CyberWire Daily - Sunny-side spyware. [Research Saturday]
Episode Date: September 27, 2025
This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." A newly identified Chinese APT group has been observed deploying a sophisticated, fileless malware framework called EggStreme against a Philippine military company. The multi-stage toolkit uses DLL sideloading and in-memory execution to evade detection, with its core backdoor, EggStremeAgent, enabling reconnaissance, lateral movement, keylogging, and data theft. Researchers note the campaign's persistence and stealth highlight professional, geopolitically motivated espionage activity linked to Chinese national interests. The research can be found here: EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Is it new activity, is it existing activity? Is it a cluster of victims or is it an isolated case? So in the case of Curly COMrades, we started tracking this group in mid-2024.

That's Martin Zugec, technical solutions director at Bitdefender. The research we're discussing today is titled "Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds."

It's one of those things that people probably don't know. Research like this very often takes months. So it's normal when you see it released, let's say, half a year later. That's perfectly fine because we are documenting all the tools they are using, all the servers, the complete infrastructure. We try to get as complete a picture as possible before we publish this data. So it's always a decision: do we want to release this as soon as possible so all the potential victims are informed, or do we wait a little bit longer, because then we can discover and publish more information and provide a more complete picture.
Yeah. Well, how about the name itself? I mean, Curly COMrades, that's clever naming here.

I love the name personally. And there are two reasons, because we always have a couple of different names that we can choose from. With Curly COMrades, I think it is a smart name for two reasons. The first reason is it is actually really reflecting the technical details about this threat actor group. They like to use curl.exe a lot. And at the same time, one of the most interesting techniques that we noticed for the persistent access was hijacking the COM objects for NGEN. So that's where the Curly COMrades, with the COM capitalized, is technically coming from. The second part of the story is I feel we as a security industry are doing kind of a disservice by glamorizing the cybercrime in many cases, picking names that sound really fancy and cool. So what we also wanted to do is we just wanted to point out that these guys are not cool. They are cybercriminals. So we really wanted to find also the name that would reflect what we think about them, if it makes sense.
Yeah, it does. Well, tell us what particular regions and sectors they seem to be targeting and what their motivations seem to be.

So the motivation, as we've seen through all the tactics, techniques, everything they were going after, is long-term data exploration. So for us, this is one of the APT groups. We've seen them actually attacking multiple victims. So the research that we published is not based on a single victim. As I said, we spent months monitoring and documenting what this group is doing. But what we observed their focus is, is they are targeting countries that are geopolitically halfway between Russia and Europe at this moment. So we've seen them targeting judicial and government bodies in Georgia, the one on the border between Russia and Europe, not the one in the U.S. We've seen them targeting an energy distribution company in Moldova. But one of the highlights for us was also that they used a large network of legitimate but compromised websites as traffic relays. We documented some of them, but we believe there must be a lot more. So that also tells us that what we've seen of this APT, even though we documented quite a lot of it, is probably just a small part of a much larger network of compromised web infrastructure they use. So what I'm trying to say is the total number of victims is definitely significantly higher than what we've seen.
Well, can you walk us through what a typical engagement looks like? I mean, when Curly COMrades sets their sights on someone, how does it usually go down?

Yes, so I would say, and again, this is something that is very common, we don't have any insights into the initial access method they used. And that is very common. Again, it's a forensic investigation. It's not like in the movies where you know exactly every single step that would happen and there are no gaps. In many cases, there are big gaps. We try to figure them out by looking at other victims, collecting more data. So that is part of the reason why research like this really takes a lot of effort and time. So, initial access, in many cases, we don't know and we will never know.

