- Curly COMrades deployed Alpine Linux VMs on Home windows hosts to cover reverse-shell malware exercise
- VM visitors tunneled by way of host IP, bypassing conventional EDR and masking outbound communications
- Targets included Georgian and Moldovan establishments; operations align with Russian geopolitical pursuits
Russian hackers often known as Curly COMrades have been seen hiding their malware in Linux-based digital machines (VM) deployed on Home windows units, specialists have warned.
Safety researchers from Bitdefender after analyzing the most recent actions along with the Georgian Laptop Emergency Response Staff (CERT), discovered Curly COMrades first began concentrating on their victims in July 2025, once they ran distant instructions to allow the microsoft-hyper-v virtualization function and disable its administration interface.
Then, they used the function to obtain a light-weight Alpine Linux-based VM containing a number of malware implants.
Russian attackers
The malware deployed on this marketing campaign is known as CurlyShell and CurlCat, each of which give a reverse shell. The hackers additionally deployed PowerShell scripts which granted distant authentication and arbitrary command execution capabilities.
To cover the exercise in plain sight, they configured the VM to make use of the Default Swap community adapter in Hyper-V. That method, all the VM’s visitors went via the host’s community stack utilizing Hyper-V’s inner community.
“In impact, all malicious outbound communication seems to originate from the reliable host machine’s IP tackle,” the researchers defined. “By isolating the malware and its execution surroundings inside a VM, the attackers successfully bypassed many conventional host-based EDR detections.”
Curly COMrades had been first noticed in 2024 and whereas their actions align with the pursuits of the Russian Federation, a direct hyperlink was not discovered. In August 2025, Bitdefender reported that their victims included authorities and judicial organizations in Georgia, and vitality corporations in Moldova. The victims on this incident weren’t named.
Bitdefender confused that there are not any robust overlaps with identified Russian APT teams, however Curly COMrades’ operations “align with the geopolitical objectives of the Russian Federation.”
Ever since Russia’s consideration turned in direction of Ukraine in 2014 with the annexation of Crimea, nations on its jap border have misplaced the highlight. Georgia, nonetheless, is in an analogous place to Ukraine, with two areas declaring independence with the assistance of the Russian navy – South Ossetia, and Abkhazia. Subsequently, it could make sense that Russia’s cyberspies want to maintain tabs on neighboring nations and their diplomatic efforts.
Through The Register
The perfect antivirus for all budgets
Comply with TechRadar on Google Information and add us as a most popular supply to get our knowledgeable information, critiques, and opinion in your feeds. Make sure that to click on the Comply with button!
And naturally it’s also possible to comply with TechRadar on TikTok for information, critiques, unboxings in video kind, and get common updates from us on WhatsApp too.
