1 technique)
  • T1546 Event Triggered Execution: T1546.015 Component Object Model Hijacking

TA0005 Stealth (Defense Evasion) (1 technique)
  • T1564 Hide Artifacts: T1564.006 Run Virtual Instance

TA0006 Credential Access (1 technique)
  • T1003 OS Credential Dumping: T1003.003 NTDS

What this page doesn't show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: sector and geo overlap with your footprint, the IOCs they're burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (4)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (5)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (1)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.