Curly COMrades Georgia and Moldova cyber espionage campaign
Campaign
Summary
The Curly COMrades espionage operation has expanded against entities in Georgia and Moldova, raising the risk of long-term network access and credential theft. The group is using MucorAgent, Ngen COM hijacking, and legitimate tools to blend into normal activity. The campaign matters because it is built for reconnaissance, persistence, and exfiltration rather than a one-time intrusion. The activity has been tracked since mid-2024, with evidence of MucorAgent use dating back to November 2023.
Related Happenings
Coldriver intensified high-profile espionage campaign
Campaign
First: 21.10.2025 13:02
Last: 21.10.2025 13:02
Sources 1
About this happening:
**Star Blizzard** (**ColdRiver/Calisto**) continued a **spear-phishing campaign** in **May and June 2025** against **Reporters Without Borders (RSF)** and another organization, us...
Latest development: 03.12.2025 18:45
Star Blizzard, also known as ColdRiver or Calisto, was identified in a fresh spear-phishing wave against Reporters Without Borders (RSF) and another organization. The operators used impersonated trusted contacts, a custom Adversary-in-the-Middle (AiTM) kit on account.simpleasip[.]org, modified ProtonMail interface elements, and attacker-controlled API handling for CAPTCHA and two-factor authentication (2FA) to harvest credentials.
Confucius Pakistan phishing campaign using WooperStealer and Anondoor
Campaign
First: 02.10.2025 17:44
Last: 02.10.2025 17:44
Sources 1
About this happening:
**Confucius** is running an active **phishing campaign** against **Pakistan** that uses **WooperStealer** and **Anondoor**, expanding the risk of credential theft and device compr...
Gamaredon and Turla coordinated Ukraine compromise campaign
Campaign
First: 19.09.2025 11:24
Last: 19.09.2025 11:24
Sources 1
About this happening:
The **Gamaredon-Turla** collaboration has been tied to a **multi-stage campaign** against **Ukrainian entities**, expanding Russian access inside the country. In **February, April...
Noisy Bear Kazakhstan oil and gas phishing campaign
Campaign
First: 11.09.2025 15:00
Last: 11.09.2025 15:00
Sources 1
About this happening:
The **Noisy Bear** operation is conducting **phishing-based intrusion activity** against **Kazakhstan's oil and gas sector**, creating espionage risk for **KazMunayGas** and relat...
OldGremlin extortion campaign targeting Russian industrial enterprises
Campaign
First: 06.09.2025 18:13
Last: 06.09.2025 18:13
Sources 1
About this happening:
OldGremlin has resumed **extortion attacks** against **Russian industrial enterprises**, creating renewed operational risk for as many as **eight** large domestic targets. The gro...
Timeline
12.08.2025 16:00 · 1 article
Curly COMrades targets Georgia and Moldova
Initial Disclosure: A previously undocumented threat actor dubbed Curly COMrades was observed targeting judicial and government bodies in Georgia and an energy distribution company in Moldova for long-term access, using MucorAgent, Ngen COM hijacking, Resocks, SSH, Stunnel, SOCKS5, CurlCat, RuRat, and Mimikatz to support credential theft, reconnaissance, and exfiltration.
Sources:
- New ‘Curly COMrades’ APT Using NGEN COM Hijacking in Georgia, Moldova Attacks — thehackernews.com — 12.08.2025 16:00