A New Threat Actor Targeting Geopolitical Hotbeds
Bitdefender Labs has uncovered a new threat actor group named Curly COMrades, operating since mid-2024 to support Russian interests. The group targets critical organizations in countries experiencing geopolitical shifts, focusing on judicial and government bodies in Georgia and an energy distribution company in Moldova. Their primary objective is to maintain long-term network access and steal credentials. The attackers use proxy tools like Resocks, SSH, and Stunnel to establish multiple entry points, and deploy a new backdoor called MucorAgent. They also utilize compromised legitimate websites as traffic relays to complicate detection. The group's tactics include credential theft, lateral movement, and data exfiltration, employing both custom and open-source tools.
AI Analysis
Technical Summary
The Curly COMrades threat actor group, identified by Bitdefender Labs in mid-2024, is a state-aligned cyber espionage entity supporting Russian geopolitical interests. Their operations focus on critical infrastructure and government institutions in regions undergoing geopolitical tension, specifically targeting judicial and governmental bodies in Georgia and an energy distribution company in Moldova. The group’s primary goal is to maintain persistent, long-term access to victim networks to conduct credential theft, lateral movement, and data exfiltration. They employ a sophisticated toolkit combining custom malware and open-source tools. A notable component is their proprietary backdoor named MucorAgent, which facilitates stealthy remote access. To evade detection and complicate attribution, Curly COMrades leverage proxy tools such as Resocks, SSH tunnels, and Stunnel, establishing multiple redundant entry points. Additionally, they exploit compromised legitimate websites as traffic relays, masking command and control communications within legitimate network traffic. Their tactics include credential dumping (T1003), lateral movement (T1021), process injection (T1055), and hijacking CLSID entries (T1212), among others, reflecting a mature and multi-faceted attack methodology. The absence of known exploits in the wild suggests targeted, selective operations rather than broad campaigns. Overall, Curly COMrades represent a persistent threat actor with capabilities tailored for espionage and network persistence in geopolitically sensitive environments.
Potential Impact
For European organizations, especially those in Eastern Europe and the Caucasus region, the Curly COMrades threat poses significant risks. The targeting of judicial and governmental bodies in Georgia and critical energy infrastructure in Moldova indicates a focus on destabilizing governance and energy supply chains, which could have cascading effects on regional stability and security. Credential theft and lateral movement capabilities enable the attackers to compromise additional systems, potentially leading to unauthorized access to sensitive data, disruption of critical services, and undermining trust in public institutions. The use of proxy tools and compromised legitimate websites complicates detection and incident response, increasing the likelihood of prolonged undetected intrusions. European organizations involved in energy distribution, government administration, or judicial functions, particularly those with connections or operational overlap with Georgian or Moldovan entities, may face indirect exposure or collateral risk. Furthermore, the geopolitical context heightens the threat of espionage and sabotage activities that could impact national security and critical infrastructure resilience within the European Union and neighboring states.
Mitigation Recommendations
To mitigate the Curly COMrades threat, European organizations should implement a multi-layered defense strategy tailored to advanced persistent threats (APTs). Specific recommendations include:
1) Enhance network segmentation and enforce strict access controls to limit lateral movement opportunities within networks.
2) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with credential dumping, process injection, and backdoor activity, including monitoring for unusual use of proxy tools like Resocks, SSH tunnels, and Stunnel.
3) Conduct regular credential hygiene practices, including enforcing multi-factor authentication (MFA) for all privileged accounts and frequent password rotations to reduce the impact of credential theft.
4) Monitor network traffic for anomalies, especially outbound connections to suspicious or compromised legitimate websites used as traffic relays, employing threat intelligence feeds to identify known malicious domains.
5) Implement threat hunting exercises focused on detecting indicators of compromise related to MucorAgent and associated TTPs (tactics, techniques, and procedures).
6) Maintain up-to-date inventories of critical assets and conduct regular vulnerability assessments to identify and remediate potential entry points.
7) Foster information sharing with national cybersecurity centers and regional CERTs to stay informed about emerging threats and coordinated response efforts.
8) Train staff on social engineering risks and phishing awareness, as initial access vectors often exploit human factors.
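Recommendations 4 and 5 come down to checking telemetry against the published indicators. The script below is an added illustration of that step, not code from Bitdefender or from the pulse author: it loads a subset of the file hashes and IP addresses listed under Indicators of Compromise on this page (extend the two sets with the full list), extracts hash-like and IP-like tokens from arbitrary log lines, and reports exact matches. The proxy- and EDR-style log lines are constructed for the example and are not real telemetry; the field names in them are assumptions.

```python
"""IoC watchlist matcher: checks log lines against the file hashes and IPs
published for this threat, as a starting point for the threat-hunting step."""
import ipaddress
import re

# Subset of the indicators listed on this page; extend with the full list.
IOC_HASHES = {
    "063770f7e7eb52d83c97aa63c0a6f8a6",
    "100454b6ae298627606d54d2427524c2",
    "fbe5631d6371650d9885c21a66bf63aa8600670e",
    "a8a764bef0de71c9b352b5cab89eeeda45f4b431b981b2316d20d67ee6cedcae",
}
IOC_IPS = {"194.87.31.171", "45.43.91.10", "96.30.124.103"}

# Match 64/40/32-character hex runs (SHA-256/SHA-1/MD5) and dotted-quad IPs.
# Longest alternative first so a SHA-256 is never split into shorter tokens.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_kind(digest):
    """Classify a hex digest by its length so hits can be labelled."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")


def match_line(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = []
    for digest in HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:          # case-insensitive compare
            hits.append((hash_kind(digest), digest.lower()))
    for candidate in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue                               # e.g. 999.87.31.171 is not an address
        if str(addr) in IOC_IPS:
            hits.append(("ip", str(addr)))
    return hits


def scan(lines):
    """Scan an iterable of log lines; return one dict per hit with its line number."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value in match_line(line):
            findings.append({"line": line_no, "type": kind, "value": value, "log": line})
    return findings


# Constructed sample log lines (proxy and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2025-08-12T10:02:11Z proxy src=10.0.5.23 dst=194.87.31.171 dport=443 action=allow",
    "2025-08-12T10:02:15Z proxy src=10.0.5.23 dst=203.0.113.9 dport=443 action=allow",
    "2025-08-12T10:05:40Z edr host=WS-17 event=file_create sha256=A8A764BEF0DE71C9B352B5CAB89EEEDA45F4B431B981B2316D20D67EE6CEDCAE",
    "2025-08-12T10:06:01Z edr host=WS-17 event=process_start md5=063770f7e7eb52d83c97aa63c0a6f8a6",
    "2025-08-12T10:07:30Z edr host=WS-02 event=process_start md5=d41d8cd98f00b204e9800998ecf8427e",
    "2025-08-12T10:08:02Z proxy src=10.0.5.40 dst=999.87.31.171 dport=80 action=deny",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

Run against the constructed sample it reports three hits: the outbound connection to 194.87.31.171, the SHA-256 file-create event (matched despite its upper-case digest), and the MD5 process-start event. The unmatched lines show the two deliberate non-hits: a well-known benign digest and a malformed destination address that the regex picks up but `ipaddress` rejects. Exact-match IoC checks like this are a floor, not a ceiling; the relay-through-compromised-websites behaviour the page describes will not appear in a static list, so pair this with the anomaly-based network monitoring from recommendation 4.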
Affected Countries
Georgia, Moldova, Ukraine, Poland, Romania, Lithuania, Latvia, Estonia
Indicators of Compromise
- hash: 063770f7e7eb52d83c97aa63c0a6f8a6
- hash: 100454b6ae298627606d54d2427524c2
- hash: 11ee26e1fa93d7c31197d8d28509df59
- hash: 171f097c66ee0c6a69dde5da994ed8a7
- hash: 23f7fb65686671e0b0bbc2ae9abec626
- hash: 27f97ee371bb31238b9f945bdc4ccf65
- hash: 2d007c5bd0b84ca9c9b4c6b4c17bd997
- hash: 2f6bc7f137c689add399402e485aa604
- hash: 2faa07a3babbe6e46107468e5b1d0b85
- hash: 44a57a7c388af4d96771ab23e85b7f1e
- hash: 465015009fa6d66a52cc670e2941edcd
- hash: 4eedc056f970fce35e425f4cc80c1fc6
- hash: 595ccc44bc6be7fb3f1eb98b724b0de0
- hash: 5a8ff502d94fe51ba84e4c0627d43791
- hash: 5d3e3160e8ce03661150451e4a2ef5e0
- hash: 5ed6b17103b231e9ff2abda1094083e3
- hash: 65dca8f16286c2e1fd7bf5ed52796c54
- hash: 68f7a7c642ab9a58b42af4416052caa8
- hash: 6d08bab1d4418db2a0b28d6d125181ac
- hash: 6fc8f7e528c272c957ae4e2548c3aad3
- hash: 7fd5258b5056a46340e28463feb2a956
- hash: 8a95da943b4d02a01b61e5b422338b81
- hash: 90c0fb97727c73c7b260a13ae5e01ad4
- hash: 9f42bd90075e8a51b46af9315d11a1c7
- hash: 9fcbcf340267782dcf99e4d4995954be
- hash: a7da2adf356a9055c3e827a22f817405
- hash: af490e6e66d30e6c14e48ba968f50edf
- hash: b55e8e1d84d03ffe885e63a53a9acc7d
- hash: b5e61b541d09bd198a0f628f7d91e001
- hash: b9c99f411f7b23d50a8311ce85820353
- hash: c1cdca4f765f38675a4c4dfc5e5f7e59
- hash: c1ee06aec2a8ba13d61f443ec531fda9
- hash: ccc79a123413544c916de995e3876bbd
- hash: cdf7e3e4f881e9a59edf779d408b88e8
- hash: d743a064f05b6b4041bdf22eac778f21
- hash: d92dfa7ed017f878c5eebfaedc1fbeaa
- hash: dd253f7403644cfa09d8e42a7120180d
- hash: e262c1606ee3db38eb80158f624eeda8
- hash: e9ef648f689e1ccaae5507500e7f9ecf
- hash: ed71945940182f5b249542bfcc5df2f8
- hash: ff14ba2e10a6c1d183fab730b0acaeb3
- hash: fbe5631d6371650d9885c21a66bf63aa8600670e
- hash: a8a764bef0de71c9b352b5cab89eeeda45f4b431b981b2316d20d67ee6cedcae
- ip: 194.87.31.171
- ip: 45.43.91.10
- ip: 96.30.124.103
Technical Details
- Author: AlienVault
- TLP: white
- References: https://businessinsights.bitdefender.com/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds
- Adversary: Curly COMrades
- Pulse Id: 689b565c2e425682d6ad72ef
- Threat Score: null
Threat ID: 689b692cad5a09ad00343c2e
Added to database: 8/12/2025, 4:17:48 PM
Last enriched: 8/12/2025, 4:34:43 PM
Last updated: 8/18/2025, 7:34:41 PM