Virtual Walls: Curly COMrades Hides Attacks in Hyper-V VMs to Evade Detection
Threat actors affiliated with the group Curly COMrades have devised a method to conceal malicious activity from detection systems by leveraging Windows virtualization. Bitdefender’s investigation found that the attackers manually enable the Hyper-V role on compromised machines and spin up a lightweight Alpine Linux virtual machine to execute malicious code within an isolated enclave.
The VM created in this manner occupies only about 120 MB on disk and consumes a mere 256 MB of RAM. Within it, the adversaries deploy a reverse shell named CurlyShell and a proxy utility called CurlCat, enabling them to connect to the host and execute commands without interacting directly with the victim’s primary Windows environment. This tactic frustrates conventional detection tools that focus on native Windows processes.
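The footprint described above (Hyper-V role enabled on a workstation, a guest with roughly 256 MB of RAM and a ~120 MB disk) is something a defender can enumerate directly. The following PowerShell hunting script is an added example written for this article, not code from Bitdefender or from the threat actor; it assumes the built-in Hyper-V module cmdlets (Get-VM, Get-VMHardDiskDrive, Get-VHD, Get-VMNetworkAdapter) are available once the role is present, and the size thresholds are triage assumptions, not indicators from the report.

```powershell
# Added hunting script (not from the Bitdefender report): report whether the
# Hyper-V role is enabled on this host and list registered VMs whose footprint
# resembles the small Linux guest described in the article.
# Thresholds below are assumed triage values, not published IoCs.
#Requires -RunAsAdministrator

$MaxMemoryBytes = 512MB   # assumed: article describes a 256 MB guest
$MaxDiskBytes   = 1GB     # assumed: article describes ~120 MB on disk

# 1. Is the Hyper-V role present at all? On an endpoint that never needed
#    virtualization, an Enabled state is itself worth an explanation.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
Write-Host ("Hyper-V feature state: {0}" -f $feature.State)
if ($feature.State -ne 'Enabled') { return }

Import-Module Hyper-V -ErrorAction Stop

# 2. Enumerate every registered VM and measure its real on-host footprint.
$findings = foreach ($vm in Get-VM) {
    $diskBytes = 0
    foreach ($drive in Get-VMHardDiskDrive -VMName $vm.Name) {
        if ($drive.Path -and (Test-Path $drive.Path)) {
            $diskBytes += (Get-VHD -Path $drive.Path).FileSize
        }
    }
    [pscustomobject]@{
        Name         = $vm.Name
        State        = $vm.State
        Generation   = $vm.Generation
        CreationTime = $vm.CreationTime
        MemoryMB     = [math]::Round($vm.MemoryStartup / 1MB)
        DiskOnHostMB = [math]::Round($diskBytes / 1MB)
        # Small memory AND small disk together match the described enclave.
        Suspicious   = ($vm.MemoryStartup -le $MaxMemoryBytes) -and ($diskBytes -le $MaxDiskBytes)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 3. A flagged VM deserves the same scrutiny as an unknown process: which
#    virtual switch it sits on (and therefore how it reaches the host and the
#    network), and whether anyone on this machine actually needed it.
$findings | Where-Object Suspicious | ForEach-Object {
    Get-VMNetworkAdapter -VMName $_.Name |
        Select-Object VMName, SwitchName, MacAddress, IPAddresses
}
```

Run it elevated on a host under investigation. A VM flagged here is not proof of compromise on its own; treat it as a lead and confirm by checking who enabled the role, when the VM files were created, and whether the guest's outbound traffic (routed through the host's virtual switch) matches the HTTP beaconing pattern the article attributes to CurlyShell.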
Curly COMrades has been active since late 2023 and was previously linked to cyber operations against infrastructure in Georgia and Moldova. In August 2025, Bitdefender published an initial analysis describing the group’s techniques and toolset, including CurlCat for bidirectional data transfer, RuRat for remote access, Mimikatz for credential theft, and the modular .NET implant MucorAgent.
A follow-up investigation, conducted in cooperation with Georgia’s CERT, uncovered an updated arsenal. On infected Windows 10 hosts, analysts observed attempts to instantiate isolated virtual environments in which malicious activity continues unabated—an approach that preserves access even when core system components are updated or removed.
Among the tools observed are a PowerShell script for remote command execution and a previously undocumented Linux executable dubbed CurlyShell. This compact C++ program runs as a background daemon, establishing an encrypted channel to a command server, retrieving instructions via HTTP GET, and exfiltrating results with HTTP POST requests.
According to Bitdefender, CurlyShell and CurlCat share portions of their codebase but differ in how they handle received data: the former executes commands directly, while the latter proxies traffic over SSH, providing resilient and flexible communications. The adversaries further obfuscate their operations through proxies and tunnelling tools such as Resocks, Ligolo-ng, CCProxy, Stunnel, and others, striving to hide their traces and harden their foothold.