
Curly COMrades APT Targets Georgian and Moldovan Entities via NGEN COM Hijacking

2 unique sources, 2 articles

Summary


Curly COMrades, a newly identified threat actor, has been conducting cyber espionage campaigns against entities in Georgia and Moldova since at least November 2023. The group targets judicial and government bodies in Georgia, as well as an energy distribution company in Moldova, aiming to establish long-term access to networks for reconnaissance and credential theft. The attacks leverage the NGEN COM hijacking technique to maintain persistence and use a variety of legitimate tools and custom malware, including MucorAgent, to exfiltrate data and execute commands. The group's activities align with Russia's geopolitical interests, and its operations emphasize stealth and minimal detection. Additionally, a state-backed Russian threat actor, Storm-1679 (aka Matryoshka), is targeting the 2025 Moldovan elections with a disinformation campaign. This campaign involves biased news articles against current Moldovan leadership and false headlines about the government, aiming to disrupt Moldova's efforts to join the European Union.

Timeline

  1. 24.09.2025 23:01 1 article · 5d ago

    Storm-1679 targets Moldovan elections with disinformation campaign

    A state-backed Russian threat actor, Storm-1679 (aka Matryoshka), is targeting the 2025 Moldovan elections with a disinformation campaign. This campaign involves biased news articles against current Moldovan leadership and false headlines about the government, aiming to disrupt Moldova's efforts to join the European Union. The campaign is linked to Absatz, a Russian propaganda effort registered with Roskomnadzor in March 2022, and is run by Shakhnazarov M. S., a known propagandist based in Russia. The campaign uses infrastructure and technical fingerprints reused from previous campaigns dating back to 2022.

  2. 12.08.2025 16:00 1 article · 1mo ago

    Curly COMrades APT Targets Georgian and Moldovan Entities via NGEN COM Hijacking

    Curly COMrades, a newly identified threat actor, has been conducting cyber espionage campaigns against entities in Georgia and Moldova since at least November 2023. The group targets judicial and government bodies in Georgia, as well as an energy distribution company in Moldova, aiming to establish long-term access to networks for reconnaissance and credential theft. The attacks leverage the NGEN COM hijacking technique to maintain persistence and use a variety of legitimate tools and custom malware, including MucorAgent, to exfiltrate data and execute commands.



Similar Happenings

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.

Kazakhstan Energy Sector Phishing Test Mistaken for Noisy Bear Campaign

A phishing campaign targeting KazMunayGas employees was initially attributed to the Noisy Bear threat actor. The activity, codenamed Operation BarrelFire, involved phishing emails with malicious attachments designed to deliver a reverse shell. However, KazMunayGas clarified that the campaign was a planned phishing test conducted in May 2025. The campaign utilized a compromised email address from KazMunayGas's finance department to send phishing emails containing a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file. The payloads included a batch script and a PowerShell loader named DOWNSHELL, culminating in the deployment of a DLL-based implant. The infrastructure was hosted on the Russia-based bulletproof hosting service Aeza Group, which was sanctioned by the U.S. in July 2025. The campaign was initially linked to a new threat group tracked by Seqrite Labs as Noisy Bear, active since at least April 2025. Seqrite Labs disputed KazMunayGas's claim that the attack was a security exercise, citing forensic clues and infrastructure overlaps with other Central Asian attacks. The threat activity has geopolitical implications, targeting a state-owned oil and gas company in Kazakhstan, which is a significant player in Europe's energy market.

Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers

A rapidly spreading phishing campaign is targeting Windows users worldwide, stealing credentials and deploying various remote access trojans (RATs) using malicious JavaScript files. The campaign affects multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality. The attackers use personalized phishing pages and socially engineered scenarios to lure victims into downloading the malware. The campaign involves multiple stages, including an initial obfuscated script, a spoofed site, and the deployment of RATs such as PureHVNC, DCRat, and Babylon RAT. The attackers employ sophisticated techniques to evade detection and maintain long-term access to compromised networks. The campaign has been observed in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan. The phishing emails use themes related to voicemail messages and purchases to deceive recipients into clicking on malicious links. The initial payload is a ZIP archive containing an obfuscated JavaScript file that acts as a dropper for UpCrypter, which functions as a conduit for various RATs. The malware uses steganography to embed the final payload within a harmless-looking image and includes anti-analysis and anti-virtual machine checks to evade detection. The malware is executed without writing to the file system, minimizing forensic traces. The campaign is part of a larger trend where threat actors abuse legitimate services for phishing attacks. A new campaign impersonates Ukrainian government agencies to deliver CountLoader, which drops Amatera Stealer and PureMiner. The phishing emails contain malicious SVG files designed to trick recipients into opening harmful attachments. The SVG files initiate the download of a password-protected ZIP archive containing a CHM file, which activates CountLoader. CountLoader drops various payloads, including Cobalt Strike, AdaptixC2, and PureHVNC RAT, and in this case, Amatera Stealer and PureMiner. Amatera Stealer gathers system information, collects files, and harvests data from various applications and browsers. A Vietnamese-speaking threat group uses phishing emails with copyright infringement notice themes to deploy PXA Stealer, which evolves into PureRAT. PureRAT is a modular, professionally developed backdoor that gives attackers complete control over a compromised host. The campaign demonstrates a progression from simple phishing lures to multi-layered infection sequences involving defense evasion and credential theft.

Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage

Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns.

XenoRAT malware campaign targets embassies in South Korea

A state-sponsored espionage campaign, attributed to North Korean threat actors, has been targeting foreign embassies and defense-related institutions in South Korea since March 2025 to deploy XenoRAT malware. The campaign, which has launched at least 19 spearphishing attacks, uses highly contextual and multilingual lures to deliver malicious payloads via GitHub and cloud storage services. The latest attack involved deepfakes of South Korean military identification documents, targeting journalists, researchers, and human-rights activists with themes related to sensitive topics. The campaign's infrastructure and techniques match those of North Korean actor Kimsuky (APT43), but some indicators suggest possible Chinese involvement. The malware, XenoRAT, is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, performing file transfers, and facilitating remote shell operations. It is loaded directly into memory and obfuscated to maintain a stealthy presence on infected systems.