The Curly COMrades threat actor group, identified by Bitdefender Labs in mid-2024, is a state-aligned cyber espionage entity supporting Russian geopolitical interests. Their operations focus on critical infrastructure and government institutions in regions undergoing geopolitical tension, specifically targeting judicial and governmental bodies in Georgia and an energy distribution company in Moldova. The group’s primary goal is to maintain persistent, long-term access to victim networks to conduct credential theft, lateral movement, and data exfiltration. They employ a sophisticated toolkit combining custom malware and open-source tools. A notable component is their proprietary backdoor named MucorAgent, which facilitates stealthy remote access. To evade detection and complicate attribution, Curly COMrades leverage proxy tools such as Resocks, SSH tunnels, and Stunnel, establishing multiple redundant entry points. Additionally, they exploit compromised legitimate websites as traffic relays, masking command and control communications within legitimate network traffic. Their tactics include credential dumping (T1003), lateral movement (T1021), process injection (T1055), and hijacking CLSID entries (T1212), among others, reflecting a mature and multi-faceted attack methodology. The absence of known exploits in the wild suggests targeted, selective operations rather than broad campaigns. Overall, Curly COMrades represent a persistent threat actor with capabilities tailored for espionage and network persistence in geopolitically sensitive environments.

For European organizations, especially those in Eastern Europe and the Caucasus region, the Curly COMrades threat poses significant risks. The targeting of judicial and governmental bodies in Georgia and critical energy infrastructure in Moldova indicates a focus on destabilizing governance and energy supply chains, which could have cascading effects on regional stability and security. Credential theft and lateral movement capabilities enable the attackers to compromise additional systems, potentially leading to unauthorized access to sensitive data, disruption of critical services, and undermining trust in public institutions. The use of proxy tools and compromised legitimate websites complicates detection and incident response, increasing the likelihood of prolonged undetected intrusions. European organizations involved in energy distribution, government administration, or judicial functions, particularly those with connections or operational overlap with Georgian or Moldovan entities, may face indirect exposure or collateral risk. Furthermore, the geopolitical context heightens the threat of espionage and sabotage activities that could impact national security and critical infrastructure resilience within the European Union and neighboring states.

To mitigate the Curly COMrades threat, European organizations should implement a multi-layered defense strategy tailored to advanced persistent threats (APTs). Specific recommendations include: 1) Enhance network segmentation and enforce strict access controls to limit lateral movement opportunities within networks. 2) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with credential dumping, process injection, and backdoor activity, including monitoring for unusual use of proxy tools like Resocks, SSH tunnels, and Stunnel. 3) Conduct regular credential hygiene practices, including enforcing multi-factor authentication (MFA) for all privileged accounts and frequent password rotations to reduce the impact of credential theft. 4) Monitor network traffic for anomalies, especially outbound connections to suspicious or compromised legitimate websites used as traffic relays, employing threat intelligence feeds to identify known malicious domains. 5) Implement threat hunting exercises focused on detecting indicators of compromise related to MucorAgent and associated TTPs (tactics, techniques, and procedures). 6) Maintain up-to-date inventories of critical assets and conduct regular vulnerability assessments to identify and remediate potential entry points. 7) Foster information sharing with national cybersecurity centers and regional CERTs to stay informed about emerging threats and coordinated response efforts. 8) Train staff on social engineering risks and phishing awareness, as initial access vectors often exploit human factors.