Jets fly over Tbilisi to celebrate Georgia's Independence Day in 2022. Credit: Administration of the President of Georgia / Wikimedia Commons

New ‘Curly’ threat actor found targeting sensitive organizations in Georgia, Moldova

State organizations in Moldova and Georgia were attacked in recent months by a threat actor that researchers believe is operating in support of Russian interests.

The threat actor has operated since late 2024 and launched espionage attacks against judicial and government bodies in Georgia as well as an energy distribution company in Moldova.

Cybersecurity firm Bitdefender, which released a study on the campaign, named the group “Curly COMrades,” in reference to the tools used during attacks. The group has been targeting “critical organizations in countries facing significant geopolitical shifts,” the researchers said, and its operations align with the geopolitical goals of the Russian government.

The goal of the group appears to be maintaining long-term access to targeted networks and stealing valid credentials, which allows the attackers to move laterally through the network and to collect and transmit data, Bitdefender explained.

“The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,” they said. 

“Exfiltration activity was deliberately sparse and manually executed to avoid triggering alerts. Files of interest — including credentials, domain information, and internal application data — were staged in publicly accessible locations on victim machines… and then archived and exfiltrated to attacker-controlled servers.”

The threat actors repeatedly tried to extract databases that hold user passwords and authentication data. They also used proxy tools to set up several independent paths into internal networks, so that losing one did not cost them access.

Bitdefender found the hackers also using compromised but legitimate websites as traffic relays — allowing them to blend malicious traffic in with normal network activity and making it difficult for defenders to detect or attribute the actions. 

“By routing command-and-control (C2) and data exfiltration through seemingly harmless sites, they bypass defenses that trust known domains and hide their true infrastructure,” Bitdefender explained. “It's very likely that what we've observed is just a small part of a much larger network of compromised web infrastructure they control.”

The researchers said they looked for any overlaps with other known threat groups but could only find minor similarities. 

Martin Zugec, technical solutions director at Bitdefender, said the campaign stood out to them because the attackers used clever techniques to maintain their access to systems.

The hackers hijack a component installed on Windows by default and piggyback on one of its scheduled tasks, “which the operating system occasionally enables and executes at unpredictable times, such as during idle periods or new application deployments.”

Each time the scheduled task runs, its execution is hijacked and redirected to a malicious implant, creating a “stealthy way to regain access,” Zugec told Recorded Future News. Because the task belongs to the operating system and fires on its own schedule, the implant needs no separate persistence entry of its own.
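One way a defender can hunt for this class of persistence is to enumerate the scheduled tasks whose action is a COM handler rather than a plain executable, resolve each handler's CLSID to the DLL that will actually be loaded, and look for the two traces a class hijack tends to leave: a per-user (HKCU) registration shadowing the system one, or a server DLL that lives outside the Windows and Program Files trees. The script below is an added example written for this article, not code from Bitdefender's report or from the group's tooling; it assumes, as the group's name suggests, that the redirection is done through COM class (CLSID) hijacking, and the function name `Get-ComHandlerTaskFindings` is the author's own.

```powershell
# Added example (not from Bitdefender's report): list scheduled tasks whose
# action is a COM handler, resolve the CLSID to its InprocServer32 DLL, and
# flag the two things a CLSID hijack typically leaves behind.
# Assumption (not stated on the page): the task is redirected via COM class hijacking.

function Get-ComHandlerTaskFindings {
    [CmdletBinding()]
    param()

    # Directories a legitimate OS-owned COM server is expected to live under.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only COM handler actions carry ClassId; Exec actions carry Execute/Arguments.
            if (-not $action.PSObject.Properties['ClassId']) { continue }
            $clsid = $action.ClassId
            if (-not $clsid) { continue }

            $hkcuKey = "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
            $hklmKey = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

            # A per-user registration of a class that a system task loads is the
            # classic COM hijack: HKCU\Software\Classes is consulted before HKLM.
            $userOverride = Test-Path $hkcuKey
            $serverKey = if ($userOverride) { $hkcuKey }
                         elseif (Test-Path $hklmKey) { $hklmKey }
                         else { $null }

            $dll = $null
            if ($serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            }
            $dllExpanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') } else { $null }

            # Flag a server DLL that resolves to somewhere other than the OS/program trees
            # (user profile, ProgramData, temp, a share, ...).
            $outsideTrusted = $false
            if ($dllExpanded) {
                $lower = $dllExpanded.ToLowerInvariant()
                $outsideTrusted = -not ($trustedRoots | Where-Object { $lower.StartsWith($_) })
            }

            [pscustomobject]@{
                TaskPath       = $task.TaskPath
                TaskName       = $task.TaskName
                ClassId        = $clsid
                ServerDll      = $dllExpanded
                UserOverride   = $userOverride
                OutsideTrusted = $outsideTrusted
                Suspicious     = ($userOverride -or $outsideTrusted)
            }
        }
    }
}

# Show only the handlers worth a second look; drop the filter to see the full baseline.
Get-ComHandlerTaskFindings | Where-Object Suspicious | Format-Table -AutoSize
```

Two caveats when running this: the HKCU check only sees the profile the script runs under, so on a shared host repeat it per user (or walk HKEY_USERS), and a handler registered under HKLM with a DLL inside the Windows tree but with a modified or unsigned binary will not be flagged by path alone, so follow up on anything unexpected with a signature check (`Get-AuthenticodeSignature`) and a comparison against a clean machine's baseline.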

The hackers also used a new and complex malware called MucorAgent that was found on multiple systems within one of the targeted organizations. The researchers said the design of the malware “suggests that its execution was intended to occur periodically — most likely for the purpose of data collection and exfiltration.”

The group relied heavily on publicly available tools and open-source projects, showing “a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.