
    Russian spies pack custom malware into hidden VMs on Windows

    Russia’s Curly COMrades is abusing Microsoft’s Hyper-V hypervisor on compromised Windows machines to create a hidden Alpine Linux-based virtual machine that sits outside the reach of host endpoint security tools, giving the spies long-term network access to snoop and deploy malware.

    “This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat,” Bitdefender senior security researcher Victor Vrabie said in a Tuesday report.

    The Romanian security shop, working with the Georgian Computer Emergency Response Team (CERT), uncovered this latest malware-delivery campaign. It reveals how the crew abuses legitimate virtualization technology – in this case, Hyper-V – to bypass endpoint detection and response (EDR) products that inspect only the host.

    “By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections,” Vrabie wrote.

    Bitdefender has been tracking Curly COMrades since 2024, and has said it supports Russian geopolitical interests, but has not explicitly linked it to the Russian government. In August, the research shop documented the group’s attacks against judicial and government bodies in Georgia, plus an energy distribution company in Moldova. 

    This latest campaign began in July. Bitdefender has not publicly identified the victims – we’ve asked and will update this story if we hear back – but said the Russian crew executed remote commands on two computers to enable the Microsoft-Hyper-V optional Windows feature while disabling its management interface, so the hypervisor ran without the usual management tooling that an administrator would notice. A few days later, they downloaded a lightweight Alpine Linux-based VM containing their custom malware.

    The crims configured the VM to use Hyper-V’s Default Switch, the built-in internal switch that NATs guest traffic through the host’s own network stack rather than exposing the VM as a separate device on the LAN.

    “In effect, all malicious outbound communication appears to originate from the legitimate host machine’s IP address,” Vrabie wrote.  
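    The host-side footprint of the setup described above (hypervisor enabled, management tooling disabled, a small VM hanging off the Default Switch) is checkable from PowerShell. The triage script below is an added example, not code from Bitdefender or from the attackers' toolkit; it assumes an elevated session on the host being examined, and the 512 MB memory and 1 GB disk thresholds are our own choices for "suspiciously small", not figures from the report.

```powershell
# Added example, not from the Bitdefender report: triage a Windows host for the
# pattern described above (Hyper-V enabled remotely, management tooling disabled,
# a small VM on the Default Switch). Run in an elevated PowerShell session on the
# host; the size thresholds below are assumptions, not figures from the report.

# 1. Optional-feature state. The DISM feature names are the real ones; an enabled
#    hypervisor with the PowerShell management module disabled is the mix the
#    attackers left behind.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'Microsoft-Hyper-V*' |
    Select-Object FeatureName, State
$features | Format-Table -AutoSize

$state = @{}
foreach ($f in $features) { $state[$f.FeatureName] = [string]$f.State }
$hypervisorOn = ($state['Microsoft-Hyper-V'] -eq 'Enabled') -or ($state['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled')
if ($hypervisorOn -and $state['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled') {
    Write-Warning 'Hypervisor enabled but Hyper-V PowerShell management is not: matches the reported tradecraft.'
}

# 2. VM inventory via WMI, which works even when the Hyper-V PowerShell module is
#    gone (the VMMS service must be running). Msvm_ComputerSystem lists the host
#    itself (Caption 'Hosting Computer System') and every registered guest
#    (Caption 'Virtual Machine'). EnabledState 2 = running, 3 = off.
$guests = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
    Where-Object Caption -eq 'Virtual Machine'
$guests | Select-Object ElementName, EnabledState, InstallDate | Format-Table -AutoSize

# 3. Where the module is still present, pull memory, disk and switch per VM and
#    flag anything tiny that is attached to 'Default Switch'.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    Get-VM | ForEach-Object {
        $vm       = $_
        $disks    = @(Get-VMHardDiskDrive -VMName $vm.Name | ForEach-Object { Get-Item -Path $_.Path -ErrorAction SilentlyContinue })
        $switches = @((Get-VMNetworkAdapter -VMName $vm.Name).SwitchName)
        $row = [pscustomobject]@{
            Name       = $vm.Name
            State      = $vm.State
            MemoryMB   = [int]($vm.MemoryStartup / 1MB)
            DiskMB     = [int](($disks | Measure-Object -Property Length -Sum).Sum / 1MB)
            Switches   = ($switches -join ';')
            ConfigPath = $vm.Path
        }
        if ($row.MemoryMB -le 512 -and $row.DiskMB -le 1024 -and $switches -contains 'Default Switch') {
            Write-Warning "Small VM on Default Switch: $($row.Name) ($($row.MemoryMB) MB RAM, $($row.DiskMB) MB disk)"
        }
        $row
    } | Format-Table -AutoSize
}

# 4. Module or not, disk images and VM configuration files on fixed drives are
#    hard to hide. This walks every fixed drive, so it is slow on big hosts.
$roots = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object DriveType -eq 3).DeviceID | ForEach-Object { "$_\" }
Get-ChildItem -Path $roots -Recurse -File -Include *.vhd, *.vhdx, *.vmcx -ErrorAction SilentlyContinue |
    Select-Object FullName, @{ n = 'SizeMB'; e = { [int]($_.Length / 1MB) } }, LastWriteTime |
    Sort-Object SizeMB | Format-Table -AutoSize

# 5. Recent VMMS activity for the timeline: VM creation and import are logged here,
#    which is how "a few days later they downloaded a VM" becomes a timestamp.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 40 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Msg'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

    Step 2 is the important one: if the attackers removed the management module, `Get-VM` is not there to ask, but the WMI provider behind it still is, and so are the .vhdx and .vmcx files on disk. A 120 MB disk image with a recent write time that no administrator can account for is exactly the artefact the report describes.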

    The VM contained two custom implants: CurlyShell, which is new, and CurlCat, which Bitdefender documented in its August report. Their code is largely identical, written in C++ and built around the libcurl library.

    CurlyShell runs undetected inside the Alpine guest, where host EDR has no visibility. It provides a reverse shell and relies on a root cron job that relaunches it at regular intervals, giving root-level persistence inside the VM. It connects to the command-and-control (C2) server over HTTPS. 

    In this campaign, the attackers used a Georgian website for C2.

    CurlCat has no persistence of its own; its job is to manage the SSH reverse-proxy tunnel. It wraps all outgoing SSH traffic inside ordinary-looking HTTP request payloads, so the spies’ tunnel blends in with legitimate web traffic leaving the host.

    In addition to the custom malware, the researchers’ analysis found two types of Curly COMrades-linked PowerShell scripts. One injects a Kerberos ticket into LSASS (a pass-the-ticket technique), allowing the attackers to authenticate to remote systems and execute commands. The other, deployed via Group Policy, creates a local account across domain-joined machines for persistent access.
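    Both of those PowerShell behaviours leave artefacts that are cheap to hunt for. The script below is an added example, not something from the Bitdefender report or the attackers' scripts: it searches SYSVOL for Group Policy mechanisms that create local users, lists recent account-creation and group-membership events on the host, and compares the Kerberos tickets in the current logon session against the logged-on user. It assumes a domain-joined machine with read access to SYSVOL and an elevated session for the event checks; the 30-day window and the command patterns it greps for are our assumptions.

```powershell
# Added example, not from the Bitdefender report: hunt for the two PowerShell
# behaviours described above. Assumes a domain-joined host with read access to
# SYSVOL; the Security-log check needs an elevated session.

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
$gpoGuid  = { param($path) [regex]::Match($path, '\{[0-9A-Fa-f-]+\}').Value }

# 1a. Local users pushed through Group Policy Preferences live in
#     {GUID}\Machine\Preferences\Groups\Groups.xml as <User><Properties userName=.../>.
#     action C = create, U = update, R = replace, D = delete.
$gppHits = @(Get-ChildItem -Path $policies -Recurse -Filter 'Groups.xml' -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    [xml]$xml = Get-Content -Path $file.FullName -ErrorAction SilentlyContinue
    foreach ($u in @($xml.Groups.User)) {
        if ($null -eq $u) { continue }
        [pscustomobject]@{
            Gpo    = & $gpoGuid $file.FullName
            Type   = 'GPP local user'
            Detail = "$($u.Properties.userName) action=$($u.Properties.action)"
            Source = $file.FullName
        }
    }
})

# 1b. Startup/logon scripts that create the user themselves. The regex is an
#     assumption covering the usual net.exe and *-LocalUser spellings.
$createPattern = 'net(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add|New-LocalUser|Add-LocalGroupMember|net(1)?(\.exe)?\s+localgroup\s+\S+\s+\S+\s+/add'
$scriptHits = @(Get-ChildItem -Path $policies -Recurse -File -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
    Select-String -Pattern $createPattern | ForEach-Object {
        [pscustomobject]@{
            Gpo    = & $gpoGuid $_.Path
            Type   = 'GPO script creates account'
            Detail = $_.Line.Trim()
            Source = $_.Path
        }
    })

$gppHits + $scriptHits | Format-Table -AutoSize

# 2. Host side: 4720 = user account created, 4732 = member added to a local group.
#    Accounts created by the Group Policy client typically show the machine
#    account (HOST$) as the subject, which is itself a useful filter.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# 3. Kerberos: a ticket whose client name is not the logged-on user is the
#    classic sign of an injected ticket. klist only shows the current logon
#    session; other sessions need 'klist -li <LogonId>'.
$me      = $env:USERNAME
$clients = (klist 2>$null) | Select-String -Pattern 'Client:\s*(\S+)\s*@' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
$foreign = @($clients | Where-Object { $_ -and ($_ -ne $me) } | Sort-Object -Unique)
if ($foreign.Count -gt 0) {
    Write-Warning "Tickets for other principals in this session: $($foreign -join ', ')"
}
```

    The Groups.xml search is the quickest win: a preference item that creates a user across every domain-joined machine is visible to anyone who can read SYSVOL, which by default is every domain user. The ticket check is deliberately narrow; it catches injection into the session it runs in, not into another user's session, so on a suspect host it is worth repeating per logon ID.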

    “The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation,” Vrabie wrote.

    Some threat actors – especially ransomware gangs – are also incorporating EDR killers into their malware arsenal to bypass endpoint security.

    To counter this, Bitdefender and other security experts recommend a multi-layered, defense-in-depth strategy rather than relying on threat detection at endpoints alone, since endpoint detection on its own typically doesn’t pick up on the abuse of native system tools and legitimate products.

    The security shop also published a full list of Curly COMrades indicators of compromise on its public GitHub repository, so give that a read as well. ®
