Curly COMrades Hacker Group Using New Tools to Create Hidden Remote Access on Compromised Windows 10


A sophisticated threat actor known as Curly COMrades has deployed an innovative attack methodology that leverages legitimate Windows virtualization features to establish covert, long-term access to victim networks.

The campaign, which began in early July 2025, represents a significant evolution in adversary tactics as threat actors increasingly seek methods to bypass endpoint detection and response solutions that have become standard defensive tools.

The operation centers on the abuse of Hyper-V virtualization technology on compromised Windows 10 machines.

By enabling the Hyper-V role and deploying a minimalistic Alpine Linux-based virtual machine, the attackers created a hidden operational environment that hosts custom malware while evading traditional host-based security monitoring.

The virtual machine, requiring only 120MB of disk space and 256MB of memory, provides a dedicated platform for running two custom implants: CurlyShell, a persistent reverse shell, and CurlCat, a reverse proxy tool.

Bitdefender researchers identified this advanced campaign through collaboration with the Georgian CERT, which detected a malicious sample communicating with a compromised site under monitoring.


The joint investigation revealed that Curly COMrades, first documented in August 2025 as a threat actor supporting Russian interests in geopolitical hotbeds, has significantly enhanced its toolkit and operational sophistication.

The forensic analysis uncovered that attackers effectively isolated their malware execution environment within a virtual machine, bypassing many traditional security detections by routing malicious traffic through the host’s network stack, making it appear to originate from legitimate IP addresses.

The attack demonstrates meticulous operational planning and technical expertise. Threat actors established persistence through multiple mechanisms, including PowerShell scripts configured via Group Policy for local account creation and Kerberos ticket manipulation for lateral movement.

[Figure] Attack flow (Source – Bitdefender)

The deployment of various proxy and tunneling tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, and Stunnel further illustrates the group’s determination to maintain flexible access channels to compromised environments.

Virtual Machine Deployment and Persistence Mechanism

The deployment sequence begins with enabling the Hyper-V virtualization feature while deliberately disabling its management interface to reduce visibility. The attackers executed the following commands remotely:

```cmd
dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart
dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart
```

Following a brief interval, the threat actors initiated the payload delivery phase. A RAR archive disguised as a video file was downloaded and extracted to the deceptive directory `c:\programdata\microsoft\AppV\app`, a location designed to blend with legitimate Microsoft application virtualization files. The virtual machine files were then imported using PowerShell:

```cmd
powershell.exe -c import-vm -path "c:\programdata\microsoft\AppV\app\Virtual Machines\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId
powershell.exe -c Start-VM -name WSL
```

The VM naming convention “WSL” serves as a deception tactic, suggesting the use of Windows Subsystem for Linux, a commonly trusted developer tool that typically receives less security scrutiny. However, this is a fully isolated Hyper-V instance operating outside the standard WSL framework.
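As an added illustration, not code from the article or from Bitdefender, the following Python turns the host-side command sequence above into detection logic over process-creation command lines and correlates hits per host. The record format and the sample events are constructed assumptions; the command lines themselves are the ones quoted above plus benign noise.

```python
import re

# Constructed sample process-creation records (host + command line only).
# The first four mirror the commands quoted in the article; the rest are benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart"},
    {"host": "ws01", "cmd": "dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart"},
    {"host": "ws01", "cmd": 'powershell.exe -c import-vm -path "c:\\programdata\\microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId'},
    {"host": "ws01", "cmd": "powershell.exe -c Start-VM -name WSL"},
    {"host": "dev02", "cmd": "wsl.exe -d Ubuntu"},          # real WSL, not a Hyper-V VM
    {"host": "dev02", "cmd": "powershell.exe -c Get-VM"},   # routine admin activity
]

# Each rule names one step of the deployment sequence described in the article.
RULES = [
    # Hyper-V management clients removed while the role itself is enabled from the CLI.
    ("hyperv_mgmt_disabled", re.compile(r"dism\b.*disable-feature.*hyper-v-management-clients", re.I)),
    ("hyperv_enabled_cli", re.compile(r"dism\b.*\benable-feature.*featurename:microsoft-hyper-v(?:\s|$)", re.I)),
    # VM definition imported from a ProgramData path rather than a normal VM store.
    ("import_vm_from_programdata", re.compile(r"import-vm\b.*\\programdata\\.*\.vmcx", re.I)),
    # A Hyper-V VM (not WSL) started under the deceptive name "WSL".
    ("start_vm_named_wsl", re.compile(r"start-vm\b.*-name\s+['\"]?wsl\b", re.I)),
]


def match_rules(cmd: str) -> list[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def hunt(events: list[dict], min_rules: int = 2) -> dict[str, list[str]]:
    """Correlate rule hits per host.

    A host is alerted on when at least `min_rules` distinct steps of the sequence
    were seen, or when management clients were disabled at all (rare in benign use).
    """
    hits: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {
        host: sorted(names)
        for host, names in hits.items()
        if len(names) >= min_rules or "hyperv_mgmt_disabled" in names
    }


if __name__ == "__main__":
    for host, steps in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(steps)}")
```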

Persistence within the virtual machine operates through a root-level crontab entry that executes every four hours at 20 minutes past the hour.

The cron task runs `/bin/alpine_init`, which subsequently launches the CurlyShell implant located at `/bin/init_tools`.

This custom reverse shell maintains HTTPS communication with the command and control infrastructure, while CurlCat manages SSH reverse proxy tunneling on demand.

The VM configuration utilizes Hyper-V’s Default Switch network adaptor with Network Address Translation, ensuring all malicious outbound traffic appears to originate from the compromised host machine’s legitimate IP address, significantly complicating attribution and detection efforts.
