A New Threat Actor Targeting Geopolitical Hotbeds

Medium
Published: Tue Aug 12 2025 (08/12/2025, 14:57:32 UTC)
Source: AlienVault OTX General

Description

Bitdefender Labs has uncovered a new threat actor group named Curly COMrades, operating since mid-2024 to support Russian interests. The group targets critical organizations in countries experiencing geopolitical shifts, focusing on judicial and government bodies in Georgia and an energy distribution company in Moldova. Their primary objective is to maintain long-term network access and steal credentials. The attackers use proxy tools like Resocks, SSH, and Stunnel to establish multiple entry points, and deploy a new backdoor called MucorAgent. They also utilize compromised legitimate websites as traffic relays to complicate detection. The group's tactics include credential theft, lateral movement, and data exfiltration, employing both custom and open-source tools.

AI-Powered Analysis

Last updated: 08/12/2025, 16:34:43 UTC

Technical Analysis

The Curly COMrades threat actor group, identified by Bitdefender Labs in mid-2024, is a state-aligned cyber espionage entity supporting Russian geopolitical interests. Their operations focus on critical infrastructure and government institutions in regions undergoing geopolitical tension, specifically targeting judicial and governmental bodies in Georgia and an energy distribution company in Moldova. The group’s primary goal is to maintain persistent, long-term access to victim networks to conduct credential theft, lateral movement, and data exfiltration. They employ a sophisticated toolkit combining custom malware and open-source tools. A notable component is their proprietary backdoor named MucorAgent, which facilitates stealthy remote access. To evade detection and complicate attribution, Curly COMrades leverage proxy tools such as Resocks, SSH tunnels, and Stunnel, establishing multiple redundant entry points. Additionally, they exploit compromised legitimate websites as traffic relays, masking command and control communications within legitimate network traffic. Their tactics include credential dumping (T1003), lateral movement (T1021), process injection (T1055), and hijacking CLSID entries (T1212), among others, reflecting a mature and multi-faceted attack methodology. The absence of known exploits in the wild suggests targeted, selective operations rather than broad campaigns. Overall, Curly COMrades represent a persistent threat actor with capabilities tailored for espionage and network persistence in geopolitically sensitive environments.

Potential Impact

For European organizations, especially those in Eastern Europe and the Caucasus region, the Curly COMrades threat poses significant risks. The targeting of judicial and governmental bodies in Georgia and critical energy infrastructure in Moldova indicates a focus on destabilizing governance and energy supply chains, which could have cascading effects on regional stability and security. Credential theft and lateral movement capabilities enable the attackers to compromise additional systems, potentially leading to unauthorized access to sensitive data, disruption of critical services, and undermining trust in public institutions. The use of proxy tools and compromised legitimate websites complicates detection and incident response, increasing the likelihood of prolonged undetected intrusions. European organizations involved in energy distribution, government administration, or judicial functions, particularly those with connections or operational overlap with Georgian or Moldovan entities, may face indirect exposure or collateral risk. Furthermore, the geopolitical context heightens the threat of espionage and sabotage activities that could impact national security and critical infrastructure resilience within the European Union and neighboring states.

Mitigation Recommendations

To mitigate the Curly COMrades threat, European organizations should implement a multi-layered defense strategy tailored to advanced persistent threats (APTs). Specific recommendations include:

1) Enhance network segmentation and enforce strict access controls to limit lateral movement opportunities within networks.
2) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with credential dumping, process injection, and backdoor activity, including monitoring for unusual use of proxy tools like Resocks, SSH tunnels, and Stunnel.
3) Conduct regular credential hygiene practices, including enforcing multi-factor authentication (MFA) for all privileged accounts and frequent password rotations to reduce the impact of credential theft.
4) Monitor network traffic for anomalies, especially outbound connections to suspicious or compromised legitimate websites used as traffic relays, employing threat intelligence feeds to identify known malicious domains.
5) Implement threat hunting exercises focused on detecting indicators of compromise related to MucorAgent and associated TTPs (tactics, techniques, and procedures).
6) Maintain up-to-date inventories of critical assets and conduct regular vulnerability assessments to identify and remediate potential entry points.
7) Foster information sharing with national cybersecurity centers and regional CERTs to stay informed about emerging threats and coordinated response efforts.
8) Train staff on social engineering risks and phishing awareness, as initial access vectors often exploit human factors.
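The threat-hunting and traffic-monitoring steps above amount to matching the pulse's hash and IP indicators against endpoint and proxy telemetry. The following is an added example, not code from the OTX pulse or from Bitdefender's report: it takes a subset of the IoC values listed further down this page, classifies each by type (MD5, SHA-1, SHA-256 or IPv4 from its shape), and scans a handful of constructed EDR/proxy log lines for exact matches. The log format, hostnames and the non-indicator addresses are invented for the example. Matching is case-insensitive for hashes and bounded for IPs, so that 45.43.91.10 does not fire on 45.43.91.100.

```python
import re
from typing import Dict, List, Tuple

# IoC values copied from this page's "Indicators of Compromise" section
# (a subset; the full list is on the page).
IOC_VALUES = [
    "063770f7e7eb52d83c97aa63c0a6f8a6",                                   # MD5
    "fbe5631d6371650d9885c21a66bf63aa8600670e",                           # SHA-1
    "a8a764bef0de71c9b352b5cab89eeeda45f4b431b981b2316d20d67ee6cedcae",   # SHA-256
    "194.87.31.171",
    "45.43.91.10",
    "96.30.124.103",
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_ioc(value: str) -> str:
    """Derive the indicator type from its shape: dotted quad or hex digest length."""
    v = value.strip().lower()
    if IPV4_RE.match(v) and all(0 <= int(octet) <= 255 for octet in v.split(".")):
        return "ipv4"
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    raise ValueError(f"unrecognised IoC value: {value!r}")


def build_index(values: List[str]) -> Dict[str, str]:
    """Normalised indicator -> type, for O(1) lookups while scanning."""
    return {v.strip().lower(): classify_ioc(v) for v in values}


# Candidate tokens in a log line: a hex run of digest length that is not part of a
# longer hex run, or a dotted quad that is not a fragment of a longer address.
TOKEN_RE = re.compile(
    r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,64}(?![0-9a-fA-F])"
    r"|(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)"
)


def scan_log(lines: List[str], index: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, indicator) for every IoC hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in TOKEN_RE.findall(line):
            key = token.lower()
            if key in index:
                hits.append((lineno, index[key], key))
    return hits


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per indicator type, e.g. for a hunt report."""
    counts: Dict[str, int] = {}
    for _, ioc_type, _ in hits:
        counts[ioc_type] = counts.get(ioc_type, 0) + 1
    return counts


# Constructed sample telemetry (hosts, paths and the 45.43.91.100 / 10.0.0.12
# addresses are invented; the digests and 45.43.91.10 are from the page).
SAMPLE_LOG = [
    "2025-08-12T10:01:07Z edr host=ws-14 event=process_create "
    "sha256=A8A764BEF0DE71C9B352B5CAB89EEEDA45F4B431B981B2316D20D67EE6CEDCAE path=C:\\Users\\Public\\svc.exe",
    "2025-08-12T10:01:09Z proxy host=ws-14 dst=45.43.91.100:443 action=allow",
    "2025-08-12T10:01:11Z proxy host=ws-14 dst=45.43.91.10:443 action=allow",
    "2025-08-12T10:02:30Z edr host=ws-22 event=file_write md5=063770f7e7eb52d83c97aa63c0a6f8a6 path=C:\\Windows\\Temp\\a.dll",
    "2025-08-12T10:03:00Z proxy host=ws-22 dst=10.0.0.12:22 action=allow",
]

if __name__ == "__main__":
    index = build_index(IOC_VALUES)
    for lineno, ioc_type, value in scan_log(SAMPLE_LOG, index):
        print(f"line {lineno}: {ioc_type} match {value}")
    print(summarize(scan_log(SAMPLE_LOG, index)))
```

Line 2 of the sample deliberately contains a longer address that shares a prefix with a listed IP; the bounded regex keeps it from producing a false positive, which is the usual pitfall of naive substring matching on IoC feeds. Hash matching ignores case because EDR products differ in how they render digests.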

Technical Details

Author: AlienVault
TLP: WHITE
References: https://businessinsights.bitdefender.com/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds
Adversary: Curly COMrades
Pulse Id: 689b565c2e425682d6ad72ef
Threat Score: null

Indicators of Compromise

Hash

Value  Type
063770f7e7eb52d83c97aa63c0a6f8a6  MD5
100454b6ae298627606d54d2427524c2  MD5
11ee26e1fa93d7c31197d8d28509df59  MD5
171f097c66ee0c6a69dde5da994ed8a7  MD5
23f7fb65686671e0b0bbc2ae9abec626  MD5
27f97ee371bb31238b9f945bdc4ccf65  MD5
2d007c5bd0b84ca9c9b4c6b4c17bd997  MD5
2f6bc7f137c689add399402e485aa604  MD5
2faa07a3babbe6e46107468e5b1d0b85  MD5
44a57a7c388af4d96771ab23e85b7f1e  MD5
465015009fa6d66a52cc670e2941edcd  MD5
4eedc056f970fce35e425f4cc80c1fc6  MD5
595ccc44bc6be7fb3f1eb98b724b0de0  MD5
5a8ff502d94fe51ba84e4c0627d43791  MD5
5d3e3160e8ce03661150451e4a2ef5e0  MD5
5ed6b17103b231e9ff2abda1094083e3  MD5
65dca8f16286c2e1fd7bf5ed52796c54  MD5
68f7a7c642ab9a58b42af4416052caa8  MD5
6d08bab1d4418db2a0b28d6d125181ac  MD5
6fc8f7e528c272c957ae4e2548c3aad3  MD5
7fd5258b5056a46340e28463feb2a956  MD5
8a95da943b4d02a01b61e5b422338b81  MD5
90c0fb97727c73c7b260a13ae5e01ad4  MD5
9f42bd90075e8a51b46af9315d11a1c7  MD5
9fcbcf340267782dcf99e4d4995954be  MD5
a7da2adf356a9055c3e827a22f817405  MD5
af490e6e66d30e6c14e48ba968f50edf  MD5
b55e8e1d84d03ffe885e63a53a9acc7d  MD5
b5e61b541d09bd198a0f628f7d91e001  MD5
b9c99f411f7b23d50a8311ce85820353  MD5
c1cdca4f765f38675a4c4dfc5e5f7e59  MD5
c1ee06aec2a8ba13d61f443ec531fda9  MD5
ccc79a123413544c916de995e3876bbd  MD5
cdf7e3e4f881e9a59edf779d408b88e8  MD5
d743a064f05b6b4041bdf22eac778f21  MD5
d92dfa7ed017f878c5eebfaedc1fbeaa  MD5
dd253f7403644cfa09d8e42a7120180d  MD5
e262c1606ee3db38eb80158f624eeda8  MD5
e9ef648f689e1ccaae5507500e7f9ecf  MD5
ed71945940182f5b249542bfcc5df2f8  MD5
ff14ba2e10a6c1d183fab730b0acaeb3  MD5
fbe5631d6371650d9885c21a66bf63aa8600670e  SHA-1
a8a764bef0de71c9b352b5cab89eeeda45f4b431b981b2316d20d67ee6cedcae  SHA-256

IP

Value  Type
194.87.31.171  IPv4
45.43.91.10  IPv4
96.30.124.103  IPv4

Threat ID: 689b692cad5a09ad00343c2e

Added to database: 8/12/2025, 4:17:48 PM

Last enriched: 8/12/2025, 4:34:43 PM

Last updated: 8/16/2025, 8:16:44 PM