A New Threat Actor Targeting Geopolitical Hotbeds
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Bitdefender Labs has uncovered a new threat actor group named Curly COMrades, operating since mid-2024 to support Russian interests. The group targets critical organizations in countries experiencing geopolitical shifts, focusing on judicial and government bodies in Georgia and an energy distribution company in Moldova. Their primary objective is to maintain long-term network access and steal credentials. The attackers use proxy tools like Resocks, SSH, and Stunnel to establish multiple entry points, and deploy a new backdoor called MucorAgent. They also utilize compromised legitimate websites as traffic relays to complicate detection. The group's tactics include credential theft, lateral movement, and data exfiltration, employing both custom and open-source tools.
OPENCTI LABELS:
backdoor,lateral movement,russia,credential theft,geopolitical,georgia,moldova,resocks,clsid hijacking,mucoragent,proxy tools
AI COMMENTARY:
1. Introduction: In mid-2024, Bitdefender Labs uncovered a previously unknown threat actor dubbed Curly COMrades, whose operations appear tightly aligned with Russian strategic interests. This group has swiftly emerged as a formidable adversary by focusing its efforts on critical infrastructure and government institutions in regions currently experiencing acute geopolitical pressures. By deliberately targeting nations like Georgia and Moldova, Curly COMrades demonstrates a sophisticated understanding of both the political landscape and the high-value assets that underpin regional stability. Their activity underscores a growing trend in modern cyber warfare where state-aligned actors seek to influence or destabilize global affairs through cyber means.
2. The Rise of Curly COMrades: Evidence suggests Curly COMrades has been active since mid-2024, leveraging its technical prowess to maintain persistent footholds within networks of judicial and governmental bodies. This emergence coincides with heightened tensions across geopolitical hotbeds, signaling a potential correlation between on-the-ground conflicts and remote cyber campaigns. By openly supporting Russian objectives, the group crafts a digital extension of geopolitical strategy. Researchers have observed a marked increase in probing activities against Georgian court systems and Moldova’s energy sector, indicating a targeted reconnaissance phase that paves the way for deeper infiltration and long-term presence.
3. Target Profile and Strategic Objectives: Curly COMrades selects targets with clear strategic value. In Georgia, the group focuses on judicial and government organizations to gather sensitive legal data and possibly influence decision-making processes. In Moldova, a critical energy distribution company has become the primary victim, raising concerns about potential sabotage, extortion or public disruption. The overarching goal of these operations is twofold: to secure long-term access through multiple backdoors and to harvest credentials that can later be weaponized for lateral movement or sold on underground markets. By sustaining network presence over months or even years, Curly COMrades can escalate the impact of its espionage or sabotage activities down the line.
4. Tactics, Techniques, and Tools: A hallmark of Curly COMrades operations is its use of diverse proxy tools such as Resocks, SSH, and Stunnel to mask traffic and create multiple redundant entry points. These tools are complemented by a newly identified backdoor named MucorAgent, which grants the attackers stealthy command-and-control capabilities. In addition to custom malware, Curly COMrades repurposes compromised legitimate websites as unwitting traffic relays. This CLSID hijacking tactic not only complicates attribution but also frustrates defenders by blending malicious activity with normal web traffic. The combination of custom-developed implants and open-source utilities exemplifies a hybrid approach that maximizes operational flexibility.
5. Attack Lifecycle: The typical Curly COMrades campaign begins with reconnaissance and spear-phishing to obtain initial credentials. Once inside, the group carries out credential theft at scale, deploying password-stealing scripts and harvesting tokens. With legitimate credentials in hand, the attackers move laterally across networks, escalating privileges until they reach their high-value targets. Data exfiltration follows, often executed through encrypted proxy channels to evade detection. By lingering in the network for weeks or months, Curly COMrades ensures that it can revisit compromised systems at will, expanding its access points and adapting its methods in response to defensive measures.
6. Implications for Security and Mitigation Strategies: The activities of Curly COMrades highlight the urgent need for organizations in geopolitical hotspots to adopt a layered defense posture. Continuous network monitoring, robust credential hygiene including multi-factor authentication, and strict proxy usage policies are essential to thwarting similar adversaries. Regular threat hunting exercises can uncover suspicious proxy chains, while timely patch management reduces the risk of CLSID hijacking. Most importantly, fostering collaboration between private cybersecurity firms and government agencies will accelerate threat intelligence sharing, enabling a coordinated response to nation-aligned threat actors. Only by understanding groups like Curly COMrades in both technical and strategic contexts can defenders hope to protect critical infrastructure from the next wave of geopolitical cyber offensives.
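One concrete hunting check for the CLSID hijacking listed among this report's labels is to review per-user COM registrations: entries under HKCU\Software\Classes\CLSID take precedence over the machine-wide HKLM registrations, so a server path pointing into a user-writable location (a user profile, ProgramData, a temp directory) is a common indicator that a COM class has been redirected. The script below is an added example, not code from Bitdefender or from the report; it parses a constructed .reg-style export (the CLSIDs and paths are placeholders, not indicators from the report) and flags suspicious server registrations. The path heuristics and the helper names (parse_clsid_servers, is_user_writable, find_suspicious) are this example's own assumptions.

```python
"""
Flag possible CLSID (COM object) hijacking in a per-user registry export.

Added example, not from the Bitdefender report. It reads a .reg-style text
export of HKCU\Software\Classes\CLSID and reports InprocServer32 /
LocalServer32 entries whose server binary lives in a user-writable path.
"""
import re
from dataclasses import dataclass

# Constructed sample export. CLSIDs and paths are placeholders, not IoCs.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Update\\agent.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\LocalServer32]
@="C:\\ProgramData\\Cache\\helper.exe /embedding"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000004}]
@="Harmless ProgID only"
"""

# Only the server subkeys of a per-user CLSID are of interest.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]+\})\\(InprocServer32|LocalServer32)\]$"
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Heuristic markers for locations a standard user can write to (assumption).
USER_WRITABLE_MARKERS = (
    "\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\temp\\", "\\tmp\\",
    "%appdata%", "%localappdata%", "%temp%", "%userprofile%",
)


@dataclass
class ServerEntry:
    clsid: str
    server_type: str  # "InprocServer32" (DLL) or "LocalServer32" (EXE)
    path: str


def _clean_path(raw: str) -> str:
    """Undo .reg escaping and strip command-line arguments from a server value."""
    value = raw.replace("\\\\", "\\").strip()
    if value.startswith('"'):            # quoted path, possibly followed by args
        return value[1:].split('"', 1)[0]
    return value.split(" /", 1)[0].split(" -", 1)[0]


def parse_clsid_servers(reg_text: str) -> list[ServerEntry]:
    """Return every per-user CLSID server registration found in the export."""
    entries: list[ServerEntry] = []
    current: tuple[str, str] | None = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = (key_match.group(1), key_match.group(2))
            continue
        if line.startswith("["):          # some other key: stop collecting
            current = None
            continue
        value_match = DEFAULT_VALUE_RE.match(line)
        if current and value_match:
            entries.append(ServerEntry(current[0], current[1], _clean_path(value_match.group(1))))
            current = None
    return entries


def is_user_writable(path: str) -> bool:
    """Heuristic: true if the path is relative or sits under a user-writable tree."""
    lowered = path.lower()
    if ":\\" not in lowered and not lowered.startswith("%"):
        return True                        # bare or relative name resolved by search order
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def find_suspicious(reg_text: str) -> list[ServerEntry]:
    """Entries whose COM server binary lives somewhere a normal user could replace it."""
    return [e for e in parse_clsid_servers(reg_text) if is_user_writable(e.path)]


if __name__ == "__main__":
    for entry in find_suspicious(SAMPLE_REG_EXPORT):
        print(f"SUSPICIOUS {entry.clsid} {entry.server_type} -> {entry.path}")
```

On a live host the same logic applies to an export taken with `reg export HKCU\Software\Classes\CLSID out.reg`; each flagged CLSID should then be compared with its HKLM counterpart and the referenced binary hashed and checked before any remediation.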