
Key Takeaways

  • The Actor: Russian-linked group "Curly COMrades."
  • The Tactic: Hiding malware inside a covert Alpine Linux VM running on compromised Windows hosts.
  • The Tools: Custom tools CurlyShell and CurlCat used for reverse shell and proxying.
  • Detection: Extremely difficult for traditional EDR as traffic is routed through the host network stack.

Researchers have uncovered a sophisticated espionage operation attributed to a Russian-linked group known as Curly COMrades. According to recent analysis by Bitdefender, in collaboration with Georgia’s national CERT, these attackers have been using an advanced technique to hide their malware inside covert virtual machines running on compromised Windows systems.

How do they hide the malware?

Once the attackers obtain remote access, they enable Microsoft Hyper-V, conceal its management tools from the host, and silently deploy a tiny Alpine Linux virtual machine. Despite requiring only minimal resources, this VM contains two custom malicious tools: CurlyShell, a reverse shell, and CurlCat, a reverse proxy.

All malicious activity occurs inside this hidden environment, while network traffic is routed through the host’s normal network stack. As a result, the compromise remains largely invisible to traditional endpoint detection and response tools, which usually monitor only the host’s processes and behaviours.

What other persistence techniques are used?

The campaign goes further than just virtual machine-based stealth. The attackers also deploy additional persistence and credential abuse mechanisms on the Windows host itself. They use PowerShell scripts to inject forged Kerberos tickets into the LSASS process, giving them authenticated access throughout the network. In some cases, they create persistent local accounts through Group Policy on domain-joined systems, allowing long-term control even if initial access is lost.

Who are the primary targets?

Bitdefender reports that Curly COMrades has been active since at least 2024, with previous operations targeting government institutions, courts, and energy sector organisations across Georgia and Moldova. The new tactic of embedding malware inside hidden virtual machines represents an escalation in their operational sophistication.

Why is this difficult to detect?

This development has serious implications for cybersecurity teams. Because the malicious code runs inside a virtualised environment, most conventional endpoint tools are effectively blind to it. Outbound traffic appears normal, logs show little evidence of tampering, and the host operating system may look entirely clean.

New defensive approaches required

Detecting such threats requires new defensive approaches, including monitoring for unexpected activation of virtualisation features, watching for unusual network traffic patterns, and correlating signs of lateral movement and persistence that cannot be tied to visible host processes.
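The first of those approaches can be scripted. The following PowerShell hunting check is an added illustration, not code from the article or from Bitdefender's report; it assumes an elevated session on the Windows host and uses only the standard Hyper-V feature names, process name, WMI class and event log.

```powershell
# Added defender-side check: flag hosts where the Hyper-V platform is enabled but its
# management tooling has been removed, and surface any VM that is defined or running.
# Assumes an elevated PowerShell session; run per host or through your EDR's script runner.
$findings = @()

# 1. Optional-feature state. Platform enabled with every management feature disabled is the
#    mismatch described above: an operator who enables Hyper-V normally keeps the tools.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' }
$platform = $features | Where-Object { $_.FeatureName -eq 'Microsoft-Hyper-V' }
$tools    = $features | Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V-Management-*' }
if ($platform.State -eq 'Enabled' -and -not ($tools | Where-Object State -eq 'Enabled')) {
    $findings += 'Hyper-V platform enabled without management tools (hidden-VM indicator)'
}

# 2. VM worker processes. Each vmwp.exe is one running VM, whatever the cmdlets report.
$workers = Get-Process -Name vmwp -ErrorAction SilentlyContinue
foreach ($w in $workers) { $findings += "VM worker process running: PID $($w.Id)" }

# 3. Defined VMs via WMI, which still answers when the Hyper-V PowerShell module is gone.
#    Msvm_ComputerSystem returns the host too; its Caption is not 'Virtual Machine'.
$vms = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem `
    -ErrorAction SilentlyContinue | Where-Object { $_.Caption -eq 'Virtual Machine' }
foreach ($vm in $vms) {
    $findings += "Defined VM: $($vm.ElementName) (EnabledState $($vm.EnabledState))"
}

# 4. Recent VMMS management events: creating or starting a VM leaves entries here.
$events = Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 `
    -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "VMMS event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) { 'No Hyper-V indicators found' } else { $findings }
```

On a workstation that should never host VMs, any finding from steps 2 to 4 is worth an analyst's look; on a known Hyper-V host, correlate the VMMS events with change records before raising an alert.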

Thomas Murray’s incident response team is trained to respond quickly and efficiently to incidents and help your business get back on track.
