
Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection

Medium
Published: Thu Nov 06 2025 (11/06/2025, 07:22:00 UTC)
Source: The Hacker News

Description

The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. "This hidden environment, with its lightweight

AI-Powered Analysis

Last updated: 11/06/2025, 07:42:01 UTC

Technical Analysis

Curly COMrades is a sophisticated threat actor group that has been observed weaponizing Windows Hyper-V virtualization technology to conceal malicious activities within a minimal Alpine Linux virtual machine (VM) deployed on compromised Windows 10 systems. By enabling the Hyper-V role on victim machines, the attackers create a hidden execution environment that hosts custom malware such as CurlyShell, a C++-based ELF binary providing a persistent reverse shell, and CurlCat, a reverse proxy tool. This VM-based approach allows the threat actors to isolate their malware from the host OS, effectively evading detection by traditional endpoint detection and response (EDR) solutions that monitor host-level processes and behaviors. The VM is lightweight, consuming only about 120MB of disk space and 256MB of memory, making it difficult to detect through resource monitoring.

Communication with the command-and-control (C2) infrastructure is conducted via encrypted HTTP GET and POST requests, enabling the execution of encrypted commands and exfiltration of data. The group also employs a variety of proxy and tunneling tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods to maintain covert and resilient communication channels.

Curly COMrades have been active since late 2023, with documented attacks primarily targeting Georgia and Moldova, aligning with Russian geopolitical interests. Their toolkit includes credential harvesting tools like Mimikatz, persistent remote access implants like RuRat, and modular .NET implants such as MucorAgent.

The use of Hyper-V to host a Linux VM for malware execution represents a novel evasion technique that complicates detection and response efforts. This attack vector does not rely on known exploits but leverages legitimate Windows features, increasing its stealth and persistence. The threat actor's ability to maintain a reverse proxy and continually introduce new tooling demonstrates a high level of operational sophistication and adaptability.

Potential Impact

For European organizations, especially those in Eastern Europe and countries with significant geopolitical interest, this threat poses a substantial risk to confidentiality, integrity, and availability. The use of Hyper-V virtualization to hide malicious activity allows attackers to bypass host-based security controls, making detection and remediation more challenging. Sensitive data could be exfiltrated stealthily, and persistent remote access could enable long-term espionage or sabotage. Organizations relying on Windows 10 with Hyper-V enabled, particularly in sectors such as government, critical infrastructure, defense, and energy, are at heightened risk. The stealthy nature of the attack complicates incident response and forensic investigations, potentially allowing attackers to maintain footholds for extended periods. The modular and adaptable malware toolkit increases the likelihood of tailored attacks and lateral movement within networks. The threat also underscores the risk of legitimate system features being abused for malicious purposes, necessitating a reevaluation of virtualization usage policies and monitoring.

Mitigation Recommendations

1. Implement strict controls and monitoring over the activation and use of Hyper-V roles on endpoints, limiting it only to authorized systems and users.
2. Deploy advanced behavioral analytics and network traffic inspection capable of detecting unusual VM creation, especially lightweight Linux VMs on Windows hosts.
3. Monitor for anomalous HTTP GET and POST traffic patterns indicative of encrypted command-and-control communications, particularly from unexpected processes or VMs.
4. Employ endpoint detection tools that can monitor virtualization layers and guest VMs, not just the host OS processes.
5. Conduct regular audits of installed Windows features and roles to identify unauthorized Hyper-V activation.
6. Harden PowerShell usage policies and monitor for suspicious scripts that could facilitate remote command execution.
7. Use network segmentation and strict proxy controls to limit unauthorized tunneling and proxying tools like Resocks, Ligolo-ng, and SSH tunnels.
8. Enhance credential protection measures to mitigate risks from tools like Mimikatz, including enforcing multi-factor authentication and privileged access management.
9. Collaborate with national CERTs and threat intelligence providers to stay updated on Curly COMrades' tactics and indicators of compromise.
10. Educate security teams on the risks of virtualization-based evasion techniques and incorporate VM-level monitoring into security operations.
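One way to act on recommendations 1, 4 and 5 on a single Windows 10 host: an added PowerShell audit script, not taken from the article or the Bitdefender report, that checks whether the Hyper-V feature is enabled and lists every registered VM with its memory, disk footprint and virtual switches, flagging VMs as small as the one described above. The flagging thresholds are assumptions derived from the ~256MB / ~120MB figures in the analysis.

```powershell
# Added audit example (not from the article or the Bitdefender report).
# Run elevated on a Windows 10 host; requires the Hyper-V PowerShell module if the role is enabled.
#Requires -RunAsAdministrator

$MemoryThresholdMB = 512   # assumption: VMs assigned this much RAM or less are worth a look
$DiskThresholdMB   = 1024  # assumption: VHD/VHDX files this small are worth a look

# Recommendation 5: is the Hyper-V role enabled at all on this endpoint?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
Write-Host "Hyper-V feature state: $($feature.State)"
if ($feature.State -ne 'Enabled') { return }

# The Virtual Machine Management service must be running for any VM to execute.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
Write-Host "VMMS service status: $($vmms.Status)"

Import-Module Hyper-V -ErrorAction Stop

# Recommendations 1 and 4: enumerate guests and their footprint on the host.
$findings = foreach ($vm in Get-VM) {
    $memMB  = [math]::Round($vm.MemoryStartup / 1MB)
    $disks  = Get-VMHardDiskDrive -VMName $vm.Name
    $diskMB = 0
    foreach ($d in $disks) {
        # On-disk size of each attached VHD/VHDX, not the virtual capacity
        if (Test-Path $d.Path) { $diskMB += [math]::Round((Get-Item $d.Path).Length / 1MB) }
    }
    $switches = (Get-VMNetworkAdapter -VMName $vm.Name |
                 Select-Object -ExpandProperty SwitchName) -join ','
    $flag = ($memMB -le $MemoryThresholdMB) -or ($diskMB -gt 0 -and $diskMB -le $DiskThresholdMB)

    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        Generation = $vm.Generation
        Created    = $vm.CreationTime
        MemoryMB   = $memMB
        DiskMB     = $diskMB
        Switches   = $switches
        DiskPaths  = ($disks.Path -join ',')
        Flag       = $flag
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Flag | ForEach-Object {
    Write-Warning "Review VM '$($_.Name)': $($_.MemoryMB)MB RAM, $($_.DiskMB)MB on disk, created $($_.Created)"
}
```

Run the script from a scheduled task or an EDR live-response session and compare the output against an inventory of hosts approved to run Hyper-V; any enabled feature or flagged VM on a host with no approved use is a finding to investigate.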


Technical Details

Article Source
https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html (fetched 2025-11-06 07:41:41 UTC, 1018 words)

Threat ID: 690c513803d96811746f64b5

Added to database: 11/6/2025, 7:41:44 AM

Last enriched: 11/6/2025, 7:42:01 AM

Last updated: 11/6/2025, 1:47:56 PM
