Curly COMrades APT Targets Georgian and Moldovan Entities Using NGEN COM Hijacking
Summary
Curly COMrades, a newly identified APT group, has been targeting government and judicial bodies in Georgia and an energy distribution company in Moldova since at least November 2023. The group employs a methodical approach to gain long-term access to target networks, using legitimate tools and custom malware to extract sensitive data and maintain persistence. The attackers focus on extracting NTDS databases and LSASS memory to obtain user credentials. They use the MucorAgent backdoor to hijack COM objects in the Native Image Generator (Ngen) component of the .NET Framework, enabling persistent access and command execution under the SYSTEM account. The group's tactics include using compromised websites as C2 relays and leveraging tools like CurlCat, RuRat, Mimikatz, and PowerShell scripts for data exfiltration and reconnaissance.
Timeline
- 12.08.2025 16:00 (1 article): Curly COMrades APT Targets Georgian and Moldovan Entities
  Source: New ‘Curly COMrades’ APT Using NGEN COM Hijacking in Georgia, Moldova Attacks — thehackernews.com — 12.08.2025 16:00
Information Snippets
- Curly COMrades targets judicial and government bodies in Georgia and an energy distribution company in Moldova.
- The campaign began at least as early as November 2023, with tracking starting in mid-2024.
- The group uses the MucorAgent backdoor to hijack COM objects in the Native Image Generator (Ngen) component.
- The attackers aim to extract NTDS databases and LSASS memory to obtain user credentials.
- Legitimate tools like Resocks, SSH, Stunnel, and SOCKS5 are used to create multiple conduits into internal networks.
- The group uses compromised websites as C2 relays to blend malicious traffic with normal network activity.
- The attackers employ a modular .NET implant, MucorAgent, for executing encrypted PowerShell scripts and uploading outputs to a designated server.

All snippets first reported 12.08.2025 16:00 (1 source, 1 article: thehackernews.com, as cited in the timeline above).
Similar Happenings
ChillyHell macOS Backdoor Resurfaces with New Capabilities
The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures.

Separately, a new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.
TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs
A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM).

The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. They modify the SSH configuration of the host system to elevate privileges and provide backdoor access, and they create a cron job that executes every minute to block access to the Docker API’s port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs.

In more detail, the malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. It appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access, and writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. It then downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host’s utmp file to identify logged-in users.

The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. It includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome’s remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.
MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users
A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT is written in Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu (Alibaba's seller tool), facilitate RDP logins, and create hidden administrator accounts.
TAG-150 Expands Operations with CastleRAT in Python and C
The threat actor TAG-150, known for the CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities: the C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.
GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module
GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.