The cybersecurity landscape is currently facing a significant threat from a group known as Curly COMrades. This adversary has been actively exploiting virtualization technologies, specifically targeting Windows Hyper-V, to evade endpoint detection and response (EDR) systems. A newly released report from Bitdefender highlights this malicious activity.
Overview of the Attack
Curly COMrades has made headlines for their innovative approach to malware deployment. They leverage Hyper-V on compromised systems to create a minimalistic virtual machine running Alpine Linux. This light environment, requiring only 120MB disk space and 256MB memory, hosts their custom malware tools: CurlyShell and CurlCat.
Background and Timeline
This group first emerged in August 2025, aiming their attacks primarily at Georgia and Moldova. Their operations date back to late 2023 and are believed to align with Russian interests. Early iterations of the tools they use can be traced back to November 2023.
Malware Functionality and Tools
Curly COMrades has developed several tools to facilitate their operations:
- CurlyShell: A persistent reverse shell managed from the virtual machine.
- CurlCat: A reverse proxy for bidirectional data transfer.
- RuRat: Malware for persistent remote access.
- Mimikatz: A tool used for credential harvesting.
- MucorAgent: A modular .NET implant.
These tools allow attackers to maintain a robust operational environment by introducing new techniques for communication and control. The use of Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH methods enhances their proxy and tunneling capabilities.
Bypassing Detection Mechanisms
By executing their malware in a virtual machine, Curly COMrades effectively eludes many traditional host-based EDR detections. The hidden nature of this setup allows them to establish a long-term foothold in targeted networks.
Communication Methodology
CurlyShell, developed in C++, functions as a headless daemon connecting to a command-and-control (C2) server. It employs HTTP GET and POST requests to receive and return command execution data.
Implications for Cybersecurity
The operations of Curly COMrades underscore the importance of robust cybersecurity measures. Organizations must remain vigilant against such advanced tactics that exploit virtualization technologies for malicious purposes.
As the threat landscape continues to evolve, understanding these dynamics will be critical for developing stronger defenses against sophisticated attacks.
