
Curly COMrades: Hidden Hyper-V VM Operation
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
Overview: Curly COMrades is a Russian-speaking threat actor group with links to disinformation campaigns and coordinated cyber operations across Eastern Europe. The group is suspected of running influence operations in parallel with traditional espionage.

Key Characteristics:
- Focuses on psychological operations, information warfare, and cyber influence
- Uses custom implants and credential-harvesting tools
- Operates under personas aligned with hacktivist or pro-Russian themes

Indicators of Attack (IoA):
- Use of phishing pages mimicking NATO and EU entities
- Deployment of backdoors and web shell scripts
- Hosting of fake news content on compromised media sites

Recent Activities and Trends:
- Disinformation around the Ukraine conflict
- Credential phishing targeting government officials
- Telegram-based coordination with other aligned actors
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1543.003 - Create or Modify System Process: Windows Service
ID | Name | Analytic ID | Analytic Description |
   |      |             | Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names. |
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
ID | Name | Analytic ID | Analytic Description |
   | Detection Strategy for Kernel Modules and Extensions Autostart Execution | | Monitor kernel module load/unload activity via modprobe, insmod, rmmod, or direct manipulation of /lib/modules. Correlate with installation of kernel headers, compilation commands, or downloads of .ko files. Detect anomalies in unsigned module loading or repeated module load attempts under non-root users. |
   |      |             | Detect user-initiated kextload commands or modifications to /Library/Extensions. Correlate with changes to the KextPolicy database or unauthorized developer signing identities. Alert on attempts to disable SIP or load legacy extensions from unsigned sources. |
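The Linux row of the analytic above names three signals (unsigned module loads, repeated load attempts by non-root users, and module loads correlated with .ko downloads). The following is an added example, written for this page and not from the source, that implements those three signals over a constructed stream of auditd records and one kernel log line. The record layout follows auditd's key=value format (SYSCALL, EXECVE, KERN_MODULE) and the kernel's "module verification failed" taint message; the sample records, window sizes and thresholds are constructed.

```python
"""Constructed example (not from the page): the Linux half of the T1547.006
analytic above as detection logic over auditd records and kernel log lines.
Sample records are constructed; field names follow auditd's key=value format
and the kernel's 'module verification failed' taint message."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_HDR_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")      # msg=audit(<epoch>.<ms>:<serial>)
UNSIGNED_RE = re.compile(r"\] (\S+): module verification failed")
MODULE_LOAD_SYSCALLS = {"175", "313"}   # x86_64 init_module, finit_module
NONROOT_ATTEMPTS = 3                    # load attempts by one non-root uid ...
NONROOT_WINDOW = 60                     # ... within this many seconds
FETCH_WINDOW = 600                      # max seconds between a .ko fetch and a module load


def parse_audit(line):
    """Return (epoch_seconds, serial, fields) for an auditd record, else None."""
    if not line.startswith("type="):
        return None
    hdr = AUDIT_HDR_RE.search(line)
    if not hdr:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return int(hdr.group(1)), hdr.group(2), fields


def detect(lines):
    """Return (rule, detail) alerts for unsigned module loads, repeated non-root
    load attempts, and module loads shortly after a command naming a .ko file."""
    alerts = []
    ko_fetches = []                 # timestamps of commands whose arguments name a .ko file
    attempts = defaultdict(list)    # uid -> recent non-root module load attempt timestamps
    pending_load = {}               # audit serial -> timestamp of a successful load syscall
    for line in lines:
        unsigned = UNSIGNED_RE.search(line)
        if unsigned:
            alerts.append(("unsigned_module_loaded", unsigned.group(1)))
            continue
        rec = parse_audit(line)
        if rec is None:
            continue
        ts, serial, f = rec
        rtype = f.get("type")
        if rtype == "EXECVE":
            args = [v for k, v in f.items() if re.fullmatch(r"a\d+", k)]
            if any(a.endswith(".ko") for a in args):
                ko_fetches.append(ts)
        elif rtype == "SYSCALL" and f.get("syscall") in MODULE_LOAD_SYSCALLS:
            uid = f.get("uid")
            if uid != "0":
                # Sliding window: keep only attempts within NONROOT_WINDOW of this one.
                recent = [t for t in attempts[uid] if ts - t <= NONROOT_WINDOW] + [ts]
                attempts[uid] = recent
                if len(recent) == NONROOT_ATTEMPTS:
                    alerts.append(("repeated_nonroot_module_load", f"uid={uid} comm={f.get('comm')}"))
            elif f.get("success") == "yes":
                pending_load[serial] = ts
        elif rtype == "KERN_MODULE" and serial in pending_load:
            # KERN_MODULE shares the serial of the SYSCALL record that loaded it.
            loaded_at = pending_load.pop(serial)
            if any(0 <= loaded_at - t <= FETCH_WINDOW for t in ko_fetches):
                alerts.append(("module_load_after_ko_fetch", f.get("name")))
    return alerts


# Constructed sample: a .ko fetch, three failed non-root insmod attempts, a root
# load of that unsigned module, and a routine modprobe much later (no alert).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="wget" a1="-q" a2="http://files.example.test/m.ko"
type=SYSCALL msg=audit(1700000000.102:201): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="wget" exe="/usr/bin/wget"
type=SYSCALL msg=audit(1700000005.300:202): arch=c000003e syscall=313 success=no exit=-1 uid=1000 comm="insmod" exe="/usr/bin/kmod"
type=SYSCALL msg=audit(1700000006.300:203): arch=c000003e syscall=313 success=no exit=-1 uid=1000 comm="insmod" exe="/usr/bin/kmod"
type=SYSCALL msg=audit(1700000007.300:204): arch=c000003e syscall=313 success=no exit=-1 uid=1000 comm="insmod" exe="/usr/bin/kmod"
type=SYSCALL msg=audit(1700000030.000:205): arch=c000003e syscall=313 success=yes exit=0 uid=0 comm="insmod" exe="/usr/bin/kmod"
type=KERN_MODULE msg=audit(1700000030.001:205): name="m"
<4>[12345.678901] m: module verification failed: signature and/or required key missing - tainting kernel
type=SYSCALL msg=audit(1700009000.000:206): arch=c000003e syscall=313 success=yes exit=0 uid=0 comm="modprobe" exe="/usr/bin/kmod"
type=KERN_MODULE msg=audit(1700009000.001:206): name="nf_conntrack"
"""

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {detail}")
```

Correlating the KERN_MODULE record with its SYSCALL record by audit serial is what lets the rule name the module that was loaded; the syscall record alone only says that finit_module succeeded. The late nf_conntrack load falls outside FETCH_WINDOW and produces no alert, which is the behaviour the window exists to provide.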