Bitdefender and Georgian CERT uncovered a sophisticated cyber-espionage campaign by the Russian-aligned group Curly COMrades, using Microsoft Hyper-V virtualization to evade detection. They deployed stealthy virtual machines hosting custom malware families like CurlyShell and CurlCat to establish persistent, covert access to targeted networks in Eastern Europe and the Caucasus. #CurlyCOMrades #HyperV #CyberEspionage
Key points
- The campaign targets organizations in Eastern Europe and the Caucasus, starting in July 2025.
- They abuse Hyper-V virtualization (the legitimate Windows feature, not a vulnerability in it) to run covert virtual machines for malicious purposes.
- The attackers use lightweight Alpine Linux VMs named “WSL” to hide their command-and-control infrastructure.
- Custom malware CurlyShell and CurlCat facilitate remote control and network tunneling within these virtual environments.
- Advanced persistence techniques include PowerShell scripts manipulating Kerberos tickets and local user accounts.
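The following triage script is an added example written for this summary; it is not code from the Bitdefender or Georgian CERT report. It shows the defender-side check the points above imply: confirm whether the Hyper-V feature is enabled on a host that has no business running VMs, enumerate the VMs registered with the Hyper-V management service, and flag any whose name matches the "WSL" name the report attributes to this campaign. The `$suspectNames` list is a placeholder seeded only with that reported name; the rest uses the standard `Get-WindowsOptionalFeature` and `Get-VM` cmdlets and assumes an elevated session on a Windows host.

```powershell
# Added example, not from the original report: triage a Windows host for the
# Hyper-V VM abuse described above. Run elevated; Get-VM needs the Hyper-V
# PowerShell module, which is present where the Hyper-V role is installed.

# 1. Is the Hyper-V feature enabled at all? On an ordinary workstation this
#    alone is worth a ticket, because the attackers rely on it being available.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
if ($feature) {
    Write-Output ("Hyper-V feature state: {0}" -f $feature.State)
} else {
    Write-Output "Could not query the Microsoft-Hyper-V feature (not a Windows host, or insufficient rights)."
}

# 2. Enumerate VMs registered with the Hyper-V management service (VMMS).
#    Placeholder list: 'WSL' is the VM name the report attributes to the
#    campaign; extend it from your own threat intelligence.
$suspectNames = @('WSL')

try {
    $vms = Get-VM -ErrorAction Stop
} catch {
    Write-Output "Get-VM unavailable on this host (Hyper-V role/module missing): $($_.Exception.Message)"
    return
}

if (-not $vms) {
    Write-Output "No Hyper-V VMs are registered on this host."
    return
}

# 3. Report every VM; a name match gets a flag. Genuine WSL 2 distributions are
#    not registered with VMMS and therefore never appear in Get-VM output, so a
#    VMMS-managed VM literally named "WSL" is suspicious in itself.
$vms | ForEach-Object {
    [PSCustomObject]@{
        Name         = $_.Name
        State        = $_.State
        Generation   = $_.Generation
        CreationTime = $_.CreationTime
        Path         = $_.Path
        Flag         = if ($suspectNames -contains $_.Name) { 'NAME MATCH: review immediately' } else { '' }
    }
} | Format-Table -AutoSize
```

Treat the output as a starting point for triage rather than a verdict: an unexpected VM of any name on a non-virtualization host deserves a look at its disk path and creation time, and the script deliberately reads state only and changes nothing on the host.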