MucorAgent Windows persistence backdoor
Malware Activity
Summary
The MucorAgent backdoor now stands out as a persistent-access threat because it can restore control over Windows endpoints and execute attacker payloads under SYSTEM. It abuses CLSID hijacking against Ngen in the .NET Framework to blend persistence into legitimate system behavior. The implant can run an encrypted PowerShell payload and upload the output to an attacker-controlled server. Confirmed use reaches back to November 2023, indicating a longer-running malware operation than the mid-2024 tracking window alone suggests.
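A defender-side check for the persistence mechanism described above, added here as an example (it is not code from this page or from Bitdefender): it lists CLSIDs registered in the current user's registry hive that shadow a machine-wide COM registration, which is the condition COM hijacking persistence relies on. The function name and the "outside the Windows directory" heuristic are assumptions; the page names no specific CLSID, so none is hard-coded.

```powershell
function Find-UserClsidOverride {
    # Added example, not from the page. Per-user CLSID registrations under HKCU are
    # resolved before HKLM ones, so a user-hive InprocServer32/LocalServer32 that
    # shadows a machine-wide entry (e.g. one a system component such as Ngen loads)
    # is the classic COM hijacking footprint worth triaging.
    $serverKeys = 'InprocServer32', 'LocalServer32'
    $hkcu = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $hklm = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    # Heuristic (assumption): servers living outside the Windows directory are
    # reported even when nothing in HKLM is shadowed.
    $systemPath = '^"?(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\'

    Get-ChildItem -Path $hkcu -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($srv in $serverKeys) {
            $userKey = "$($_.PSPath)\$srv"
            if (-not (Test-Path -Path $userKey)) { continue }
            $userPath = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            $machineKey = "$hklm\$clsid\$srv"
            $machinePath = $null
            if (Test-Path -Path $machineKey) {
                $machinePath = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            }
            $shadowsMachine = ($null -ne $machinePath)
            $outsideSystem  = ($userPath) -and ($userPath -notmatch $systemPath)
            if ($shadowsMachine -or $outsideSystem) {
                [pscustomobject]@{
                    CLSID         = $clsid
                    ServerType    = $srv
                    UserServer    = $userPath
                    MachineServer = $machinePath
                    ShadowsHKLM   = $shadowsMachine
                }
            }
        }
    }
}

# Run for the current user; an empty result means no per-user CLSID overrides found.
Find-UserClsidOverride | Format-Table -AutoSize
```

Run it in each interactive user's context (or load other users' NTUSER.DAT hives), since a hijack planted under one user's HKCU is invisible from another account.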
Timeline
12.08.2025 03:00 · 1 article · 9 months ago
Bitdefender details MucorAgent Windows persistence backdoor
Technical Analysis Update
Bitdefender describes MucorAgent as a bespoke .NET backdoor used in Curly COMrades operations against judicial and government bodies in Georgia and an energy distribution company in Moldova. The implant hijacks CLSIDs to abuse Native Image Generator (Ngen), can execute malicious commands under SYSTEM, and can run encrypted PowerShell scripts while uploading output to a designated server. The campaign had been tracked since mid-2024, and the earliest confirmed use of MucorAgent was in November 2023.
Sources
- New ‘Curly COMrades’ APT Using NGEN COM Hijacking in Georgia, Moldova Attacks — thehackernews.com — 12.08.2025 16:00