A sophisticated threat actor known as Curly COMrades has deployed a novel attack methodology that leverages legitimate Windows virtualization features to establish covert, long-term access to victim networks.
The campaign, which began in early July 2025, represents a significant evolution in adversary tactics as threat actors increasingly seek methods to bypass endpoint detection and response solutions that have become standard defensive tools.
The operation centers on the abuse of Hyper-V virtualization technology on compromised Windows 10 machines.
By enabling the Hyper-V role and deploying a minimalistic Alpine Linux-based virtual machine, the attackers created a hidden operational environment that hosts custom malware while evading traditional host-based security monitoring.
The virtual machine, requiring only 120MB of disk space and 256MB of memory, provides a dedicated platform for running two custom implants: CurlyShell, a persistent reverse shell, and CurlCat, a reverse proxy tool.
Bitdefender researchers identified this advanced campaign through collaboration with the Georgian CERT, which detected a malicious sample communicating with a compromised website under monitoring.
The joint investigation revealed that Curly COMrades, first documented in August 2025 as a threat actor supporting Russian interests in geopolitical hotbeds, has significantly enhanced its toolkit and operational sophistication.
The forensic analysis uncovered that the attackers effectively isolated their malware execution environment within a virtual machine, bypassing many traditional security detections by routing malicious traffic through the host's network stack, making it appear to originate from legitimate IP addresses.
The attack demonstrates meticulous operational planning and technical expertise. The threat actors established persistence through multiple mechanisms, including PowerShell scripts configured via Group Policy for local account creation and Kerberos ticket manipulation for lateral movement.
Attack flow (Source – Bitdefender)
The deployment of various proxy and tunneling tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, and Stunnel further illustrates the group's determination to maintain flexible access channels into compromised environments.
Virtual Machine Deployment and Persistence Mechanism
The deployment sequence begins with enabling the Hyper-V virtualization feature while deliberately disabling its management interface to reduce visibility. The attackers executed the following commands remotely:

```
dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart
dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart
```
Following a brief interval, the threat actors initiated the payload delivery phase. A RAR archive disguised as a video file was downloaded and extracted to the deceptive directory `c:\programdata\microsoft\AppV\app`, a location chosen to blend in with legitimate Microsoft Application Virtualization files. The virtual machine files were then imported and started using PowerShell:

```
powershell.exe -c import-vm -path "c:\programdata\microsoft\AppV\app\Virtual Machines\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId
powershell.exe -c Start-VM -name WSL
```
The VM name "WSL" serves as a deception tactic, suggesting the use of Windows Subsystem for Linux, a commonly trusted developer tool that typically receives less security scrutiny. However, this is a fully isolated Hyper-V instance running outside the standard WSL framework.
Persistence within the virtual machine operates through a root-level crontab entry that executes every 4 hours at 20 minutes past the hour.
The cron task runs `/bin/alpine_init`, which in turn launches the CurlyShell implant located at `/bin/init_tools`.
This custom reverse shell maintains HTTPS communication with the command and control infrastructure, while CurlCat manages SSH reverse proxy tunneling on demand.
The VM configuration uses Hyper-V's Default Switch network adapter with Network Address Translation, ensuring that all malicious outbound traffic appears to originate from the compromised host machine's legitimate IP address, significantly complicating attribution and detection efforts.
