AWARENESS

Cyber Espionage: How Curly COMrades Exploit Hyper-V to Evade Detection

Curly COMrades, a cyber threat group, has developed a sophisticated method to evade detection by exploiting Windows Hyper-V environments. By activating the Hyper-V role on selected systems, they deploy lightweight virtual machines to host malware, thereby bypassing traditional security measures. Their operations include malware like CurlyShell and CurlCat for command and data execution, and they utilize tools to maintain long-term access and evade detection. This approach highlights the vulnerabilities in virtualized environments and stresses the need for enhanced security strategies against VM-based threats.

In a sophisticated exploitation of virtualization technologies, a cyber threat actor group known as Curly COMrades has advanced its ability to evade security defenses by weaponizing Windows Hyper-V environments. This tactic allows them to conceal malicious operations within a virtual machine (VM), thereby circumventing traditional security measures. Specifically, this group reportedly activates the Hyper-V role on selected victim systems to deploy a lightweight, Alpine Linux-based VM, which occupies minimal resources with a disk space of 120MB and memory usage of 256MB. This VM hosts their custom malware, including a reverse shell called CurlyShell and a reverse proxy named CurlCat.

Curly COMrades was first publicly documented in August 2025, when cybersecurity researchers linked the group to attacks targeting Georgia and Moldova. Its activity is believed to have been ongoing since late 2023 and to align with Russian interests. The group is known for using tools such as CurlCat for data transfers, RuRat for persistent remote control, Mimikatz for credential harvesting, and a modular .NET implant known as MucorAgent, whose development has been traced back to November 2023.

Further analysis in partnership with Georgia CERT identified additional tools employed by the group and highlighted their efforts to establish long-standing access by exploiting Hyper-V to create clandestine remote operational environments on compromised Windows 10 hosts.

By conducting operations inside a VM, Curly COMrades sidestep many host-based Endpoint Detection and Response (EDR) systems, which are typically relied upon to identify and stop unauthorized activity on the host itself. The group has also been persistent in maintaining proxy and tunneling capabilities, continually adding new tools to its toolkit. Beyond Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and various SSH-based tunneling methods, the group uses several other tools, including PowerShell scripts for remote command execution, underscoring its technical sophistication.
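A defender's first question on a Windows 10 workstation is whether the Hyper-V role is enabled at all, and if so, whether any VM resembles the small Alpine guest described above. The following audit script is an added example and not part of the original report; it assumes the Hyper-V PowerShell module is installed alongside the role and that the script runs elevated, and the 512 MB / 1 GB thresholds are our own choice, set deliberately above the 256 MB / 120 MB figures reported for the attacker VM.

```powershell
# Added example (not from the original report): audit a Windows host for an
# unexpected Hyper-V role and for unusually small VMs. Assumes the Hyper-V
# PowerShell module (Get-VM etc.) is present and the script runs as admin.

$memoryThresholdBytes = 512MB   # flag VMs whose startup memory is at or below this
$diskThresholdBytes   = 1GB     # flag VMs whose largest virtual disk is at or below this

# 1. Is the Hyper-V role enabled? On a standard user workstation this is unusual.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($feature.State -ne 'Enabled') {
    Write-Output "Hyper-V role state on $env:COMPUTERNAME is '$($feature.State)'; nothing to inspect."
    return
}
Write-Warning "Hyper-V role is enabled on $env:COMPUTERNAME; confirm this is expected for this host."

# 2. Inventory every VM, its virtual disks and its virtual switch attachments.
foreach ($vm in Get-VM) {
    # Size each attached VHD/VHDX file on disk; missing files count as 0 bytes.
    $diskSizes = @(foreach ($d in Get-VMHardDiskDrive -VMName $vm.Name) {
        if (Test-Path -LiteralPath $d.Path) { (Get-Item -LiteralPath $d.Path).Length } else { 0 }
    })
    $largestDisk = if ($diskSizes.Count -gt 0) { ($diskSizes | Measure-Object -Maximum).Maximum } else { 0 }

    $smallMemory = $vm.MemoryStartup -le $memoryThresholdBytes
    $smallDisk   = ($diskSizes.Count -gt 0) -and ($largestDisk -le $diskThresholdBytes)

    # A network-attached VM with a tiny footprint is the pattern worth a closer look.
    $switches = (Get-VMNetworkAdapter -VMName $vm.Name).SwitchName | Where-Object { $_ } | Sort-Object -Unique

    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        StartupMB  = [math]::Round($vm.MemoryStartup / 1MB)
        DiskMB     = [math]::Round($largestDisk / 1MB)
        Switches   = ($switches -join ',')
        Created    = $vm.CreationTime
        ConfigPath = $vm.Path
        Suspicious = ($smallMemory -and $smallDisk)
    }
}
```

Run it on hosts where Hyper-V is not part of the standard build; any VM flagged as `Suspicious` with a switch attachment and a recent `Created` time deserves the same triage as an unknown service on the host.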

The reverse shell at the center of these operations, CurlyShell, is written in C++ and runs as a headless daemon. It connects to a command-and-control server and provides a reverse shell, letting the attackers issue commands covertly. It polls the server with HTTP GET requests to retrieve new commands and sends command output back with HTTP POST requests. CurlyShell and CurlCat, the two primary malware families used in these operations, share a similar code base but differ in how they handle data: CurlyShell executes commands directly, while CurlCat facilitates data transfer over SSH.

This campaign underscores how adaptive threat actors exploit cross-platform virtualization to evade contemporary security infrastructure. The group's use of virtualization both exposes gaps in existing technology stacks and calls for stronger security controls around virtualized environments and more robust detection of VM-based threats.
