Alleged Russia-linked Curly COMrades exploit Windows Hyper-V to evade EDRs

Pierluigi Paganini November 06, 2025

Curly COMrades threat actors exploit Windows Hyper-V to hide Linux VMs, evade EDR tools, and deploy custom malware undetected.

Bitdefender researchers, aided by Georgia’s CERT, uncovered that Curly COMrades, a group linked to Russian interests, abused Windows Hyper-V to gain covert, long-term access to victims. The threat actors created hidden Alpine Linux VMs (120 MB disk, 256 MB memory) hosting custom tools such as CurlyShell and CurlCat to evade EDRs. The joint investigation revealed advanced misuse of virtualization and traced the group’s operations through compromised proxy sites.

“The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat.” reads the report published by Bitdefender. “By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections.” 
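A host-side triage script for the pattern described above, added here as an example rather than taken from the Bitdefender report: it checks whether the Hyper-V role is enabled and lists every guest with its memory and on-disk footprint, flagging guests as small as the reported Alpine VM. The thresholds are assumptions derived from the article’s figures and should be tuned per environment.

```powershell
# Added triage example (not from the Bitdefender report). Run elevated on a host
# where the Hyper-V role is unexpected or where a tiny Linux guest is suspected.
# Thresholds are assumptions based on the article's 256 MB RAM / 120 MB disk figures.
param(
    [long]$MaxMemoryBytes = 256MB,   # PowerShell numeric suffix: 256MB = 268435456 bytes
    [long]$MaxDiskBytes   = 512MB    # generous cap; the reported image was roughly 120 MB
)

# 1. Is the Hyper-V role enabled at all? Unexpected enablement on a workstation or on
#    a server that should not host guests is itself a lead worth following.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($feature) {
    Write-Output ("Hyper-V feature state: {0}" -f $feature.State)
}

if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
    Write-Output "Hyper-V PowerShell module not present; no guests to enumerate."
    return
}

# 2. Enumerate every guest and sum the file size of its attached VHD/VHDX images.
$findings = foreach ($vm in Get-VM) {
    $diskBytes = 0
    foreach ($hdd in Get-VMHardDiskDrive -VMName $vm.Name) {
        $vhd = Get-VHD -Path $hdd.Path -ErrorAction SilentlyContinue
        if ($vhd) { $diskBytes += $vhd.FileSize }
    }
    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        MemoryMB   = [math]::Round($vm.MemoryStartup / 1MB)
        DiskMB     = [math]::Round($diskBytes / 1MB)
        Created    = $vm.CreationTime
        Suspicious = ($vm.MemoryStartup -le $MaxMemoryBytes -and $diskBytes -le $MaxDiskBytes)
    }
}

# 3. Report, smallest-footprint guests first, so a 256 MB / 120 MB Linux VM stands out.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Output ("REVIEW: VM '{0}' ({1} MB RAM, {2} MB on disk) matches the minimal-guest profile" -f $_.Name, $_.MemoryMB, $_.DiskMB)
}
```

A flagged guest is a starting point for review, not proof of compromise; pair the listing with the Kerberos and LSASS monitoring the article recommends further down.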


According to the researchers, Curly COMrades has been active since at least late 2023.

Curly COMrades persistently maintained reverse proxy access, deploying multiple tunneling tools such as Resocks, Ligolo-ng, and Stunnel. Investigators also found PowerShell scripts that abused Kerberos tickets and used Group Policy to create local accounts for persistence, showcasing a flexible, layered intrusion strategy.

Inside the hidden Hyper-V Linux VMs, the attackers deployed CurlyShell and CurlCat, C++ ELF implants built on libcurl. Both run headless as background daemons, initialize a custom non-standard Base64 scheme, and generate a unique Base64-encoded session cookie used in a PHP-style C2 handshake.

The implants use libcurl callbacks to receive encrypted C2 data, poll with GET and send results with POST, and launch core logic in a to_run() loop. The implants differ in payload handling: CurlyShell interprets server responses as shell commands (executed via popen() with a 30s timeout), while CurlCat simply forwards raw data to an SSH process for relay.

“Two custom malware families — CurlyShell and CurlCat — were at the center of this activity, sharing a largely identical code base but diverging in how they handled received data: CurlyShell executed commands directly, while CurlCat funneled traffic through SSH.” continues the report.

The Curly COMrades group emphasized stealth by encrypting payloads, abusing native PowerShell, and minimizing forensic traces. Defenders should monitor for abnormal LSASS access and Kerberos ticket creation/injection, use EDR/XDR (or GravityZone features) to catch credential-based attacks, and consider MDR if staff are limited.

“The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation.” concludes the report. “To counter this, organizations must move beyond relying on a single security layer and implement defense-in-depth, multilayered security. It is critical to start designing the entire environment to be hostile to attackers. This means using solutions that restrict an adversary’s operational space, such as Proactive Hardening and Attack Surface Reduction (PHASR), which prevents the abuse of native system tools and forces attackers to take riskier, more detectable actions, thereby raising the operational cost of the attack and securing the environment at every layer.”

Source: https://securityaffairs.com/184268/hacking/alleged-russia-linked-curly-comrades-exploit-windows-hyper-v-to-evade-edrs.html