An attacker known as Curly COMrades has been observed exploiting virtualization technology as a way to bypass security solutions and execute custom malware.
According to a new report from Bitdefender, the attackers allegedly enabled the Hyper-V role on selected victim systems and deployed minimal Alpine Linux-based virtual machines.
“This hidden environment had a lightweight footprint (only 120MB of disk space and 256MB of memory) and hosted a custom reverse shell, CurlyShell, and a reverse proxy, CurlCat,” security researchers Victor Vrabie, Adrian Schipor, and Martin Zugec wrote in a technical report.
Curly COMrades was first documented by a Romanian cybersecurity vendor in August 2025 in connection with a series of attacks targeting Georgia and Moldova. This cluster of activities has been active since late 2023 and is assessed to have interests aligned with Russia.
These attacks deployed tools such as CurlCat for bidirectional data transfer, RuRat for persistent remote access, Mimikatz for credential harvesting, and a modular .NET implant called MucorAgent, with early iterations dating back to November 2023.
Follow-up analysis conducted in collaboration with Georgia CERT identified additional tools associated with threat actors alongside attempts to weaponize Hyper-V on compromised Windows 10 hosts and establish long-term access by setting up hidden remote operating environments.
“By isolating the malware and its execution environment within a VM, attackers effectively evaded many traditional host-based EDR detections,” the researchers said. “The attackers demonstrated a clear commitment to maintaining reverse proxy functionality and repeatedly introduced new tools into the environment.”
In addition to using Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods for proxying and tunneling, Curly COMrades employs a variety of other tools, including PowerShell scripts designed for remote command execution and CurlyShell, a previously undocumented ELF binary deployed in virtual machines that provides a persistent reverse shell.
The malware is written in C++ and runs as a headless background daemon that connects to a command and control (C2) server and launches a reverse shell, allowing the attacker to execute encrypted commands. Communication polls the server for new commands via HTTP GET requests and sends the results of command execution back to the server using HTTP POST requests.
“Two custom malware families, CurlyShell and CurlCat, were at the center of this activity, and although they shared a nearly identical code base, they processed incoming data differently. CurlyShell executed commands directly, while CurlCat funneled traffic over SSH,” Bitdefender said. “These tools were introduced and operated to ensure flexible control and adaptability.”
Source link