Yeah.
We traced the activity actually to, I want to say, 2023. So here is an important thing. We started monitoring them from mid-2024, but during a forensic investigation, you are looking at everything that happened before that date. So looking at all these artifacts that we were discovering, making sure that we are aware of the time-stomping technique where they are trying to confuse us, the earliest date that we found was November 2023, when they were active. So, again, we don't know the initial access, when it happened, but we can track that they've been active for a long time. Now, what triggered this was that we detected an attempt to deploy a Resocks client, which is not unusual. It's an open source project. So the Bitdefender team just started investigating it and quickly found out this is much bigger than just some isolated action. We found more compromised machines, credentials, started putting everything together. We've seen this threat actor has been really focused on proxying their access and making sure they have multiple ways to get back to the victim if they would be discovered and kicked out. So we found a Resocks tunnel that I mentioned before, but we also found a custom SOCKS5 server on one of the internet-facing hosts. That was one of the alternative entry points. And later on, we discovered there were attempts to build multiple tunnels between the victim network and the infrastructure of the threat actors using tools like SSH or stunnel. So that was something that we've seen as kind of the persistent effort to regain access, which is a very common tactic of APT groups, including this one.
Can we dig into their persistence here? The research talks about, I believe it's called MucorAgent, to help them stay hidden. What's going on there?

Yeah, so the MucorAgent was definitely the highlight for me personally. We found it on multiple systems. So this was one of the tools that was part of the core toolkit they've been using. It's written in .NET and it executes PowerShell, something that we are seeing happening with APT groups quite a lot. What was the most interesting for us was the way this MucorAgent is activated. We tried to find anyone referencing anything similar, but we couldn't find any research. So as far as I know, we are the first ones to document this. So what they are doing is the following. There are multiple components of this MucorAgent. The first step is they are using a .NET assembly that is going to hijack the COM handler. Now, if you've never been dealing with COM objects, congratulations. I spent many years fighting with the DLL hell back in my early days. So this is the stuff of nightmares. This is the really complicated way how Windows sometimes executes code: instead of executing the binary, they just call the class ID that might call another class ID to execute something. There are hundreds or maybe thousands of class IDs that are part of COM on a typical Windows system.

Don't hold back, Mark. Don't hold back.

Yeah, this was again, like, back in the days in the 2000s, I had nightmares about this.

I see. We'll be right back.
So what they are doing is that they choose one of these many, many COM objects with a CLSID, the class ID that I'm not going to say, it's 16 characters and so on. And they just change the target of that COM object. Instead of pointing to the normally executed .NET framework component that would be triggered, it was actually running the MucorAgent. So that is step number one. Essentially, they just redirected it: if something tries to run that part of the .NET framework, instead of running the target, it's going to run malicious code. That's one.

Now, the bigger question is, how is this COM handler actually triggered? What is going to do it? And here comes the really smart part, where they are using a scheduled task for this that is disabled by default. So if you are looking at everything that is starting, for example, at startup of the machine, you are not going to look at this one because, again, it's disabled, it's not executed. The scheduled task is responsible for something called NGEN. .NET framework code, it's not compiled code. So what happens on every single machine, when you execute .NET code for the first time, it's turned into something called IL, which is a language that's optimized for execution on that specific machine. Now, you can also pre-compile all this .NET code, so it just executes faster. Again, coming back to my background, I used to deal with this a lot when we were optimizing execution on large farms of servers. So, really, what you are doing is that you are just pre-compiling the .NET code. Now, this is happening at very specific times: you install new .NET, that can trigger this pre-compilation of the code. You install a new application, this can trigger pre-compilation of the code. Sometimes it is optimization, but it happens at really very random intervals. What the operating system is doing in that case is that it will just enable the scheduled task. And the trigger for the scheduled task is not on startup, log-on, or a specific time, as is usual. The trigger here is on idle. Essentially, you are telling the machine, hey, I need you to pre-compile all the .NET code that you have here, and just do it anytime it's a good time for you. If you are not busy doing something, that's when you can start. This .NET pre-compilation is going to pre-compile all the code, and when it's done, it will go back and disable this scheduled task again. And then at a random time interval, it's not specified in any way, again, the operating system can decide, I want to trigger this native image generator, that's NGEN. So it will enable it again, and it's completely unpredictable for you. First of all, when it's going to be enabled, but also when it's going to be executed, and after it's done it is disabled again, so it looks to you as if it was never executed before. And that is how the MucorAgent is working. So again, not only is it hijacking one of the COM classes that are completely hidden in, like, thousands of different registry keys behind the 16-digit-long string, that is the first part of it, but also the second: how is this triggered? How is this loaded? That's also smart because it's relying on the scheduled task that is disabled, that just appears to be disabled, but it actually executes.
So, is it fair to say that this operation is fairly sophisticated?

