Russia-linked ‘Curly COMrades’ turn to malicious virtual machines for digital spy campaigns
Summary
Researchers have uncovered a covert cyber-espionage campaign that hides lightweight malicious tooling inside a virtual machine (VM) running on Windows Hyper-V. Bitdefender attributes the operation to a Russia-aligned threat actor tracked as Curly COMrades. The group has been active since at least 2024, and the activity described here was observed from July onward: a roughly 120MB Alpine Linux guest was deployed to run two bespoke implants, CurlyShell and CurlCat, which provided remote control and data-exfiltration capabilities.
Running the implants inside a guest VM, rather than as processes on the host, let the actors evade detection solutions that typically inspect only the host Windows environment. Georgian authorities assisted in the investigation and seized a compromised server, enabling researchers to map parts of the infrastructure. Curly COMrades favour public, open-source tools and stealthy, persistent access aimed at credential theft and long-term espionage against targets in Georgia, Moldova and other geopolitically sensitive states.
Key Points
- Attackers abused Windows Hyper-V to run a small Alpine Linux VM (≈120MB) that hosted malicious implants.
- Two custom tools, CurlyShell and CurlCat, were run inside the VM to control victims and exfiltrate data.
- Hiding malware inside guest VMs helped the group evade host-focused security monitoring and detection tools.
- Bitdefender links the activity to Curly COMrades, a group aligned with Russian interests and active since at least 2024.
- Targets include government, judicial and critical infrastructure organisations in Georgia and Moldova, aligning with broader regional influence operations.
- Investigators relied on cooperation with Georgia’s CERT and seized a compromised server to trace infrastructure.
- The group prefers publicly available and open-source tools for stealth and persistence rather than zero-day exploits.
Context and relevance
The technique marks an evolution in evasion tactics: the host's own built-in virtualisation feature (Hyper-V) becomes the hiding place for the implants. As defenders concentrate on host OS telemetry, adversaries increasingly use execution environments that many security stacks never inspect. The guest is not invisible, though: enabling the Hyper-V feature, creating the VM, the per-guest worker process (vmwp.exe) and the guest's network traffic leaving through the host's virtual switch all leave traces on the host, and that is where hunting for this pattern has to start.
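The following hunting script is an added example for the evasion described above; it is not code from the article, from Bitdefender or from the threat actor. It runs on a Windows host you suspect, checks whether Hyper-V is enabled at all, lists running worker processes, then enumerates every guest (stopped ones included) and flags guests that are not in your inventory or are backed by a very small virtual disk, the kind of footprint a roughly 120MB Alpine guest would have. The inventory list (`$KnownVMs`) and the size threshold (`$TinyDiskBytes`) are assumptions to replace with your own values.

```powershell
# Added hunting script (not from the article, Bitdefender or the actor). The inventory
# list, size threshold and output format are assumptions; adapt them to your estate.
#Requires -RunAsAdministrator

$KnownVMs      = @('build-agent-01')   # hypothetical inventory of guests that SHOULD exist on this host
$TinyDiskBytes = 512MB                 # assumed threshold; the reported Alpine guest was roughly 120MB
$Findings      = [System.Collections.Generic.List[object]]::new()

# 1. Should this machine be a hypervisor at all? Hyper-V enabled on an ordinary
#    user workstation is itself worth a ticket.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($feature.State -ne 'Enabled') {
    Write-Host 'Hyper-V is not enabled on this host; nothing to enumerate.'
    return
}
Write-Warning 'Hyper-V is enabled. Confirm this host is an approved hypervisor.'

# 2. One Virtual Machine Worker Process (vmwp.exe) runs per powered-on guest.
Get-Process -Name vmwp -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("vmwp.exe PID {0} started {1}" -f $_.Id, $_.StartTime) }

# 3. Enumerate every guest, including stopped ones, and attach flags to each.
foreach ($vm in Get-VM) {
    $flags = [System.Collections.Generic.List[string]]::new()
    if ($vm.Name -notin $KnownVMs) { $flags.Add('not-in-inventory') }

    # Disk footprint: a guest backed by a tiny VHD/VHDX matches the minimal-Linux pattern.
    foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
        if (Test-Path -LiteralPath $disk.Path) {
            $vhd = Get-VHD -Path $disk.Path
            if ($vhd.FileSize -lt $TinyDiskBytes) {
                $flags.Add(("tiny-disk:{0}:{1}MB" -f $disk.Path, [math]::Round($vhd.FileSize / 1MB)))
            }
        } else {
            $flags.Add("missing-disk:$($disk.Path)")
        }
    }

    # Network: any attached adapter gives the guest a path out through the host's virtual switch.
    foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
        $flags.Add(("nic:{0}:ips={1}" -f $nic.SwitchName, ($nic.IPAddresses -join ',')))
    }

    $Findings.Add([pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        Generation = $vm.Generation
        Created    = $vm.CreationTime
        AutoStart  = $vm.AutomaticStartAction   # 'Start' on an unknown guest means it survives reboots
        Flags      = ($flags -join ' ')
    })
}

$Findings | Format-Table -AutoSize -Wrap

# 4. Recent management-service activity (guest creation, start, config changes) for the timeline.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on a host with the Hyper-V management tools installed (the `Get-VM` family of cmdlets comes from that module). On a clean workstation it should stop at the first check; on a host where Hyper-V is expected, the interesting output is any guest tagged `not-in-inventory` or `tiny-disk`, especially one set to start automatically. Because the guest's traffic exits through the host's virtual switch, pair this host-side check with network telemetry for the host's IP address rather than relying on host EDR alone.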
For organisations in Eastern Europe and entities handling sensitive political, judicial or energy-sector data, this pattern underscores an elevated risk from state-aligned APTs that aim for long-term credential harvesting and covert access rather than noisy disruption.
Author’s take
Punchy: This is a neat, low-noise trick by a persistent espionage group. If you run infrastructure, SOC or incident response, pay attention: VMs can be the hiding places you didn’t know you had to watch. The technical simplicity makes it all the more dangerous — little footprint, long residence.
Why should I read this
Because it’s clever and worrying — attackers are using your own Hyper-V feature to hide implants where your usual tools won’t look. Reading this saves you time: it flags a practical evasion method you need to account for if you care about protecting networks, credentials and sensitive regional operations.
Source
Source: https://therecord.media/virtual-machines-cyber-espionage-russia-linked-curly-comrades
