- Curly COMrades deployed Alpine Linux virtual machines on Windows hosts to hide reverse shell malware activity
- VM traffic left through the host's own IP address via Hyper-V's NAT "Default Switch", bypassing host-based EDR and hiding outbound communications
- Targets included Georgian and Moldovan institutions; operations align with Russian geopolitical interests
A Russia-aligned hacking group known as Curly COMrades has been observed hiding its malware inside Linux-based virtual machines (VMs) deployed on Windows devices, security researchers have warned.
After analyzing the group's latest activity together with the Georgian Computer Emergency Response Team (CERT), Bitdefender researchers found that in July 2025 Curly COMrades ran remote commands on victim machines to enable the Microsoft-Hyper-V virtualization feature while disabling its management interface.
They then used Hyper-V to deploy a lightweight Alpine Linux-based virtual machine containing several malware implants.
Russia-aligned attackers
The implants deployed in this campaign, CurlyShell and CurlCat, both provide a reverse shell. The attackers also deployed PowerShell scripts that gave them remote authentication and arbitrary command execution on the compromised hosts.
To hide the activity in plain sight, they attached the VM's network adapter to Hyper-V's built-in "Default Switch". That switch is a NAT network internal to the host, so every packet the VM sent passed through the host's own network stack and left with the host's source IP address.
“Indeed, all malicious outgoing communications appear to originate from the legitimate IP address of the host machine,” the researchers explained. “By isolating the malware and its execution environment within a VM, attackers effectively circumvented many traditional host-based EDR detections.”
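The three artefacts the technique leaves on the Windows host (Hyper-V enabled without its management tools, running VM worker processes, and a VM whose virtual NIC sits on the NAT "Default Switch") can be hunted for from the host itself. The script below is an added example written for this page; it is not Bitdefender's tooling or anything from the campaign. It assumes the Hyper-V WMI provider in the root\virtualization\v2 namespace is present whenever the platform is installed, that the NAT switch is named literally "Default Switch" (its default name on Windows 10/11), and, for the WMI fallback, that a port allocation's InstanceID begins with "Microsoft:<VM GUID>\"; that last mapping is an assumption and is labeled in the code.

```powershell
# Added hunting script (not from Bitdefender's report or the attackers' tooling).
# Looks for the hidden-VM pattern described above. Run from an elevated PowerShell
# on the Windows host being examined; it only reads state and changes nothing.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Optional-feature state: Hyper-V platform enabled while the management
#    clients (Hyper-V Manager) are disabled is the combination the report describes.
$state = @{}
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'Microsoft-Hyper-V*' |
    ForEach-Object { $state[$_.FeatureName] = $_.State }
if ($state['Microsoft-Hyper-V'] -eq 'Enabled' -and
    $state['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled') {
    $findings.Add('Hyper-V platform enabled but Hyper-V Management-Clients are not')
}

# 2. Every running VM has a vmwp.exe worker process, whether or not Hyper-V Manager exists.
foreach ($w in (Get-Process -Name vmwp -ErrorAction SilentlyContinue)) {
    $findings.Add("VM worker process vmwp.exe PID $($w.Id) started $($w.StartTime)")
}

# 3. VM inventory and switch attachment.
if (Get-Command Get-VMNetworkAdapter -ErrorAction SilentlyContinue) {
    # Hyper-V PowerShell module present: query it directly.
    foreach ($nic in (Get-VMNetworkAdapter -VMName *)) {
        if ($nic.SwitchName -eq 'Default Switch') {
            $findings.Add("VM '$($nic.VMName)' NIC on NAT 'Default Switch': egress uses the host IP")
        }
    }
} else {
    # Module absent (management tools removed): fall back to the Hyper-V WMI provider.
    $ns = 'root\virtualization\v2'
    $switches = @{}   # switch GUID -> display name
    Get-CimInstance -Namespace $ns -ClassName Msvm_VirtualEthernetSwitch -ErrorAction SilentlyContinue |
        ForEach-Object { $switches[$_.Name] = $_.ElementName }
    $vms = @{}        # VM GUID -> display name
    Get-CimInstance -Namespace $ns -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object Caption -eq 'Virtual Machine' |
        ForEach-Object { $vms[$_.Name] = $_.ElementName }
    foreach ($vm in $vms.GetEnumerator()) {
        $findings.Add("VM present: '$($vm.Value)' ($($vm.Key))")
    }
    # ASSUMPTION: a port allocation's InstanceID starts with 'Microsoft:<VM GUID>\'.
    Get-CimInstance -Namespace $ns -ClassName Msvm_EthernetPortAllocationSettingData -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vmGuid = $_.InstanceID -replace '^Microsoft:([0-9A-Fa-f-]{36}).*$', '$1'
            foreach ($res in @($_.HostResource)) {
                foreach ($sw in $switches.GetEnumerator()) {
                    if ($sw.Value -eq 'Default Switch' -and $res -like "*$($sw.Key)*") {
                        $findings.Add("VM '$($vms[$vmGuid])' NIC on NAT 'Default Switch': egress uses the host IP")
                    }
                }
            }
        }
}

# 4. Disk images: a freshly dropped Alpine VM means a recent, small .vhd/.vhdx somewhere on disk.
Get-ChildItem -Path 'C:\' -Include '*.vhd', '*.vhdx', '*.avhdx' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object CreationTime -gt (Get-Date).AddDays(-30) |
    ForEach-Object {
        $mb = [math]::Round($_.Length / 1MB)
        $findings.Add("Recent VM disk: $($_.FullName) ($mb MB, created $($_.CreationTime))")
    }

if ($findings.Count -eq 0) { 'No hidden-VM indicators found.' } else { $findings }
```

The feature check is the cheapest signal to fleet-wide: a workstation with Microsoft-Hyper-V enabled and Microsoft-Hyper-V-Management-Clients disabled is rare outside deliberate administration. The disk walk of C:\ is slow on large volumes; narrow the path once you know where your own images normally live. Because the VM's traffic is NATed through the host, network telemetry alone will attribute the beacons to the host, so the host-side artefacts above are what distinguish this case.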
The Curly COMrades were first spotted in 2024 and, although their activities correspond to the interests of the Russian Federation, no direct link has been found. In August 2025, Bitdefender reported that its victims included government and judicial organizations from Georgia, as well as energy companies from Moldova. The victims of this incident have not been named.
Bitdefender emphasized that there is no significant overlap with known Russian APT groups, but that Curly COMrades’ operations “align with the geopolitical objectives of the Russian Federation.”
Since Russia’s attention turned to Ukraine in 2014 with the annexation of Crimea, other countries on its periphery have received less attention. Georgia, however, is in a situation similar to Ukraine’s: two of its regions, South Ossetia and Abkhazia, declared independence with the help of the Russian army. It would therefore make sense for Russian cyber spies to keep an eye on neighboring countries and their diplomatic efforts.
Via The Register