A Russian-linked threat actor tracked as Curly COMrades has been observed abusing virtualization to evade endpoint defenses and run custom malware. By moving its tooling into a virtual machine on the compromised host, the group gains an operational environment that host-based security products do not inspect, making its activity harder to detect and disrupt.
According to a recent report by Bitdefender, the threat actor enables the built-in Hyper-V role on compromised Windows systems and creates a minimalist, Alpine Linux-based virtual machine inside it. The VM serves as a staging ground for the group's custom malware, a reverse shell and a reverse proxy, and keeps those processes out of the view of traditional host-based security solutions.
Curly COMrades Exploits Virtualization for Covert Operations
The threat actor collective, identified as Curly COMrades, was first documented in August 2025, with activity traced back to late 2023. Their operations are assessed to be aligned with Russian state interests, targeting countries like Georgia and Moldova. Initial campaigns involved deploying an array of tools for data exfiltration, persistent access, and credential harvesting, including CurlCat, RuRat, Mimikatz, and the modular .NET implant known as MucorAgent.
A subsequent analysis, conducted in collaboration with Georgia CERT, revealed additional tools and a more advanced operational strategy. Curly COMrades began weaponizing Hyper-V on compromised Windows 10 hosts, establishing a hidden remote operating environment designed to ensure long-term access and persistence.
Sophisticated Evasion via Hyper-V Virtualization
The core of the tactic is isolating malicious activity inside a virtual machine. After enabling Hyper-V and deploying a lightweight Alpine Linux VM, the attackers run their malware and proxy tooling in the guest, where host-based endpoint detection and response (EDR) agents cannot see its processes, files or memory: EDR instruments the host operating system, and from the host's point of view a running guest is a single opaque vmwp.exe worker process plus a virtual disk file. The guest's network traffic, however, still leaves through the host's network stack; with the Hyper-V Default Switch it is NATed and appears on the wire with the host's IP address, so network monitoring remains a viable vantage point.
The researchers noted the group's emphasis on keeping a reliable reverse proxy path open, repeatedly adding new tooling to the virtualized environment to preserve flexible control. The VM's footprint, about 120MB of disk and 256MB of memory, is small enough to go unnoticed in a host's resource usage.
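A hunting script for the technique described above, written for this page as an added example and not taken from the Bitdefender report or the actor's tooling. It assumes an elevated PowerShell session on a Windows 10/11 workstation where the Hyper-V role is not expected; the memory and disk thresholds are assumptions chosen so that a guest of the reported size (256MB RAM, roughly 120MB of disk) would be flagged, and the cmdlets used (Get-WindowsOptionalFeature, Get-VM, Get-VMHardDiskDrive, Get-VMNetworkAdapter, Get-WinEvent) are standard Windows cmdlets:

```powershell
# Added hunting example (not from the Bitdefender report). Run in an elevated
# PowerShell on a Windows 10/11 host. Thresholds are assumptions chosen so that
# the reported 256 MB / ~120 MB Alpine guest would be flagged.
$MaxSuspiciousMemoryMB = 512
$MaxSuspiciousDiskMB   = 1024

# 1. Is the Hyper-V role present at all? On a standard user workstation an
#    'Enabled' state that nobody requested is itself the finding.
$role = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
Write-Output "Hyper-V role state: $($role.State)"
if ($role.State -ne 'Enabled') { return }

# 2. Enumerate every VM registered with the management service and size it up.
$findings = foreach ($vm in Get-VM) {
    $disks  = @(Get-VMHardDiskDrive -VMName $vm.Name)
    $diskMB = 0
    foreach ($d in $disks) {
        if (Test-Path -LiteralPath $d.Path) {
            $diskMB += [math]::Round((Get-Item -LiteralPath $d.Path).Length / 1MB)
        }
    }
    $nics = @(Get-VMNetworkAdapter -VMName $vm.Name)

    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        Generation = $vm.Generation
        Created    = $vm.CreationTime
        MemoryMB   = [math]::Round($vm.MemoryStartup / 1MB)
        DiskMB     = $diskMB
        DiskPaths  = ($disks.Path -join ';')
        Switches   = ($nics.SwitchName -join ';')
        # A tiny guest on a workstation is worth a closer look.
        Suspicious = ($vm.MemoryStartup -le ($MaxSuspiciousMemoryMB * 1MB)) -and
                     ($diskMB -le $MaxSuspiciousDiskMB)
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 3. The VM management service keeps its own log; recent entries show when
#    guests were created or started even if the VM was later removed.
try {
    Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 25 |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} catch {
    Write-Warning "Hyper-V VMMS log not readable: $($_.Exception.Message)"
}
```

The useful signal is not any single row but the combination: a role that was never deployed by IT, a guest with a few hundred megabytes of memory and a tiny virtual disk, and a switch name such as the Default Switch that routes the guest's traffic out through the host. The same enumeration can be pushed out over your EDR's live-response or remote PowerShell channel to baseline the fleet and alert on hosts where the role state changes.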
Custom Malware and Proxy Tooling
At the heart of Curly COMrades' operations are two custom malware families: CurlyShell and CurlCat. The two share a near-identical codebase but serve different roles. CurlyShell is a persistent reverse shell that receives and executes commands once it has connected to its command-and-control (C2) server. CurlCat is a reverse proxy that tunnels traffic over SSH to relay data and commands.
The malware communicates with its C2 server over HTTP: GET requests poll for new commands and POST requests return execution results. Alongside these custom tools, Curly COMrades has used a range of proxy and tunneling software, including Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and various SSH-based methods, as well as a PowerShell script for remote command execution.
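The GET-to-poll, POST-to-report rhythm described above is visible in web proxy or egress logs even when the process generating it lives inside a guest that host EDR cannot see, because the guest's traffic is attributed to the host's address. The following detection is an added example written for this page, not the report's or the actor's code; the log format, the server addresses and paths, and the thresholds are all assumptions, and the log lines are constructed:

```powershell
# Added detection example (not from the report): flag clients whose GETs to a
# server arrive at a near-constant interval and are interleaved with POSTs.
# Log format, hosts, paths and thresholds are assumptions; lines are constructed.
$MinGets        = 4      # enough polls to measure an interval
$MaxJitterRatio = 0.2    # stddev / mean of GET spacing; lower = more machine-like

$logLines = @'
2025-11-04T09:00:00Z 10.0.0.21 GET  http://198.51.100.7/api/status 200
2025-11-04T09:00:30Z 10.0.0.21 GET  http://198.51.100.7/api/status 200
2025-11-04T09:01:00Z 10.0.0.21 GET  http://198.51.100.7/api/status 200
2025-11-04T09:01:02Z 10.0.0.21 POST http://198.51.100.7/api/status 200
2025-11-04T09:01:30Z 10.0.0.21 GET  http://198.51.100.7/api/status 200
2025-11-04T09:02:00Z 10.0.0.21 GET  http://198.51.100.7/api/status 200
2025-11-04T09:00:00Z 10.0.0.23 GET  http://www.example.com/ 200
2025-11-04T09:00:10Z 10.0.0.23 GET  http://www.example.com/news 200
2025-11-04T09:03:00Z 10.0.0.23 GET  http://www.example.com/about 200
2025-11-04T09:03:05Z 10.0.0.23 POST http://www.example.com/login 302
2025-11-04T09:10:00Z 10.0.0.23 GET  http://www.example.com/ 200
'@ -split '\r?\n'

# Parse "timestamp client method url status" into objects keyed by client + server.
$events = foreach ($line in $logLines) {
    if ($line -match '^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d+)$') {
        [pscustomobject]@{
            Time   = [datetime]::Parse($matches[1], [cultureinfo]::InvariantCulture,
                                       [System.Globalization.DateTimeStyles]::RoundtripKind)
            Client = $matches[2]
            Method = $matches[3]
            Host   = ([uri]$matches[4]).Host
        }
    }
}

$report = $events | Group-Object Client, Host | ForEach-Object {
    $gets  = @($_.Group | Where-Object Method -eq 'GET' | Sort-Object Time)
    $posts = @($_.Group | Where-Object Method -eq 'POST')
    if ($gets.Count -lt $MinGets) { return }    # too few polls to judge

    # Spacing between consecutive GETs; a poller shows a near-constant interval,
    # a human browsing shows bursts and long pauses.
    $intervals = for ($i = 1; $i -lt $gets.Count; $i++) {
        ($gets[$i].Time - $gets[$i - 1].Time).TotalSeconds
    }
    $mean   = ($intervals | Measure-Object -Average).Average
    $var    = ($intervals | ForEach-Object { ($_ - $mean) * ($_ - $mean) } |
               Measure-Object -Average).Average
    $jitter = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { 1 }

    [pscustomobject]@{
        Client       = $gets[0].Client
        Host         = $gets[0].Host
        Gets         = $gets.Count
        Posts        = $posts.Count
        MeanInterval = [math]::Round($mean, 1)
        Jitter       = [math]::Round($jitter, 3)
        Beaconing    = ($jitter -le $MaxJitterRatio) -and ($posts.Count -ge 1)
    }
}
$report | Format-Table -AutoSize
```

In the constructed data the first client polls one server every 30 seconds and answers with a POST, so it is flagged; the second client's irregular browsing to www.example.com is not. Against real proxy logs the thresholds need tuning per environment, and a flagged client address that belongs to a workstation with no matching process in EDR telemetry is exactly the discrepancy a hidden guest produces.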
Implications for Network Security
The use of virtualization by threat actors like Curly COMrades presents a real challenge for defenders. Host-focused detection (process creation, file writes, memory scanning) sees only the hypervisor's worker process and a virtual disk file, not what runs inside the guest. Defenders therefore need to combine host telemetry that can flag the technique itself, such as unexpected enablement of the Hyper-V role or creation of small, unmanaged VMs, with network traffic analysis of what the host emits, since the guest's traffic still leaves through the host.
The continuous development and deployment of custom malware underscore the adaptive nature of advanced persistent threats. Organizations must keep their detection content current to counter evolving evasion techniques. Curly COMrades' ability to maintain covert operations through deliberate abuse of virtualization points to a growing trend in sophisticated intrusions.
Moving forward, security researchers will likely focus on developing more effective methods to detect and analyze activity within these hidden virtual machines. Continuous monitoring of network traffic patterns originating from and directed towards virtualized environments will be crucial. The ongoing evolution of this threat actor’s tactics suggests a persistent focus on maintaining covert access, making it imperative for defenders to adapt and innovate in response.