RuRat is described in the provided content as a legitimate Remote Monitoring and Management (RMM) program used by the threat actor Curly COMrades for persistent remote access on compromised systems. In the observed campaigns, Curly COMrades targeted entities in Georgia and Moldova, including judicial and government bodies in Georgia and an energy distribution company in Moldova, with activity assessed as aligned with Russian interests. RuRat was deployed alongside other tooling including CurlCat for bidirectional data transfer, Mimikatz for credential harvesting, and the modular .NET implant MucorAgent for persistent access. The content characterizes RuRat specifically as a persistence and remote-access tool within this intrusion set. The initial access vector is stated to be unknown. No RuRat-specific indicators of compromise are provided in the content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RuRat is used by Curly COMrades for persistent remote access to compromised systems.
RuRat is a legitimate RMM tool abused by threat actors for persistent remote access to compromised systems.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.