Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds

    Date: 08/20/2025

    Severity: Medium

    Summary

    A newly identified threat actor group, Curly COMrades, is targeting critical organizations in geopolitically sensitive regions, including government bodies in Georgia and an energy company in Moldova. Believed to support Russian interests, the group aims to maintain long-term access, steal credentials, and exfiltrate data. Their tooling includes NTDS extraction, LSASS memory dumping, and a custom backdoor, MucorAgent, which abuses the Windows Native Image Generator (NGEN) for covert persistence. Their operations are further concealed through proxy tools and compromised legitimate websites used as command-and-control relays.

    Indicators of Compromise (IOC) List

    IP Address

    75.127.13.136 

    207.180.194.109 

    91.107.174.190  

    96.30.124.103 

    45.43.91.10 

    194.87.31.171 

    Hash (MD5; the full list is carried in Detection Query 2 below)

    Filenames

    c:\programdata\1.bat 

    c:\programdata\ca.exe 

    c:\programdata\ch_prm.bat 

    c:\programdata\curl.taskhandler.xml 

    c:\programdata\de434264-8fe9-4c0b-a83b-89ebeebff78e.reg  

    c:\programdata\documents.bat 

    c:\programdata\drm.exe 

    c:\programdata\getfolder.bat 

    c:\programdata\h.ps1 

    c:\programdata\list_ad.bat 

    c:\programdata\microsoft\devicesync\sync.conf 

    c:\programdata\oracle\java\java.exe 

    c:\programdata\q.bat 

    c:\programdata\r.ps1 

    c:\programdata\rar.bat 

    c:\programdata\reg_1.ps1 

    c:\programdata\reg.ps1 

    c:\programdata\rs.exe 

    c:\programdata\run.bat 

    c:\programdata\kb_upd.ps1 

    c:\programdata\samsung\printer\service.conf 

    c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\icon.png 

    c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\image 

    c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\index.png

    c:\programdata\microsoft\uev\templates\settingslocationtemplate2013c.xsd

    Scheduled Tasks 

    \microsoft\windows\devicedirectoryclient\registerdevicesusb 

    \microsoft\windows\devicedirectoryclient\registerdeviceprotectionusb 

    javaupdate  

    \mozilla\browser.visualupdate 

    microsoftedgeupdatetaskmachine 

    microsoftt  

    \microsoft\windows\updateorchestrator\check_ac 

    backup 

    Windows Services

    oraclejavasvc  

    msedgesvc

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("45.43.91.10","96.30.124.103","91.107.174.190","207.180.194.109","194.87.31.171","75.127.13.136") or srcipaddress IN ("45.43.91.10","96.30.124.103","91.107.174.190","207.180.194.109","194.87.31.171","75.127.13.136")

    Detection Query 2:

    md5hash IN ("44a57a7c388af4d96771ab23e85b7f1e","2f6bc7f137c689add399402e485aa604","2d007c5bd0b84ca9c9b4c6b4c17bd997","e5a7d0df12094e9db90242092891b10e","5ed6b17103b231e9ff2abda1094083e3","b55e8e1d84d03ffe885e63a53a9acc7d","dd253f7403644cfa09d8e42a7120180d","e9ef648f689e1ccaae5507500e7f9ecf","ccc79a123413544c916de995e3876bbd","c1ee06aec2a8ba13d61f443ec531fda9","44a57a7c388af4d96771ab23e85b7f1e","5a8ff502d94fe51ba84e4c0627d43791","c1cdca4f765f38675a4c4dfc5e5f7e59","b5e61b541d09bd198a0f628f7d91e001","11ee26e1fa93d7c31197d8d28509df59","ff14ba2e10a6c1d183fab730b0acaeb3","e262c1606ee3db38eb80158f624eeda8","9f42bd90075e8a51b46af9315d11a1c7","dc40b5c914e5f41a6b4bc19831c88892","7fd5258b5056a46340e28463feb2a956","dc40b5c914e5f41a6b4bc19831c88892","dc40b5c914e5f41a6b4bc19831c88892","2faa07a3babbe6e46107468e5b1d0b85","23f7fb65686671e0b0bbc2ae9abec626","27f97ee371bb31238b9f945bdc4ccf65","6d08bab1d4418db2a0b28d6d125181ac","65dca8f16286c2e1fd7bf5ed52796c54","dc40b5c914e5f41a6b4bc19831c88892","dc40b5c914e5f41a6b4bc19831c88892","595ccc44bc6be7fb3f1eb98b724b0de0","6fc8f7e528c272c957ae4e2548c3aad3","8a95da943b4d02a01b61e5b422338b81","cdf7e3e4f881e9a59edf779d408b88e8","5d3e3160e8ce03661150451e4a2ef5e0","171f097c66ee0c6a69dde5da994ed8a7","100454b6ae298627606d54d2427524c2","465015009fa6d66a52cc670e2941edcd","d92dfa7ed017f878c5eebfaedc1fbeaa","ed71945940182f5b249542bfcc5df2f8","90c0fb97727c73c7b260a13ae5e01ad4","9fcbcf340267782dcf99e4d4995954be","4eedc056f970fce35e425f4cc80c1fc6","a7da2adf356a9055c3e827a22f817405","af490e6e66d30e6c14e48ba968f50edf","b9c99f411f7b23d50a8311ce85820353","d743a064f05b6b4041bdf22eac778f21","68f7a7c642ab9a58b42af4416052caa8","00d6a804da6a61292bceb123942117d5","ff14ba2e10a6c1d183fab730b0acaeb3")

    Detection Query 3:

    (resourcename = "Windows Security"  AND eventtype = "4663") AND filename IN ("c:\programdata\1.bat","c:\programdata\ca.exe","c:\programdata\ch_prm.bat","c:\programdata\curl.taskhandler.xml","c:\programdata\de434264-8fe9-4c0b-a83b-89ebeebff78e.reg","c:\programdata\documents.bat","c:\programdata\drm.exe","c:\programdata\getfolder.bat","c:\programdata\h.ps1","c:\programdata\list_ad.bat","c:\programdata\microsoft\devicesync\sync.conf","c:\programdata\oracle\java\java.exe","c:\programdata\q.bat","c:\programdata\r.ps1","c:\programdata\rar.bat","c:\programdata\reg_1.ps1","c:\programdata\reg_1.ps1","c:\programdata\reg.ps1","c:\programdata\rs.exe","c:\programdata\run.bat","c:\programdata\kb_upd.ps1","c:\programdata\samsung\printer\service.conf","c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\icon.png","c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\image","c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\index.png","c:\programdata\microsoft\uev\templates\settingslocationtemplate2013c.xsd")

    Detection Query 4:

    (technologygroup = "EDR") AND filename IN ("c:\programdata\1.bat","c:\programdata\ca.exe","c:\programdata\ch_prm.bat","c:\programdata\curl.taskhandler.xml","c:\programdata\de434264-8fe9-4c0b-a83b-89ebeebff78e.reg","c:\programdata\documents.bat","c:\programdata\drm.exe","c:\programdata\getfolder.bat","c:\programdata\h.ps1","c:\programdata\list_ad.bat","c:\programdata\microsoft\devicesync\sync.conf","c:\programdata\oracle\java\java.exe","c:\programdata\q.bat","c:\programdata\r.ps1","c:\programdata\rar.bat","c:\programdata\reg_1.ps1","c:\programdata\reg_1.ps1","c:\programdata\reg.ps1","c:\programdata\rs.exe","c:\programdata\run.bat","c:\programdata\kb_upd.ps1","c:\programdata\samsung\printer\service.conf","c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\icon.png","c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\image","c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\index.png","c:\programdata\microsoft\uev\templates\settingslocationtemplate2013c.xsd")
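    Queries 3 and 4 only fire on an exact string match, so the three c:\users\<user placeholder>\... entries can never hit a real event until the placeholder is expanded, and a single case or slash difference between an EDR path and a Security-log path will also miss. The following Python matcher is an added illustration, not part of the Bitdefender report or of the Gurucul queries: it normalises paths, turns the placeholder into a one-segment wildcard, and checks constructed events against the filename and scheduled-task indicators listed on this page. It assumes events already normalised into dicts with EventID, ObjectName and TaskName keys, and uses Windows event 4698 (scheduled task created), which the queries above do not cover.

```python
import re

# Subset of the filename and scheduled-task IOCs listed on this page.
FILENAME_IOCS = [
    r"c:\programdata\ca.exe",
    r"c:\programdata\kb_upd.ps1",
    r"c:\programdata\oracle\java\java.exe",
    r"c:\users\<user placeholder>\appdata\roaming\microsoft\windows\templates\curl\icon.png",
]
TASK_IOCS = ["javaupdate", r"\mozilla\browser.visualupdate", "microsoftt", "backup"]

def ioc_to_regex(path: str) -> re.Pattern:
    """Escape the literal path; '<user placeholder>' becomes a one-segment wildcard."""
    parts = [re.escape(p) for p in path.lower().split("<user placeholder>")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$")

FILENAME_PATTERNS = [ioc_to_regex(p) for p in FILENAME_IOCS]
TASK_SET = {t.lower().lstrip("\\") for t in TASK_IOCS}

def match_filename(path: str) -> bool:
    """Case-insensitive match; forward slashes normalised so EDR and Security-log spellings agree."""
    norm = path.replace("/", "\\").lower()
    return any(p.match(norm) for p in FILENAME_PATTERNS)

def match_task(task_name: str) -> bool:
    """Task names compare without case and without the optional leading backslash."""
    return task_name.lower().lstrip("\\") in TASK_SET

def scan_events(events: list) -> list:
    """Return events whose ObjectName (4663 file access) or TaskName (4698 task creation) hits an IOC."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 4663 and match_filename(ev.get("ObjectName", "")):
            hits.append(ev)
        elif ev.get("EventID") == 4698 and match_task(ev.get("TaskName", "")):
            hits.append(ev)
    return hits

# Constructed sample events for illustration, not taken from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\ProgramData\kb_upd.ps1"},
    {"EventID": 4663, "ObjectName": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Templates\curl\icon.png"},
    {"EventID": 4663, "ObjectName": r"C:\ProgramData\Oracle\Java\javaw.exe"},  # near miss, must not hit
    {"EventID": 4698, "TaskName": r"\Mozilla\Browser.VisualUpdate"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("IOC hit:", hit)
```

Extending FILENAME_IOCS and TASK_IOCS to the full lists on this page needs no other change; the placeholder expansion applies to every path that contains it.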

    Reference:

    https://businessinsights.bitdefender.com/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds


    Tags

    Malware, Threat Actor, Curly COMrades, Government Services and Facilities, Energy, credential stealers, Exfiltration, MucorAgent, Backdoor
