Mallory
Malware, used by 2 actors

CurlyShell

CurlyShell is a custom, previously undocumented ELF implant used by the Russia-aligned threat actor Curly COMrades and reported as overlapping with broader GRU/Sandworm-linked activity. It is a C++ malware family built around libcurl and deployed inside a lightweight Alpine Linux virtual machine that attackers hide on compromised Windows 10 systems by enabling Hyper-V and importing a small VM, often disguised as "WSL." Running inside the VM helps evade host-based EDR/XDR visibility while Hyper-V Default Switch/NAT makes outbound traffic appear to originate from the victim host IP.

Its primary function is to provide a persistent reverse shell. CurlyShell runs as a headless background daemon, closes standard file descriptors to suppress output, connects to command-and-control over HTTPS, and executes operator commands via a shell with a 30-second timeout, returning captured stdout/stderr. The malware uses a custom Base64 alphabet, generates a random Base64-encoded value as a PHP session cookie for C2 traffic, and expects the server to echo that value back as part of handshake validation. Reporting also states it allows the threat actor to run encrypted commands.

Persistence is implemented inside the Alpine VM through root's crontab. A root crontab entry runs /bin/alpine_init at 20 minutes past every fourth hour, and that script launches the CurlyShell binary with nohup, redirecting its output to /dev/null. In one documented case, CurlyShell was stored at /bin/init_tools inside the VM, with MD5 c6dbf3de8fd1fc9914fae7a24aa3c43d. Because the crontab entry, the launcher script and the binary all live on the VM's virtual disk rather than on the Windows host filesystem, host-based file scans will not encounter them; checking for them means exporting or mounting the imported VM image. CurlyShell has been described as enabling operational stealth and communication alongside the companion implant CurlCat, which can be launched on demand for SSH tunneling and reverse proxying.
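The persistence chain above (root crontab, /bin/alpine_init launcher, nohup to /dev/null, /bin/init_tools, known MD5) can be hunted offline once the VM disk is mounted or extracted. The script below is an added example, not tooling from Bitdefender, Mallory or the actor. It assumes the Alpine root filesystem is available under a directory and that busybox crond reads /etc/crontabs/root (the Alpine default; the second crontab path is a fallback for other layouts). The sample trees it builds are constructed here for demonstration; the placeholder binary will never match the real hash, so the hash indicator only fires on a genuine sample.

```shell
#!/bin/sh
# Added example (not Bitdefender's, Mallory's or the actor's code): offline hunt
# for the CurlyShell persistence chain on an exported Alpine VM root filesystem.
# Assumptions not taken from the page: the VM's virtual disk has been mounted or
# extracted under a directory, and busybox crond reads /etc/crontabs/root (the
# Alpine default); the second crontab path is a fallback for other layouts.

# Known-bad MD5 of the CurlyShell binary from the documented case (from the page).
CURLYSHELL_MD5="c6dbf3de8fd1fc9914fae7a24aa3c43d"

md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# hunt_curlyshell ROOT: prints one "HIT ..." line per indicator on stdout and
# returns 0 if anything matched, 1 if the tree looks clean.
hunt_curlyshell() {
    root="$1"
    hits=0

    # 1. Root crontab referencing the launcher script. The documented schedule,
    #    20 minutes past every fourth hour, corresponds to "20 */4 * * *".
    for cron in "$root/etc/crontabs/root" "$root/var/spool/cron/crontabs/root"; do
        [ -f "$cron" ] || continue
        line=$(grep -E '/bin/alpine_init' "$cron" | head -n 1)
        if [ -n "$line" ]; then
            echo "HIT crontab $cron: $line"
            hits=$((hits + 1))
        fi
    done

    # 2. Launcher script that backgrounds a binary with nohup and discards output.
    launcher="$root/bin/alpine_init"
    if [ -f "$launcher" ] && grep -qE 'nohup.*/dev/null' "$launcher"; then
        echo "HIT launcher $launcher: $(grep -E 'nohup' "$launcher" | head -n 1)"
        hits=$((hits + 1))
    fi

    # 3. Documented drop path, plus a hash check against the known-bad sample.
    implant="$root/bin/init_tools"
    if [ -f "$implant" ]; then
        sum=$(md5_of "$implant")
        echo "HIT path $implant (md5 $sum)"
        hits=$((hits + 1))
        if [ "$sum" = "$CURLYSHELL_MD5" ]; then
            echo "HIT hash $implant matches documented CurlyShell sample"
            hits=$((hits + 1))
        fi
    fi

    [ "$hits" -gt 0 ]
}

# make_sample_root DIR infected|clean: constructs a throwaway tree mimicking the
# documented layout (constructed sample data; the "binary" is a placeholder, so
# the hash indicator cannot fire on it).
make_sample_root() {
    dir="$1"
    mkdir -p "$dir/etc/crontabs" "$dir/bin"
    if [ "$2" = "infected" ]; then
        printf '20 */4 * * * /bin/alpine_init\n' > "$dir/etc/crontabs/root"
        printf '#!/bin/sh\nnohup /bin/init_tools >/dev/null 2>&1 &\n' > "$dir/bin/alpine_init"
        printf 'placeholder-not-the-real-elf\n' > "$dir/bin/init_tools"
    else
        printf '0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf\n' > "$dir/etc/crontabs/root"
    fi
}

# count_hits ROOT: number of HIT lines as a plain integer, for scripting.
count_hits() {
    hunt_curlyshell "$1" | grep -c '^HIT' || true
}

demo() {
    tmp=$(mktemp -d)
    make_sample_root "$tmp/infected" infected
    make_sample_root "$tmp/clean" clean
    echo "infected tree: $(count_hits "$tmp/infected") indicator(s)"
    hunt_curlyshell "$tmp/infected" || true
    echo "clean tree: $(count_hits "$tmp/clean") indicator(s)"
    rm -rf "$tmp"
}
demo
```

On a real image, point hunt_curlyshell at the mount point of the exported virtual disk; the crontab and launcher checks are deliberately loose (any reference to /bin/alpine_init, any nohup line discarding output) so that renamed or recompiled binaries with the same launch chain still surface, while the MD5 check stays exact.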

The malware has been associated with post-compromise persistence and covert access in intrusions affecting government and judicial bodies in Georgia and an energy distribution company in Moldova, and more broadly with campaigns targeting Western critical infrastructure, especially the energy sector, as well as telecommunications and technology organizations across North America, Europe, and the Middle East. Related tradecraft observed with the same actor includes Kerberos ticket injection into LSASS, Group Policy-delivered PowerShell for local account creation or password resets, and use of additional tunneling tools such as Ligolo-ng, Stunnel, Resocks, and SSH-based methods.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Curly COMrades

Inside the virtual environment, the threat actor hosted its custom tools, the CurlyShell reverse shell and the CurlCat reverse proxy, which enabled operational stealth and communication.

via BleepingComputer (bleepingcomputer.com)
Sandworm

Bitdefender’s reporting: Post-compromise host-based tradecraft (Hyper-V abuse for EDR evasion, custom implants CurlyShell/CurlCat)

via AWS Security Blog (aws.amazon.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Other

1 technique
T1562 Impair Defenses (evidence: 1)

Bitdefender’s reporting: Post-compromise host-based tradecraft (Hyper-V abuse for EDR evasion, custom implants CurlyShell/CurlCat)

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news.
