In collaboration with the Georgian CERT, researchers from Bitdefender have uncovered a new wave of cyber-espionage activity conducted by a Russian-aligned threat group known as Curly COMrades, which leverages Microsoft Hyper-V virtualization to establish stealthy, persistent access within compromised networks.
According to the report, “The most notable finding in this campaign is the exploitation of legitimate virtualization technologies, demonstrating how threat actors are innovating to bypass standard EDR solutions as they become commodity tools.”
This operation, which began in July 2025, targets organizations in Eastern Europe and the Caucasus region, and represents a major escalation in the use of virtualized malware environments to evade detection.
Bitdefender’s analysis revealed that Curly COMrades enabled the Hyper-V role on compromised Windows 10 hosts and deployed a lightweight Alpine Linux virtual machine that served as a covert command-and-control (C2) hub.
“The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat.”
This technique allowed the attackers to operate entirely within a virtualized enclave invisible to host-based endpoint detection and response (EDR) tools.
“By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections.”

The virtual machine was disguised under a deceptive name “WSL” — mimicking Windows Subsystem for Linux — to avoid suspicion from administrators. Bitdefender emphasized that despite this naming, “this VM is a fully isolated Hyper-V instance, entirely separate from and outside of the standard Windows Subsystem for Linux framework.”
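One way a responder could hunt for a guest like the one described above, as an added example that is not from the Bitdefender report or the Georgian CERT: it checks whether the Hyper-V role is enabled, then lists every registered VM and flags the attributes the article calls out (a name mimicking WSL, memory at or below 256 MB, a disk image of roughly 120 MB). The `^WSL` name pattern and the size thresholds are assumptions chosen to match the report's numbers, not indicators published by the page.

```powershell
# Added hunting script (not from the report). Run elevated on the Windows host;
# Get-VM and Get-VHD come from the Hyper-V PowerShell module, which is present
# once the role is enabled. Thresholds below are assumptions based on the article.

# 1. Is the Hyper-V role enabled? On a workstation that has no business hosting
#    VMs, an 'Enabled' state is itself worth a ticket.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V'
"Hyper-V role state: $($feature.State)"

if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
    "Hyper-V module not present; nothing to enumerate."
    return
}

# 2. Walk every registered VM and collect the attributes relevant to this campaign.
$findings = foreach ($vm in Get-VM) {
    $disks = Get-VMHardDiskDrive -VMName $vm.Name
    $diskBytes = ($disks | ForEach-Object {
        (Get-VHD -Path $_.Path -ErrorAction SilentlyContinue).FileSize
    } | Measure-Object -Sum).Sum

    $reasons = @()
    # WSL 2 distributions are not registered as Hyper-V VMs, so a VM named "WSL"
    # that shows up here is not WSL (assumed pattern, see lead-in).
    if ($vm.Name -match '^WSL') { $reasons += 'name mimics WSL' }
    # Footprint comparable to the 256 MB / 120 MB Alpine guest in the report.
    if ($vm.MemoryStartup -le 256MB) {
        $reasons += "small memory ($([int]($vm.MemoryStartup / 1MB)) MB)"
    }
    if ($diskBytes -gt 0 -and $diskBytes -le 200MB) {
        $reasons += "small disk ($([math]::Round($diskBytes / 1MB)) MB)"
    }

    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        Created    = $vm.CreationTime
        Config     = $vm.ConfigurationLocation
        Disks      = ($disks.Path -join ';')
        Suspicious = ($reasons -join '; ')
    }
}

# 3. Review: any row with a non-empty Suspicious column deserves a look at the
#    VHD contents and at the VM's network adapter / switch configuration.
$findings | Sort-Object Created | Format-Table -AutoSize
```

Pair the VM listing with a timeline check: the role-enablement event and the VM's creation time should line up with a sanctioned change, and a disk image under a few hundred megabytes that was created outside any change window is the pattern the report describes.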
Within the hidden VM, researchers found two custom malware families — CurlyShell and CurlCat — designed for persistence and remote control.
CurlyShell, the primary reverse shell implant, maintained continuous communication with attacker infrastructure through HTTPS, while CurlCat acted as a reverse proxy using SSH over HTTP encapsulation.
“CurlyShell provides a persistent reverse shell, while CurlCat manages traffic tunneling, giving the threat actor robust network access and the ability to execute commands remotely.”
Both tools were coded in C++ using the libcurl library and implemented a non-standard Base64 transformation to disguise network traffic.
“This custom character set is used by encoding and decoding methods… to perform a non-standard Base64 transformation. The purpose is to evade tools expecting the standard alphabet.”
In practice, CurlyShell’s function was to execute commands from the C2, while CurlCat relayed encrypted SSH data, enabling long-term persistence with minimal forensic footprint.
Beyond virtualization, the attackers also relied heavily on PowerShell scripts to maintain persistence and lateral movement.
Bitdefender analysts found a custom Kerberos Ticket Injector script named kb_upd.ps1, which could manipulate Kerberos tickets within the LSASS process for authenticated remote access:
“The threat actor’s customized tooling is nicely illustrated by a script… designed to load and inject a Kerberos ticket into LSASS, enabling authentication to remote systems and execution of commands.”
Another script, deployed via Group Policy, created or reset local user accounts to ensure long-term persistence — even if defenders changed passwords or removed users.
“Found at c:\Windows\ps1\screensaver.ps1, the script reset the password of the local account user, creating the account if it did not already exist — likely as a persistence mechanism.”
This persistence strategy reflects a layered approach that combines domain-level abuse with local account manipulation, making cleanup significantly harder for incident responders.
Bitdefender credits its breakthrough to a joint investigation with the Georgian CERT, which provided critical evidence from a compromised web server being used as a proxy for the attacker’s C2 infrastructure.
Their analysis revealed sophisticated iptables rules that redirected only specific victim traffic to attacker-controlled SSH services, while leaving all other web activity untouched.
Such precise network filtering, combined with the use of fake TLS certificates, enabled the attackers to maintain low-visibility, encrypted communications that blended seamlessly with normal HTTPS traffic.