Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,629 of 2,445    |
|    Mike Powell to All    |
|    Criminals target governme    |
|    14 Aug 25 09:16:57    |
TZUTC: -0500
MSGID: 1363.consprcy@1:2320/105 2d032b2c
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Experts warn criminals are using backdoor malware to target governments

Date:
Wed, 13 Aug 2025 12:52:00 +0000

Description:
CurlyCOMrades are targeting Moldova and Georgia governments with MucorAgent.

FULL STORY

Cybersecurity researchers at Bitdefender recently spotted a new threat actor using a never-before-seen piece of backdoor malware to target critical infrastructure organizations in eastern Europe.

Bitdefender named the new group Curly COMrades, since it heavily relies on the curl.exe tool to pull data and communicate with the C2 server, and since it hijacks Component Object Model (COM) objects during its attacks.

In its attacks, Curly COMrades deploy a backdoor named MucorAgent, a custom three-stage malware component, engineered as a .NET stealthy tool capable of executing an AES-encrypted PowerShell script and uploading the resulting output to a designated server.

When in doubt - blame the Russians

In other words, it's a piece of Windows malware that runs hidden commands, keeps them encrypted to avoid detection, and sends the results back to the attacker.

So far, identified victims include government and judicial organizations in Georgia, and energy companies in Moldova.

Given the targets, the researchers believe the attackers are of Russian origin, or at least Russia-aligned.

However, they did stress that there are no strong overlaps with known Russian APT groups, but Curly COMrades operations align with the geopolitical goals of the Russian Federation."

Bitdefender also could not determine the initial access vector - how crooks managed to infiltrate the target endpoints to deploy MucorAgent to begin with.

They claim to have seen installations of multiple proxy agents, including Resocks which, they suspect, may have been used to that end.

Ever since Russia's attention turned towards Ukraine in 2014 with the annexation of Crimea, countries on its eastern border have lost the spotlight. Georgia, however, is in a similar position to Ukraine, with two regions declaring independence with the help of the Russian military - South Ossetia, and Abkhazia. Therefore, it would make sense that Russia's cyberspies would like to keep tabs on neighboring countries and their diplomatic efforts.

Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/experts-warn-criminals-are-using-backdoor-malware-to-target-governments

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca