Weekly Summary Cyberattacks August 07-13
Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe
Bitdefender Labs has detailed an espionage campaign by a newly designated threat actor, “Curly COMrades,” assessed to operate in support of Russian interests and active since mid-2024 against critical organizations undergoing geopolitical shifts, including judicial and government bodies in Georgia and an energy distribution company in Moldova. The actor’s core objectives are long-term persistence and credential theft to facilitate lateral movement, data collection, and exfiltration. Operations feature heavy use of proxy relays, primarily Resocks built from obfuscated Go binaries, plus a custom SOCKS5 server, SSH with remote port forwarding, and Stunnel/tstunnel to encrypt TCP traffic, providing multiple redundant entry points and execution channels. Persistence is bolstered by scheduled tasks and services and, notably, by a new .NET backdoor dubbed MucorAgent. MucorAgent’s three-stage design loads a second .NET stage that decrypts and executes a PowerShell payload without invoking powershell.exe, then AES-encrypts and GZIP-wraps output and exfiltrates via curl.exe, masquerading as PNG files and writing results to error.jpg. The group also deploys Remote Utilities (RuRat) as an RMM foothold and uses a bespoke libcurl-linked data shuttler nicknamed “CurlCat” (a GoogleUpdate.exe impostor) that relays STDIN/STDOUT over HTTPS to compromised web servers;
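The exfiltration detail above (AES-encrypted, GZIP-wrapped output written as error.jpg and masquerading as PNG files) is something a defender can hunt for on disk: a file whose extension claims an image but whose leading bytes are a GZIP header, and whose decompressed payload has ciphertext-like entropy. The following is an added example written for this summary, not code from Bitdefender or from the campaign; the sample files, the entropy threshold and the verdict labels are constructed assumptions, not indicators from the report.

```python
import gzip
import hashlib
import math
from collections import Counter
from pathlib import Path

# Expected leading bytes for the image extensions the report says the
# malware output masquerades as.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
GZIP_MAGIC = b"\x1f\x8b"
HIGH_ENTROPY = 7.5  # bits per byte (assumed threshold); AES ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte-valued data."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name: str, data: bytes) -> str:
    """Verdict for a file that claims an image extension."""
    expected = IMAGE_MAGIC.get(Path(name).suffix.lower())
    if expected is None:
        return "not-an-image-extension"
    if data.startswith(expected):
        return "ok"
    if data.startswith(GZIP_MAGIC):
        # Image extension but GZIP container: decompress and look at the payload.
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):
            return "suspicious:gzip-corrupt"
        if shannon_entropy(inner) >= HIGH_ENTROPY:
            return "suspicious:gzip-wrapped-high-entropy"
        return "suspicious:gzip-not-image"
    return "suspicious:magic-mismatch"


def scan(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify(name, data) for name, data in files.items()}


def _fake_ciphertext(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for AES output (constructed)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample files; none are real artifacts from the campaign.
SAMPLE_FILES = {
    "photo.png": IMAGE_MAGIC[".png"] + b"\x00" * 64,          # genuine PNG header
    "error.jpg": gzip.compress(_fake_ciphertext(4096)),       # gzip around ciphertext
    "notes.png": gzip.compress(b"plain text log line\n" * 50),  # gzip around plaintext
    "report.jpg": b"<html>not an image</html>",               # wrong magic, not gzip
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:12} {verdict}")
```

Run over a directory of image-named files, the "gzip-wrapped-high-entropy" verdict is the one worth alerting on; the other mismatches are common enough (renamed downloads, HTML error pages saved with an image name) that they belong in a triage queue rather than a page.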
North Korean Kimsuky Hackers Exposed in Alleged Data Breach
According to information dated August 11, 2025, the North Korean state-sponsored hacking group Kimsuky has allegedly suffered a data breach after two individuals, self-identified as “Saber” and “cyb0rg,” infiltrated their systems and publicly leaked internal data. The hackers, who claim to oppose Kimsuky’s politically driven operations, released part of the group’s backend in the latest issue of the hacker magazine Phrack, distributed at DEF CON 33. They accused Kimsuky of working for financial and political gain rather than pursuing hacking as an independent craft. The leaked 8.9GB dataset, now hosted on the Distributed Denial of Secrets website, includes phishing logs targeting South Korean government and military email domains, a full source code archive of South Korea’s Ministry of Foreign Affairs “Kebi” email platform, curated lists of professors and citizen certificates, phishing toolkits, and unknown malicious binaries. Additional data reveals Cobalt Strike loaders, reverse shells, Onnara proxy modules, Chrome history tied to suspicious GitHub accounts, VPN purchase records, Bash histories showing SSH connections to internal systems, and browsing of Taiwanese government and military websites. Many elements had been partially known, but the leak interconnects tools, infrastructure, and campaigns, potentially compromising Kimsuky’s ongoing operations. While experts note the long-term effect on the group may be limited, the breach is expected to disrupt active campaigns and burn operational assets. The online version of Phrack #72 is expected to be available in the coming days.
New EDR Killer Tool Used by Eight Different Ransomware Groups
Security researchers have uncovered a sophisticated new Endpoint Detection and Response (EDR) killer tool actively used by at least eight different ransomware groups, including RansomHub, BlackSuit, Medusa, Qilin, DragonForce, Crytox, Lynx, and INC. Designed to neutralize endpoint protection before files are encrypted, the tool represents a major advancement in coordinated offensive capabilities among otherwise competing ransomware operations. Since 2022, the use of EDR-disabling malware has grown, with many variants purchased from underground markets and then obfuscated using commercial Packer-as-a-Service platforms like HeartCrypt. While each ransomware gang used its own build, the adoption of the same proprietary EDR-killing approach and the same HeartCrypt service indicates at least some level of coordination or a common supplier within the ransomware ecosystem. Researchers warn that this collaboration complicates defensive strategies, as the tool’s capabilities and delivery methods continue to diversify. Indicators of Compromise (IOCs) have been published on the researchers’ GitHub repository.
Royal and BlackSuit Ransomware Gangs Hit Over 450 US Companies
According to information dated August 7, 2025, U.S. law enforcement agencies, in coordination with international partners, have confirmed the successful dismantling of the BlackSuit ransomware gang’s critical infrastructure, responsible for racking up over $370 million in ransom payments. The takedown, led by ICE’s Homeland Security Investigations (HSI) Washington, D.C., targeted servers, domains, and digital assets used by the group to deploy ransomware, extort victims, and launder illicit proceeds. BlackSuit is recognized as the direct successor to the Royal ransomware group, active since 2022 and linked to over 450 known victims in the United States, including entities in healthcare, education, public safety, energy, and government sectors. Both groups operated using double-extortion tactics, encrypting victims’ systems and threatening to leak stolen data to maximize pressure for payment. The operation, codenamed Operation Checkmate, was coordinated by Europol’s Joint Cyber Action Task Force and involved cooperation from the FBI, IRS Criminal Investigation’s Cyber Crimes Unit, Europol, the U.K.’s National Crime Agency, Germany’s Landeskriminalamt Niedersachsen, Ireland’s An Garda Síochána, Ukraine’s National Police Cyberpolice Department, Lithuania’s Criminal Police Bureau, France’s Office Anti-Cybercriminalité, and Canada’s Royal Canadian Mounted Police and Delta Police Department, among others. The case is being prosecuted by the U.S. Attorney’s Office for the Eastern District of Virginia, with ongoing international collaboration to pursue legal accountability for the operators behind the Royal and BlackSuit campaigns. Officials stressed that the disruption not only removed malicious infrastructure but also struck at the financial and operational backbone of a group persistently targeting U.S. critical infrastructure, aiming to prevent further victimization of businesses and essential services worldwide.
Multiple Flaws Found in TETRA Radio Systems, Exposing Law Enforcement, Military, and Critical Infrastructure Communications
Nine previously unknown vulnerabilities were disclosed affecting the Terrestrial Trunked Radio (TETRA) standard and equipment used globally by law enforcement, military units, and critical infrastructure operators. The research reveals three vulnerabilities in the End-to-End Encryption (E2EE) layer (an additional protection mechanism typically used for the most sensitive communications, such as those involving intelligence agencies, special forces, and covert units), and six other weaknesses impacting both the TETRA standard and vendor devices. The E2EE vulnerabilities, discovered by reverse-engineering Sepura Gen 3 devices (such as the SC20 series), include CVE-2025-52941, a weakened algorithm that reduces the effective AES-128 key strength to 56 bits, so that keys can be brute-forced with modest computing power; CVE-2025-52940, enabling injection or replay of arbitrary voice traffic; and CVE-2025-52942, allowing replay of text messages without detection. These flaws can severely compromise the confidentiality and authenticity of communications, downgrading their protection to that of the already-compromised Air Interface Encryption (AIE) layer.