Security researchers have uncovered a new technique used by a threat group known as Curly COMrades. The attackers deployed lightweight Alpine Linux virtual machines on compromised Windows hosts and used them as a hidden environment to run their payloads. The analysis, conducted by Bitdefender together with the Georgian CERT, shows that this method has allowed the group to avoid most conventional endpoint detection.
How the attackers built their hidden environment
Evidence shows that the activity began in July 2025. The attackers remotely enabled the Hyper-V role on target systems and then disabled its management interface, so the hypervisor was running without the tooling an administrator would normally use to notice it. Once the hypervisor was active, they downloaded a minimal Alpine Linux VM that contained the malware components.
Two custom tools ran inside the VM. CurlyShell provides a reverse shell, and CurlCat is a reverse proxy that tunnels traffic over the same outbound channel; both rely on curl for transport. PowerShell scripts executed on the Windows host handled remote authentication and arbitrary command execution.
Why conventional detection tools missed the intrusion
Curly COMrades attached the VM to Hyper-V’s Default Switch, which NATs guest traffic through the host. All network activity from the Linux guest therefore left the machine with the Windows host’s IP address, and to network monitoring the malicious traffic was indistinguishable from ordinary outbound connections from the victim’s workstation.
Bitdefender explains that running the malware inside the VM sidestepped host-based EDR monitoring. The guest is a self-contained execution environment: the Windows detection agent on the host sees a single virtual disk image and a hypervisor worker process, but has no view of the processes, files or sockets inside the guest.
Links to regional geopolitical operations
Curly COMrades were first identified in 2024 and have been linked to operations that match Russian strategic interests, although researchers have not confirmed direct state control. Previous victims included government and judicial bodies in Georgia and energy organisations in Moldova.
These targets make sense in the broader regional landscape. Since Russia’s move into Crimea in 2014, international attention has focused on Ukraine. However, Georgia remains strategically sensitive due to its own disputed territories, South Ossetia and Abkhazia, where Russian military involvement continues. Maintaining visibility over political movements in neighbouring countries appears consistent with the threat group’s objectives.
Implications for defenders
This campaign shows how virtualisation can hide an intrusion on a system that looks clean to the host’s own security tooling. Traditional endpoint tools inspect the host OS; here the only host-side artefact of the payload was the VM’s disk image, while the malicious binaries, processes and network sockets existed only inside the guest, where no Windows agent was running. Defenders should treat unexpected enablement of built-in hypervisors, disabled management tooling, new virtual disk images and new virtual network adapters as signals worth monitoring, and extend network monitoring to catch guest traffic that leaves the host under the host’s own address.
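The host-side artefacts described above (hypervisor role enabled with management disabled, a VM image on disk, the Default Switch adapter, worker processes and VMMS events) can be collected in one pass. The script below is an added hunting example for Windows endpoints, not code from the Bitdefender or CERT analysis. It assumes the standard DISM feature names for the Hyper-V role and uses a hypothetical allowlist, $ExpectedHyperVHosts, that you would replace with your own; it queries the Hyper-V WMI namespace directly because the Get-VM cmdlets are unavailable if the attacker has disabled the management features.

```powershell
# Added hunting script (not from the Bitdefender/CERT report). Run in an elevated
# PowerShell session on the endpoint. Assumptions: standard DISM feature names for
# the Hyper-V role; $ExpectedHyperVHosts is a hypothetical allowlist of hosts that
# are supposed to run a hypervisor.

$ExpectedHyperVHosts = @('BUILD-HV01')            # hypothetical allowlist
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Role state: is the hypervisor on, and has the management tooling been removed?
$feat = @{}
foreach ($name in 'Microsoft-Hyper-V-Hypervisor',
                  'Microsoft-Hyper-V-Services',
                  'Microsoft-Hyper-V-Management-Clients',
                  'Microsoft-Hyper-V-Management-PowerShell') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $feat[$name] = if ($f) { $f.State } else { 'Absent' }
}
if ($feat['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled' -and
    $env:COMPUTERNAME -notin $ExpectedHyperVHosts) {
    $findings.Add("Hyper-V hypervisor enabled on $env:COMPUTERNAME, which is not an approved virtualisation host")
}
if ($feat['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled' -and
    $feat['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled') {
    $findings.Add('Hypervisor enabled but Hyper-V Manager disabled: headless hypervisor, matches the reported pattern')
}

# 2. Guest inventory via WMI. Get-VM depends on the PowerShell management feature, which
#    an attacker may have disabled, so root\virtualization\v2 is queried directly.
#    Msvm_ComputerSystem also returns the host itself; Caption filters it out.
$guests = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem `
            -ErrorAction SilentlyContinue | Where-Object Caption -eq 'Virtual Machine'
foreach ($g in $guests) {
    $state = switch ($g.EnabledState) { 2 { 'Running' } 3 { 'Off' } 9 { 'Paused' } default { "EnabledState=$($g.EnabledState)" } }
    $findings.Add("VM '$($g.ElementName)' $state")
}

# 3. Virtual disk images on the host. The guest's files never appear on the Windows
#    filesystem, but the image that contains them must. Small images outside the
#    default Hyper-V directories deserve a closer look.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include '*.vhd', '*.vhdx' -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $findings.Add(("Disk image {0} ({1:N0} MB, written {2})" -f $_.FullName, ($_.Length / 1MB), $_.LastWriteTime))
  }

# 4. Virtual adapters. The Default Switch NATs guest traffic through this host adapter,
#    so guest connections carry the host's IP on the wire; the adapter stays even when
#    the VM is stopped.
Get-NetAdapter -ErrorAction SilentlyContinue |
  Where-Object Name -like 'vEthernet*' |
  ForEach-Object { $findings.Add("Virtual adapter '$($_.Name)' status=$($_.Status)") }

# 5. Hyper-V processes (vmwp.exe is one worker per running VM) and recent VMMS events,
#    which record VM creation, start and stop on the host even when the guest is opaque.
Get-Process -Name vmwp, vmms, vmcompute -ErrorAction SilentlyContinue |
  ForEach-Object { $findings.Add("Process $($_.ProcessName) pid=$($_.Id)") }
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = (Get-Date).AddDays(-30) } `
    -ErrorAction SilentlyContinue |
  Select-Object -First 50 |
  ForEach-Object { $findings.Add(("VMMS {0} id={1}: {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0])) }

if ($findings.Count -eq 0) { 'No Hyper-V artefacts found.' } else { $findings }
```

The recursive image search is the slow part and can be scoped to user-writable directories on large disks. None of these checks sees inside the guest; the point is that the hypervisor leaves host-side traces (feature state, image file, adapter, worker process, VMMS log) that an EDR or a scheduled hunt can watch even when the payload itself is out of reach.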

