The Russian-linked threat group Curly COMrades has been observed leveraging Microsoft's Hyper-V hypervisor on compromised Windows systems to deploy a concealed Alpine Linux-based virtual machine. This hidden VM, occupying only 120MB of disk space and 256MB of memory, is used to host custom malware tools including the CurlyShell reverse shell and the CurlCat reverse proxy, enabling the attackers to bypass traditional endpoint detection and response (EDR) solutions. By isolating their malicious operations within the VM, the group effectively evades host-based security monitoring, allowing for persistent network access and covert command execution.
Bitdefender, in collaboration with the Georgian Computer Emergency Response Team (CERT), uncovered this campaign, which began in July after Curly COMrades gained remote access to victim machines and enabled Hyper-V while disabling its management interface. The group has previously targeted government and judicial bodies in Georgia and energy firms in Moldova, with this latest operation further demonstrating their use of legitimate virtualization technologies to facilitate espionage and maintain operational stealth. The VM's network traffic is routed through the host's stack using Hyper-V's internal networking, further complicating detection by standard security tools.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Following its investigation, Bitdefender released indicators of compromise and recommended monitoring for unusual Hyper-V activation, LSASS access, and suspicious GPO-delivered PowerShell activity. The guidance aimed to help defenders detect the VM-based tradecraft and related persistence mechanisms.
Bitdefender, working with the Georgian CERT, investigated the incidents and attributed the stealthy Hyper-V abuse to Curly COMrades. Their analysis detailed the malware, persistence methods, and VM-based evasion approach used in the espionage operation.
Inside the hidden Linux VM, the attackers ran the custom ELF implants CurlyShell and CurlCat to provide command execution, persistence, and covert tunneling or reverse-proxy access over HTTPS/SSH. The operation also used PowerShell-based persistence, Kerberos ticket injection into LSASS, and Group Policy to create local accounts across domains.
In the observed campaign, Curly COMrades enabled Hyper-V, disabled its management interface, and created a concealed Alpine Linux VM disguised as "WSL" on infected Windows machines. The VM used Hyper-V's Default Switch so malicious traffic blended with normal host network activity and evaded host-based EDR visibility.
The group compromised judicial and government bodies in Georgia as well as an energy company in Moldova. These intrusions formed the victim set later analyzed by Bitdefender and the Georgian CERT.
Bitdefender assessed Curly COMrades as a Russia-aligned espionage group active since mid-2024. Other reporting indicates the Hyper-V-focused targeting of Windows systems was observed from July 2025, showing the campaign was already underway before public disclosure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcesecurityonline.info
Open sourcesecurityaffairs.com
Open sourcescworld.com
Open sourcetherecord.media
Open sourcecsoonline.com
Open sourcetheregister.com
Open sourcego.theregister.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.