Particle.news

Bitdefender Exposes Curly COMrades’ Stealthy MucorAgent Backdoor and Unconventional .NET Persistence

The campaign hijacks a dormant .NET scheduled task for covert persistence and blends in legitimate proxy tools to evade detection

[Image] Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe

Overview

  • Curly COMrades have conducted a sustained cyber-espionage effort since mid-2024 against Georgian government and judicial bodies and a Moldovan energy distributor
  • MucorAgent operates as a bespoke three-stage .NET backdoor capable of executing AES-encrypted PowerShell scripts and uploading outputs to attacker servers
  • Persistence is achieved by hijacking CLSIDs tied to the disabled scheduled task of the .NET Native Image Generator (NGEN); when that task is intermittently re-enabled, it restores the implant
  • Operators leverage LOLBins and proxy tools—including Resocks, SSH/Stunnel, SOCKS5 and CurlCat—and compromised websites to maintain redundant C2 and exfiltration channels
  • Despite the group’s stealth techniques, modern EDR and XDR sensors still generate alerts on its activity; the initial access vector remains unknown, and the operations point to Russian-aligned strategic aims
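A defender's audit for the persistence mechanism described in the overview, added here as an illustration and not taken from the Bitdefender report: it lists the .NET Framework scheduled tasks, resolves the CLSID of each COM-handler action to its registered DLL, and flags a per-user (HKCU) override or a server DLL outside the assumed trusted directories. The task path, the trusted-root list and the "Suspicious" heuristic are assumptions to adjust for your environment.

```powershell
# Added audit example (not the report's or the threat actor's code).
# Assumption: NGEN tasks live under this path and use COM-handler actions.
$taskPath     = '\Microsoft\Windows\.NET Framework\'
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Resolve-ClsidServer {
    param([string]$ClassId)
    # Per-user (HKCU) CLSID registrations take precedence over HKLM for COM
    # lookups, which is what a user-level CLSID hijack relies on; report both.
    $result = [ordered]@{ ClassId = $ClassId; HKLM = $null; HKCU = $null }
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Classes\CLSID\$ClassId\InprocServer32"
        if (Test-Path $key) {
            $result[$hive] = (Get-ItemProperty -Path $key).'(default)'
        }
    }
    [pscustomobject]$result
}

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Get-ScheduledTask -TaskPath $taskPath | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only COM-handler actions carry a ClassId; Exec actions are skipped.
        if (-not $action.ClassId) { continue }
        $srv = Resolve-ClsidServer -ClassId $action.ClassId
        [pscustomobject]@{
            Task       = $task.TaskName
            State      = $task.State   # a 'Disabled' task still runs once something re-enables it
            ClassId    = $srv.ClassId
            HKLMServer = $srv.HKLM
            HKCUServer = $srv.HKCU
            # Heuristic (assumption): any HKCU override, or an HKLM server
            # outside the trusted roots, deserves a closer look.
            Suspicious = ($null -ne $srv.HKCU) -or -not (Test-TrustedPath $srv.HKLM)
        }
    }
} | Format-Table -AutoSize
```

A hijack that overwrites the HKLM InprocServer32 value with a DLL placed under a trusted root will not trip this heuristic, so pair the listing with file-hash or signature checks on the resolved DLLs and with alerting on changes to these registry keys.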