
“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” the researchers found.
Links to Sandworm and Curly COMrades
According to Amazon’s telemetry, the group’s infrastructure has overlaps with Sandworm, a group also known as APT44 and Seashell Blizzard that’s associated with Russia’s military intelligence agency, the GRU. There are also overlaps with a group whose activity was documented in the past by security firm Bitdefender, under the name Curly COMrades.
However, these could be distinct subgroups within the GRU that work together, with the one tracked by Amazon handling initial access and lateral movement and Curly COMrades handling host persistence through its CurlyShell and CurlCat custom malware implants.
