Researchers: Russian-linked group used Hyper-V to hide Alpine VM and bypass endpoint security

Security researchers from Bitdefender, working with the Georgian Computer Emergency Response Team, reported that a group tracked as Curly COMrades used Microsoft Hyper-V on compromised Windows hosts to run a hidden Alpine Linux virtual machine, so that its malware executed inside the guest, outside the view of host-based endpoint detection and response tooling. Bitdefender senior security researcher Victor Vrabie said the environment was designed to evade host-based protections.

The lightweight virtual machine consumed about 120MB of disk space and 256MB of memory and hosted two custom implants. Bitdefender said the implants, CurlyShell and CurlCat, are written largely in C++ and use the libcurl library; the company has been tracking Curly COMrades since 2024 and documented earlier attacks against Georgian judicial and government bodies and an energy firm in Moldova.

According to Bitdefender's analysis, the attackers remotely enabled the Microsoft-Hyper-V optional feature (the name used by DISM and PowerShell) on two machines and disabled the management interface before downloading the Alpine image. They attached the VM to Hyper-V's Default Switch, which is a NAT switch, so the guest's outbound traffic left through the host network stack and malicious connections appeared on the network to originate from the legitimate host's IP address.
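The tradecraft above leaves a footprint on the host even when the guest itself is invisible to the EDR agent. The following PowerShell triage script is an added example written for this article, not Bitdefender's tooling or the indicators it published: run elevated on a Windows host, it reports whether the Hyper-V feature and VM management service are present, enumerates VMs with their memory size, switch binding and disk location, and pulls the recent VM-management event log. The 30-day lookback, the "small Linux guest on a workstation" heuristic and treating any VM on a machine that should host none as suspicious are assumptions of the example; on Windows Server, replace Get-WindowsOptionalFeature with Get-WindowsFeature Hyper-V.

```powershell
# Added hunting example (not Bitdefender's code). Run elevated on the host.
# Thresholds and the "workstation should have no VMs" assumption are illustrative.

$report = [ordered]@{}

# 1. Is the Hyper-V optional feature enabled? (Client SKUs; Server: Get-WindowsFeature Hyper-V)
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$report.HyperVFeature = if ($feature) { [string]$feature.State } else { 'NotPresent' }

# 2. Is the Virtual Machine Management Service installed and running?
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
$report.VmmsStatus = if ($vmms) { [string]$vmms.Status } else { 'NotInstalled' }

# 3. When was the feature turned on? CBS.log records component servicing
#    (rotates, so an empty result is not proof of absence).
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
$report.FeatureEnableLogLines = @()
if (Test-Path $cbs) {
    $report.FeatureEnableLogLines = Select-String -Path $cbs -Pattern 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue |
        Select-Object -Last 10 | ForEach-Object { $_.Line }
}

# 4. Enumerate VMs. The signal is a small Linux guest (Gen 2, a few hundred MB of RAM)
#    bound to 'Default Switch' (NAT through the host) on a machine that should host nothing.
$report.VMs = @()
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $defaultVhdPath = (Get-VMHost).VirtualHardDiskPath
    $report.VMs = Get-VM | ForEach-Object {
        $vm    = $_
        $nics  = Get-VMNetworkAdapter -VMName $vm.Name
        $disks = Get-VMHardDiskDrive -VMName $vm.Name
        $offStore = @($disks | Where-Object { $_.Path -and -not $_.Path.StartsWith($defaultVhdPath, 'OrdinalIgnoreCase') })
        [pscustomobject]@{
            Name            = $vm.Name
            State           = [string]$vm.State
            Generation      = $vm.Generation
            MemoryMB        = [int]($vm.MemoryStartup / 1MB)
            Switches        = ($nics.SwitchName -join ',')
            OnDefaultSwitch = ($nics.SwitchName -contains 'Default Switch')
            DiskPaths       = ($disks.Path -join ';')
            DiskOutsideStore= ($offStore.Count -gt 0)
            Created         = $vm.CreationTime
            # Heuristic (assumption): tiny guest + NAT switch matches the pattern in the report.
            Suspicious      = (($vm.MemoryStartup -le 512MB) -and ($nics.SwitchName -contains 'Default Switch'))
        }
    }
}

# 5. Recent VM management events (VM create/start/config changes land here).
$report.RecentVmmsEvents = Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n='Message'; e={ ($_.Message -split "`n")[0] } }

# 6. Anything in the guest egresses with the host's IP, so host-side connection
#    telemetry still sees it; note vmwp.exe (the VM worker) as the owning process.
$report.VmWorkerProcesses = Get-Process -Name vmwp -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime

[pscustomobject]$report | Format-List
```

Read the output top-down: a feature state of Enabled plus a running vmms on a host with no business need for virtualization is the first question to answer, before looking at any individual VM. Because the Default Switch NATs guest traffic through the host, network logs will attribute the VM's C2 connections to the host IP and, on the host, to the vmwp.exe worker process rather than to any malware binary, which is the blind spot the attackers were exploiting.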

CurlyShell provided a reverse shell and used a cron job for root-level persistence, connecting to command-and-control servers over HTTPS, while CurlCat managed an SSH reverse proxy tunnel and wrapped SSH traffic in standard HTTP payloads to blend with normal web traffic, Bitdefender reported. In the observed campaign, the operators used a Georgian website for command and control.

Researchers also found two types of PowerShell scripts associated with the operation: one that injects a Kerberos ticket into LSASS (a pass-the-ticket technique) to enable remote authentication and command execution, and another deployed via Group Policy that creates a local account on domain-joined machines for persistent access. Bitdefender said the campaign began in July but has not publicly identified victims.
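Both scripts leave artifacts a defender can look for on a domain-joined host without the EDR having seen the guest. The PowerShell below is an added hunting example for this article, not Bitdefender's code or its published indicators: it pulls Security event 4720 ("A user account was created") and flags accounts created by the machine account, which is what a Group Policy startup script running as SYSTEM looks like; lists the remaining non-built-in local accounts and the local Administrators membership; locates the GPO script copies cached on the host; and compares the Kerberos tickets cached for the current session against the logged-on user. The 30-day lookback and the built-in account list are assumptions; the klist parsing is a best-effort check for tickets whose client principal is not the current user, one indicator of an injected ticket.

```powershell
# Added hunting example (not Bitdefender's code). Run elevated on a domain-joined host.
# Lookback window and built-in account list are assumptions for illustration.

$since = (Get-Date).AddDays(-30)

# --- 1. Local accounts created by a script running as SYSTEM (GPO startup context) ---
# In 4720, SubjectUserName is whoever created the account; a machine account
# (name ending in '$') means SYSTEM, which is how GPO machine scripts execute.
$created = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time             = $_.TimeCreated
            NewAccount       = $d.TargetUserName
            NewAccountDomain = $d.TargetDomainName
            CreatedBy        = $d.SubjectUserName
            CreatedBySystem  = [bool]($d.SubjectUserName -and $d.SubjectUserName.EndsWith('$'))
        }
    }

# --- 2. Current non-built-in local accounts and who sits in local Administrators ---
$builtin = 'Administrator','Guest','DefaultAccount','WDAGUtilityAccount'
$localUsers = Get-LocalUser | Where-Object { $_.Name -notin $builtin } |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, PrincipalSource

# --- 3. GPO scripts cached on this host (domain GPO history plus local GPO) ---
$gpoScriptDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Group Policy\History'),
    (Join-Path $env:windir 'System32\GroupPolicy\Machine\Scripts')
)
$gpoScripts = foreach ($dir in $gpoScriptDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Include '*.ps1','*.bat','*.cmd','scripts.ini' -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime, Length
    }
}

# --- 4. Kerberos tickets in the current logon session vs. the logged-on user ---
# klist prints "Client: <user> @ <REALM>" per ticket; a client principal that is
# not the current user suggests a ticket injected into this session (pass-the-ticket).
$me = $env:USERNAME
$ticketClients = @()
$klistOut = & klist 2>$null
if ($klistOut) {
    $ticketClients = $klistOut | Where-Object { $_ -match '^\s*Client:\s*(\S+)\s*@' } |
        ForEach-Object { $Matches[1] } | Sort-Object -Unique
}
$foreignTickets = @($ticketClients | Where-Object { $_ -ne $me })

[pscustomobject]@{
    AccountsCreatedBySystem = @($created | Where-Object CreatedBySystem)
    AllAccountCreations     = $created
    NonBuiltInLocalUsers    = $localUsers
    LocalAdministrators     = $localAdmins
    CachedGpoScripts        = $gpoScripts
    TicketClientPrincipals  = $ticketClients
    TicketsNotForCurrentUser= $foreignTickets
} | Format-List
```

A 4720 whose subject is the computer account is not malicious on its own (legitimate provisioning scripts do the same), so correlate it with the cached GPO scripts: a startup script that calls New-LocalUser or net user /add and adds the account to Administrators is the pattern to confirm or rule out. The ticket check only covers the session running the script; the authoritative view of pass-the-ticket activity is on the domain controllers, where 4768/4769 events show ticket requests per account and source host.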

Bitdefender urged defenders to adopt layered, defense-in-depth strategies rather than relying solely on endpoint detections, and published a list of indicators of compromise on its public repository to aid investigation and remediation. The company noted it attributes the group’s activity to interests aligned with Russian geopolitical objectives but has not explicitly tied the group to the Russian government.