Full Report
Curly COMrades strike again: Russia's Curly COMrades is abusing Microsoft's Hyper-V hypervisor on compromised Windows machines to create a hidden Alpine Linux-based virtual machine that bypasses endpoint security tools, giving the spies long-term network access to snoop and deploy malware.…
Analysis Summary
# Threat Actor: Curly COMrades
## Attribution & Identity
**Attribution:** Russia-aligned threat actor.
**Known Aliases and Associated Groups:** Curly COMrades. Bitdefender states the group supports Russian geopolitical interests but has not explicitly linked them to the Russian government.
## Activity Summary
The most recent campaign described began in July 2025. Curly COMrades abuses the legitimate Microsoft Hyper-V hypervisor on compromised Windows machines to establish a hidden, persistent environment: a lightweight Alpine Linux-based Virtual Machine (VM) in which custom malware runs. Because host-based Endpoint Detection and Response (EDR) tools have no visibility into processes inside the guest, the implants execute without being inspected by the host's EDR.
Historical activity, documented since 2024 and most recently reported in August 2025, includes attacks against judicial and government bodies in Georgia and an energy distribution company in Moldova.
## Tactics, Techniques & Procedures
- **VM Isolation for Evasion:** Abusing legitimate virtualization technology (Hyper-V) to host malware execution in a hidden VM, isolating the activity from host-based EDR detection.
- **Hypervisor Configuration:** Executing remote commands on compromised hosts to enable the `microsoft-hyper-v` feature while disabling its management interface, so the hypervisor runs without the Hyper-V Manager that a local administrator would normally use to see the guest.
- **Network Evasion:** Configuring the VM to use the Hyper-V Default Switch (a NAT switch), so malicious outbound traffic egresses through the host's network stack and appears to originate from the host's IP address, masking its true origin.
- **Custom Implants:** Deploying two primary custom tools within the VM:
- **CurlyShell (Reverse Shell):** Provides a reverse shell and maintains root-level persistence using a cron job. Connects to C2 over HTTPS.
- **CurlCat (Reverse Proxy):** Manages an SSH reverse proxy tunnel, wrapping outgoing SSH traffic into standard HTTP request payloads.
- **Lateral Movement & Persistence (Host-level):** Utilizing linked PowerShell scripts to:
- Inject a Kerberos ticket into LSASS for remote authentication and command execution.
- Deploy via Group Policy to create a local account across domain-joined machines for persistent access.
## Targeting
- **Sectors:** Judicial bodies, Government bodies, Energy distribution sector.
- **Geography:** Georgia, Moldova.
- **Victims:** Specific victims were not publicly identified in this latest campaign, though previous targets included government entities in Georgia and an energy company in Moldova.
## Tools & Infrastructure
- **Malware Families Used:**
- CurlyShell (Custom reverse shell)
- CurlCat (Custom SSH reverse proxy)
- **Infrastructure:**
- C2 used in the latest campaign was hosted on a Georgian website (URL defanged).
- Implants are typically written in C++ and built around the `libcurl` library.
## Implications
The use of an established, legitimate virtualization feature (Hyper-V) to create a stealthy, isolated and persistent operating environment signals maturing tradecraft among state-aligned actors. Host EDR sees only a trusted Hyper-V worker process and outbound traffic from the host's own IP address, so signature-based or basic behavioral endpoint monitoring does not observe the implants at all. Defending against this requires defense-in-depth strategies that monitor for abuse of native system features rather than trusting the host's view of itself.
## Mitigations
- Implement a multi-layered, defense-in-depth security strategy rather than relying solely on endpoint detection; network-level monitoring still sees the guest's C2 traffic even when the host EDR does not.
- Focus monitoring efforts on the abuse of legitimate system tools, such as the configuration and execution of virtualization platforms (Hyper-V), and inventory the Hyper-V role on endpoints that have no business need for virtualization.
- Alert on Hyper-V feature enablement or disabling (for example via DISM or PowerShell), on Hyper-V management components being disabled while the hypervisor stays enabled, and on unexpected VM worker processes or VMs attached to the Default Switch.
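The following is an added hunting script that is not part of the original report or of Bitdefender's tooling. It checks a single Windows host for the pattern described in the Tactics and Mitigations sections: the Hyper-V role enabled with its management tools disabled, running VM worker processes, VMs present in the Hyper-V WMI namespace (which remains queryable even when Hyper-V Manager has been removed), guests attached to the Default Switch, and recent Hyper-V servicing events in the Setup log. The cmdlets, feature names, process names and log names are standard Windows ones; the choice of what to treat as suspicious, the function name and the 30-day lookback are my own assumptions. It must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added hunting script for the Hyper-V abuse pattern described in this report.
# It is not Bitdefender's tooling. Cmdlets, log names, process and feature names are
# standard Windows ones; the heuristics (what counts as suspicious) are assumptions.

function Get-HyperVAbuseIndicators {
    [CmdletBinding()]
    param(
        # How far back to search the Setup log for servicing events (assumed default)
        [int]$LookbackDays = 30
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Feature state: platform role enabled while its management components are not.
    #    This matches "enable Hyper-V, disable its management interface".
    $features = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object FeatureName -like 'Microsoft-Hyper-V*'
    $platform = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V'
    if ($platform -and $platform.State -eq 'Enabled') {
        $mgmtOff = $features | Where-Object {
            $_.FeatureName -like 'Microsoft-Hyper-V-Management-*' -and $_.State -ne 'Enabled'
        }
        if ($mgmtOff) {
            $findings.Add([pscustomobject]@{
                Indicator = 'Hyper-V enabled with management tools disabled'
                Detail    = ($mgmtOff | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join '; '
            })
        }
    }

    # 2. Running VM worker processes: Hyper-V starts one vmwp.exe per running VM,
    #    whether or not any management tool is installed to display it.
    foreach ($w in (Get-Process -Name vmwp -ErrorAction SilentlyContinue)) {
        $findings.Add([pscustomobject]@{
            Indicator = 'Running VM worker process'
            Detail    = "vmwp.exe PID $($w.Id), started $($w.StartTime)"
        })
    }

    # 3. VM inventory through the Hyper-V WMI provider (root\virtualization\v2). It is
    #    served by the VMMS service, not by Hyper-V Manager, so it answers even after
    #    the management clients were removed. EnabledState 2 means the VM is running.
    $vms = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem `
        -ErrorAction SilentlyContinue | Where-Object Caption -eq 'Virtual Machine'
    foreach ($vm in $vms) {
        $state = if ($vm.EnabledState -eq 2) { 'running' } else { "state $($vm.EnabledState)" }
        $findings.Add([pscustomobject]@{
            Indicator = 'Hyper-V virtual machine present'
            Detail    = "'$($vm.ElementName)' ($($vm.Name)) $state, created $($vm.InstallDate)"
        })
    }

    # 4. Guests on the Default Switch egress via NAT through the host's own IP address,
    #    the traffic-masking step in the report. Needs the Hyper-V PowerShell module;
    #    if the attacker removed it, steps 2 and 3 above still cover the host.
    if (Get-Command Get-VMNetworkAdapter -ErrorAction SilentlyContinue) {
        Get-VMNetworkAdapter -VMName * -ErrorAction SilentlyContinue |
            Where-Object SwitchName -eq 'Default Switch' | ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Indicator = 'VM attached to Default Switch (NAT via host IP)'
                    Detail    = "$($_.VMName) MAC $($_.MacAddress) IPs: $($_.IPAddresses -join ',')"
                })
            }
    }

    # 5. Recent servicing events that mention Hyper-V. Feature enable/disable through
    #    DISM or PowerShell is recorded in the Setup log; the substring match is a heuristic.
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Hyper-V' } | ForEach-Object {
            $findings.Add([pscustomobject]@{
                Indicator = 'Hyper-V feature servicing event'
                Detail    = "$($_.TimeCreated) id=$($_.Id): $(($_.Message -split "`n")[0])"
            })
        }

    return $findings
}

# Usage: run elevated and review every row. A workstation with no business need for
# virtualization should produce no rows at all.
Get-HyperVAbuseIndicators | Format-Table -AutoSize -Wrap
```

Each row is a lead, not a verdict: a developer's own Hyper-V VM will also show up in steps 2 to 4, so the script is meant for hosts where the Hyper-V role is not expected, or for comparing against an asset inventory. Step 3 is deliberately independent of the Hyper-V PowerShell module because the tradecraft in this report disables the management interface, which is exactly what a responder would otherwise reach for.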