Yeah, absolutely. So as I was mentioning, this was the first part. There was a lot that we documented. This was what caught our attention, but there was a lot more to see. And again, the infrastructure that was used, downloading some malicious code, used as the command and control, the C2 server, for example, for communication, most of it were not malicious sites. Almost all of it were legitimate sites that were just compromised and redesigned to be part of this network. So, again, that is one of the best signs that we have telling us, like, this is a much more advanced operation. They stayed stealthy, under the radar, for a very, very long time. So, yeah, it's much bigger than what we are seeing today.
What about resilience? I mean, when defenses spring up, how do they respond to that?

That is very common. And so they used multiple methods to get back inside if they are kicked out. That is very common for these APTs. The last activity that we investigated, they really did something that we are seeing all the cybercriminals doing, whether they are financially motivated or state affiliated. They are switching less and less to using malware, and they are switching more to using normal, common binaries. So, for example, in the case of Curly COMrades, we've seen them using different tools in the past, but the last incident, and I don't see the date here or time, but this was the last one we investigated, they used SSH and they used the TS Tunnel that is part of the stunnel suite for encryption of the TCP traffic. So it's really obfuscating the SSH communication and evading the network-based mechanisms in this case. But again, as with many of these groups, they used multiple tools, multiple endpoints, multiple gateways inside the system. So, again, all these operations are usually very sophisticated. This is not an exception.

Yeah.
So given everything that you've collected here about this group, what are your recommendations? How should organizations best defend themselves?

So if I look at everything we documented for the TTPs, and I will also give a more general recommendation, the first one is this. Most of these investigations we are doing, we are seeing two big problems. The first one is that the victim doesn't have EDR or XDR. We are dealing a lot more today with all the modern threat actors. We are dealing a lot more with suspicious behavior, not clearly malicious. So you really need to have the tools that will go through this noise and highlight for you, these are the things you should investigate. It's really good to think about it. It's no longer binary, just this is bad or this is good. It's all about percentages. We are 60% sure this is suspicious. So having a really good EDR, XDR, that doesn't generate too much noise, that's still actionable, is one of the best things to detect, to minimize the time when the threat actors are on your network. So that would be one. And again, in many investigations, we are just seeing these tools are not deployed.

The second one that we see very often is operational gaps. And what I mean by this is some companies will buy EDR/XDR solutions and then at the end all they are going to do is they will just think that that is the tool that will solve the problem. But if you think about it, EDR/XDR is not really that useful if you don't have your own security operations. So having your own SOC that is staffed properly, trained properly, it is the combination of process, people, and tools. If you don't have these people looking at those alerts and triaging, then you will end up in a situation that we've seen many, many times where after an investigation like this, we can conclude there are red flags all over the place and no one was responding to them. I'm not saying this particular investigation, but more broadly what we are seeing in our research. So again, make sure you have the tools that will highlight to you suspicious activity on the network, on endpoints, on servers in the cloud, and also you have the people that can respond to it, whether it's the SOC or it's the managed detection and response services that you can use.

The last recommendation I would give is, make sure that you are keeping up with the latest research. I mentioned it during our conversation. We are seeing a lot more of the living-off-the-land attacks. We are seeing all kinds of cybercriminals transitioning from using specialized tools to just using whatever is available on those systems. APTs are one of the last groups where at the end, they usually rely on the custom malware that's really hard to detect. But again, even they are using these tools. They are using legitimate remote monitoring and management, RMM, tools. So we see all these cybercriminals adopting the playbook where they just use what is available on the system and they don't really bring anything new that can be easily detected on the network. So be aware of LOLBins, be aware of RMM abuse by these threat actors.
Our thanks to Martin Zugec from Bitdefender for joining us. The research is titled "Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds." We'll have a link in the show notes.

And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.