The threat actor known as Curly COMrades has been observed abusing virtualization technology as a way to bypass security solutions and execute custom malware.
According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.
“This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat,” security researcher Victor Vrabie, together with Adrian Schipor and Martin Zugec, said in a technical report. Because the guest's processes, files and shell sessions exist only inside the VM, a host-based EDR agent sees the Hyper-V worker process and the host-side network traffic, not CurlyShell itself.
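A quick way to hunt for this technique on a Windows 10 host is to check whether the Hyper-V role is enabled at all and then look for VMs whose footprint matches the one described above. The following PowerShell is an added example written for this page, not code from Bitdefender or from the report; the 256MB memory and 200MB disk thresholds are assumptions chosen to catch a VM of the size described, and it must be run elevated on a host with the Hyper-V module available.

```powershell
# Added hunting example (not from the Bitdefender report). Run elevated.
# Thresholds are assumptions: the report describes a ~120MB disk / 256MB RAM guest.
$maxMem  = 256MB
$maxDisk = 200MB

# 1. Is the Hyper-V role enabled? On a workstation with no business running VMs,
#    an 'Enabled' state is itself worth a ticket.
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
"Hyper-V role state: $($hv.State)"
if ($hv.State -ne 'Enabled') { return }

# 2. Enumerate every VM and flag the tiny ones. MemoryStartup is reported in bytes;
#    disk usage is taken from the on-disk size of each attached VHD/VHDX file.
Import-Module Hyper-V -ErrorAction Stop
foreach ($vm in Get-VM) {
    $diskBytes = 0
    foreach ($d in Get-VMHardDiskDrive -VMName $vm.Name) {
        if ($d.Path -and (Test-Path $d.Path)) {
            $diskBytes += (Get-Item $d.Path).Length
        }
    }

    # A guest hosting a reverse proxy needs network: record switch and guest IPs.
    $nics = Get-VMNetworkAdapter -VMName $vm.Name |
        ForEach-Object { "$($_.SwitchName)=$($_.IPAddresses -join ',')" }

    $suspicious = ($vm.MemoryStartup -le $maxMem) -and ($diskBytes -le $maxDisk)

    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        MemoryMB   = [int]($vm.MemoryStartup / 1MB)
        DiskMB     = [int]($diskBytes / 1MB)
        Network    = ($nics -join '; ')
        Suspicious = $suspicious
    }
}
```

Any VM flagged `Suspicious` on a host that should not be running Hyper-V deserves a look at its VHD path, creation time and the account that enabled the role; a legitimate developer VM will normally be far larger than the footprint described here.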

Curly COMrades was first documented by the Romanian cybersecurity vendor in August 2025 in connection with a series of attacks targeting Georgia and Moldova. The activity cluster is assessed to have been active since late 2023, operating with interests that are aligned with Russia.
These attacks were found to deploy tools like CurlCat for bidirectional data transfer, RuRat for persistent remote access, Mimikatz for credential harvesting, and a modular .NET implant dubbed MucorAgent, with early iterations dating back as far as November 2023.
In a follow-up analysis conducted in collaboration with Georgia CERT, additional tooling associated with the threat actor has been identified, alongside attempts to establish long-term access by weaponizing Hyper-V on compromised Windows 10 hosts to set up a hidden remote operating environment.

“By isolating the malware and its execution environment inside a VM, the attackers effectively bypassed many traditional host-based EDR detections,” the researchers said. “The threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing new tooling into the environment.”
Besides using Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods for proxying and tunneling, Curly COMrades has employed various other tools, including a PowerShell script designed for remote command execution and CurlyShell, a previously undocumented ELF binary deployed within the virtual machine that provides a persistent reverse shell.

Written in C++, the malware is executed as a headless background daemon that connects to a command-and-control (C2) server and launches a reverse shell, allowing the threat actors to run encrypted commands. Communication is achieved via HTTP GET requests to poll the server for new commands and HTTP POST requests to transmit the results of the command execution back to the server.
“Two custom malware families – CurlyShell and CurlCat – were at the center of this activity, sharing a largely identical code base but diverging in how they handled received data: CurlyShell executed commands directly, while CurlCat funneled traffic through SSH,” Bitdefender said. “These tools were deployed and operated to ensure flexible control and adaptability.”
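Because the guest's traffic still leaves the host through the Hyper-V virtual switch, the GET-poll / POST-result rhythm described above is visible in proxy or egress logs even when the endpoint agent sees nothing. The script below is an added example for this page, not code from the report: it parses constructed proxy log lines (the timestamps, client addresses, hostnames and paths are invented) and flags a client that issues evenly spaced GETs to one server and also POSTs to it. The three-poll minimum and 5-second jitter tolerance are assumptions to tune against real traffic.

```powershell
# Added detection example (not from the Bitdefender report).
# Constructed log lines: time, client, method, server, path. All values are invented.
$log = @'
2025-10-01T10:00:00Z 10.0.0.25 GET  updates.example-cdn.test /api/v1/poll
2025-10-01T10:00:30Z 10.0.0.25 GET  updates.example-cdn.test /api/v1/poll
2025-10-01T10:01:00Z 10.0.0.25 GET  updates.example-cdn.test /api/v1/poll
2025-10-01T10:01:02Z 10.0.0.25 POST updates.example-cdn.test /api/v1/result
2025-10-01T10:01:30Z 10.0.0.25 GET  updates.example-cdn.test /api/v1/poll
2025-10-01T10:00:05Z 10.0.0.31 GET  www.example.test /index.html
2025-10-01T10:07:12Z 10.0.0.31 GET  www.example.test /news
2025-10-01T10:09:40Z 10.0.0.31 GET  www.example.test /about
'@

$minPolls  = 3   # assumption: fewer GETs than this is not a pattern yet
$maxJitter = 5   # assumption: seconds of spread tolerated between poll intervals

# Parse each line into an object; skip blank lines.
$entries = $log -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    [pscustomobject]@{
        Time   = [datetimeoffset]::Parse($f[0]).UtcDateTime
        Client = $f[1]
        Method = $f[2]
        Server = $f[3]
        Path   = $f[4]
    }
}

# One verdict per (client, server) pair.
$entries | Group-Object Client, Server | ForEach-Object {
    $gets  = @($_.Group | Where-Object Method -eq 'GET'  | Sort-Object Time)
    $posts = @($_.Group | Where-Object Method -eq 'POST')
    if ($gets.Count -lt $minPolls) { return }

    # Seconds between consecutive GETs; a fixed poll timer gives near-identical gaps.
    $gaps = for ($i = 1; $i -lt $gets.Count; $i++) {
        ($gets[$i].Time - $gets[$i - 1].Time).TotalSeconds
    }
    $stats   = $gaps | Measure-Object -Minimum -Maximum -Average
    $regular = ($stats.Maximum - $stats.Minimum) -le $maxJitter

    [pscustomobject]@{
        Client     = $gets[0].Client
        Server     = $gets[0].Server
        Polls      = $gets.Count
        MeanGapSec = [math]::Round($stats.Average, 1)
        Posts      = $posts.Count
        BeaconLike = $regular -and ($posts.Count -gt 0)
    }
}
```

With the constructed input, 10.0.0.25 is reported with three 30-second gaps and one POST (`BeaconLike` true), while 10.0.0.31 has irregular gaps and no POST. On real logs, pivot from a flagged client to the Hyper-V host behind it: the source address may belong to the guest rather than to any process the EDR can name.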

