Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe

A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data.

A new hacking group with ties to Russia has been identified by cybersecurity researchers at Bitdefender. The group, dubbed Curly COMrades, is actively targeting countries in Eastern Europe that are experiencing geopolitical tensions.

According to Bitdefender’s investigation, shared with Hackread.com ahead of its publication, the attacks began in mid-2024. The group’s targets include government bodies and an energy distribution company in Eastern Europe, specifically in Georgia and Moldova, where geopolitical tensions are high. The main goal of these hackers is to spy on their targets and steal sensitive information.

Curly COMrades uses advanced techniques to stay hidden and maintain long-term access to its victims’ networks. One of its key tools is a new backdoor called MucorAgent. What makes this malware particularly clever is how it persists on a compromised computer. The hackers found a way to hijack a built-in Windows component called NGEN (the .NET Native Image Generator), which normally precompiles .NET applications so they start faster.

By hijacking a dormant scheduled task that belongs to NGEN, the hackers can have their malware relaunched at unpredictable moments, such as when the computer is idle or a new program is installed. Because there is no fixed schedule to look for, this persistence method is much harder for security teams to detect and remove. Researchers noted that this technique, CLSID hijacking in conjunction with NGEN, is “unprecedented in our observations.”
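As an added example (not code from the article or from Bitdefender’s report), here is a defender-side PowerShell audit of the NGEN scheduled tasks described above: it reads each task’s COM-handler CLSID and checks where that CLSID resolves in the registry. The task path and registry layout are standard Windows; the flagging heuristic (a per-user registration, or a DLL outside the Windows directory) is this script’s own assumption about what a hijack looks like.

```powershell
# Added example, not code from the article or from Bitdefender's report.
# Audits the built-in NGEN scheduled tasks: for each COM-handler action it
# resolves the handler CLSID in both registry hives and flags entries that are
# registered per-user or point outside the Windows directory. Task path and
# registry layout are standard Windows; the flagging heuristic is an assumption.

$taskPath = '\Microsoft\Windows\.NET Framework\'
$taskNs   = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
$findings = @()

foreach ($task in (Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue)) {
    # A task definition is XML; COM-handler actions carry a <ClassId> element.
    [xml]$xml = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace('t', $taskNs)

    foreach ($node in $xml.SelectNodes('//t:Actions/t:ComHandler/t:ClassId', $nsm)) {
        $clsid = $node.InnerText
        foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
            # A per-user (HKCU) registration shadows the machine-wide one for that
            # user, which is the usual shape of a CLSID hijack.
            $key = Get-ItemProperty "$hive\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables([string]$key.'(default)')
            $findings += [pscustomobject]@{
                Task       = $task.TaskName
                State      = $task.State      # a Disabled task is the "dormant" case
                Clsid      = $clsid
                Hive       = $hive.Split(':')[0]
                Dll        = $dll
                Suspicious = ($hive -like 'HKCU*') -or ($dll -notlike "$env:SystemRoot\*")
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No COM-handler actions found under the NGEN task path.'
} else {
    $findings | Sort-Object Task, Hive | Format-Table -AutoSize
}
```

Run it in an elevated session so that machine-wide task definitions are readable; a `Suspicious` row is a lead to investigate, not proof of compromise on its own.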

The group also uses proxy tools such as Resocks and Stunnel to tunnel its traffic, and credential-theft techniques such as Mimikatz and DCSync to steal passwords and other credentials. Routing traffic through these proxies helps the group blend in with normal internet activity, bypassing many security controls.

In short, Curly COMrades gains access to a network, sets up a covert pathway using tools like Resocks and Stunnel, and installs the MucorAgent malware. The malware abuses NGEN by hijacking a dormant task, so it reappears even after an apparent removal. The hackers use compromised websites as decoys to send the stolen information back to their servers, making the traffic difficult to trace.

Source: Bitdefender

In their technical report, Bitdefender explained that the group’s name, Curly COMrades, comes from the hackers’ heavy use of the “curl.exe” tool and their focus on hijacking COM objects. Researchers chose the name to avoid giving threat actors “cool” or “fancy” names, as is the current trend within the cybersecurity community, arguing that it can inadvertently glorify them. They believe that by choosing a less flattering name, they can “de-glamorize cybercrime, stripping away any perception of sophistication or mystique.”
