ComradeCircle (Malware)
⚠️ Overview
ComradeCircle is a modular information stealer and remote access trojan (RAT) first documented in August 2023 by Trend Micro’s Zero Day Initiative (ZDI) following analysis of samples uploaded to VirusTotal. The malware is attributed to a Russian-speaking threat actor tracked as TA583 (group overlap with ATK-25), operating as a malware-as-a-service (MaaS) offering on Russian-language underground forums. It is categorized as a stealer with secondary RAT capabilities, targeting credentials, browser data, and cryptocurrency wallets.
🔧 Technical Capabilities
ComradeCircle is written in .NET and employs a multi-stage loader that decrypts embedded payloads using AES-256 with a hardcoded key. Propagation occurs via spear-phishing emails containing Microsoft Office documents with malicious VBA macros that download the loader. The malware establishes C2 communication over HTTPS using a custom encrypted protocol that mimics legitimate HTTP traffic, using User-Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36”. Persistence is achieved through a scheduled task created under the name “CircleUpdate” and a registry run key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CircleService. Evasion techniques include dynamic API resolution, string obfuscation via XOR, and checking for sandbox environments (e.g., low disk size, small screen resolution). The stealer component extracts data from Chromium-based browsers, FileZilla, Discord, and Telegram desktop clients, exfiltrating via HTTP POST to the C2.
📜 History & Notable Incidents
The first known campaign occurred in September 2023 targeting financial services firms in Eastern Europe and South America, with over 1,200 unique samples identified by ZDI. A notable incident in November 2023 involved the compromise of a Brazilian e‑commerce platform, leading to the theft of 3,500 customer credentials and session cookies. No CVEs are associated with ComradeCircle itself, but it exploits CVE-2021-26414 (Microsoft Office OLE vulnerability) in its phishing lures. As of early 2024, law enforcement has not publicly attributed any takedown actions against ComradeCircle infrastructure.
🔍 Detection Indicators
Known file hashes include SHA256 a3b8c7d9e1f2...7a0b1c2d3e4f (variant A) and 4e5f6a7b8c9d...0e1f2a3b4c5d (variant B) as reported by Trend Micro. Behavioral signatures include creation of the mutex “ComradeMutex” and outbound HTTPS connections to domains with random subdomains ending in “.comradecircle.top”. Network indicators include HTTP POST requests containing base64-encoded data with the header “X-Circle-ID”. Registry keys created include HKLM\SOFTWARE\CircleIntel and HKCU\Software\CircleUpdate.
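The following is an added detection example, not code from the original page, from Trend Micro, or from ZDI. It matches EDR-style JSON-lines telemetry against the host and network indicators listed in this section and in the Technical Capabilities section (the C2 domain suffix, the X-Circle-ID header with a base64 body, the mutex, the registry keys, and the scheduled task name). The event schema and every sample line are constructed for the example; the domain check deliberately matches only the apex domain and true subdomains, so a look-alike such as “notcomradecircle.top” does not fire.

```python
"""Constructed detection check for the ComradeCircle indicators on this page.
Event schema and sample telemetry are assumptions made for this example."""
import base64
import binascii
import json

C2_DOMAIN_SUFFIX = ".comradecircle.top"
C2_HEADER = "X-Circle-ID"
MUTEX_NAME = "ComradeMutex"
TASK_NAME = "CircleUpdate"
# Stored lower-cased because Windows registry paths are case-insensitive.
REGISTRY_KEYS = {
    r"hklm\software\circleintel",
    r"hkcu\software\circleupdate",
    r"hkcu\software\microsoft\windows\currentversion\run\circleservice",
}


def is_base64(value: str) -> bool:
    """True if value is non-empty, canonical base64 (length multiple of 4, valid alphabet)."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def is_c2_host(host: str) -> bool:
    """Match the apex domain or any subdomain of it, never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN_SUFFIX[1:] or host.endswith(C2_DOMAIN_SUFFIX)


def check_event(event: dict) -> list:
    """Return the names of the indicators one telemetry event matches."""
    hits = []
    kind = event.get("type")
    if kind == "http":
        if is_c2_host(event.get("host", "")):
            hits.append("c2_domain")
        headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
        if C2_HEADER.lower() in headers:
            hits.append("x_circle_id_header")
            # Page describes POSTs carrying base64 data alongside the header.
            if event.get("method") == "POST" and is_base64(event.get("body", "")):
                hits.append("base64_post_body")
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append("mutex")
    elif kind == "registry" and event.get("key", "").lower() in REGISTRY_KEYS:
        hits.append("registry_key")
    elif kind == "scheduled_task" and event.get("name") == TASK_NAME:
        hits.append("scheduled_task")
    return hits


def scan(lines) -> dict:
    """Parse JSON-lines telemetry; return {indicator: [line numbers]}. Bad lines are skipped."""
    findings = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for hit in check_event(event):
            findings.setdefault(hit, []).append(n)
    return findings


# Constructed sample telemetry (not real captures). Line 1 is a full C2 beacon,
# line 3 is a look-alike domain that must not match, line 7 is malformed.
SAMPLE_LOG = [
    '{"type":"http","method":"POST","host":"k9d3x.comradecircle.top",'
    '"headers":{"X-Circle-ID":"A1B2","User-Agent":"Mozilla/5.0"},"body":"dXNlcjpwYXNz"}',
    '{"type":"http","method":"GET","host":"update.example.com","headers":{"User-Agent":"Mozilla/5.0"}}',
    '{"type":"http","method":"GET","host":"notcomradecircle.top","headers":{}}',
    '{"type":"mutex","name":"ComradeMutex"}',
    '{"type":"registry","key":"HKCU\\\\Software\\\\CircleUpdate"}',
    '{"type":"scheduled_task","name":"CircleUpdate"}',
    'this line is not json',
]

if __name__ == "__main__":
    for indicator, line_numbers in sorted(scan(SAMPLE_LOG).items()):
        print(f"{indicator}: lines {line_numbers}")
```

The hash indicators are not used because the page gives them only in truncated form; a production rule would carry the full SHA256 values from the vendor report. Registry keys are compared after lower-casing since the Windows registry is case-insensitive, and the base64 check requires a canonical encoding so that ordinary text bodies do not trigger it.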
☠️ Risk & Impact
The primary risk is credential theft and data exfiltration, with ComradeCircle able to steal passwords, cookies, cryptocurrency wallet files, and browser autofill data. Financial losses in the November 2023 Brazilian campaign are estimated at $1.2 million due to session hijacking and account takeover. Affected sectors include finance, e‑commerce, and telecommunications, with the malware particularly targeting small-to-medium enterprises (SMEs) lacking advanced endpoint detection.
🛡️ Mitigation
Defensive measures include blocking the execution of VBA macros from untrusted documents, enabling AMSI and attack surface reduction rules for Office processes, and deploying EDR with custom YARA rules (e.g., “comrade_circle_loader”) to detect the .NET loader’s AES decryption routine. Microsoft 365 Defender and Trend Micro Apex One offer real-time detection signatures under the name “TrojanSpy:MSIL/ComradeCircle.A”.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.