Curly COMrade – a Russian hacking group that's been active since 2024 and is aligned with Russian political movements – has been abusing the Microsoft Hyper-V within Windows to bypass detection by creating a virtual machine (VM) based on Alpine Linux to deploy malware.

The VM only uses 120MB of disk space and 256MB of memory, making it less detectable. Once the VM has been deployed, the malware uses the CurlyShell reverse shell and the CurlCat reverse proxy for stealth and communication.

According to Bitdefender, "By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR [endpoint detection and response] detections. EDR needs to be complemented by host-based network inspection to detect C2 traffic escaping the VM, and proactive hardening tools to restrict the initial abuse of native system binaries."

During that same investigation, Bitdefender discovered a PowerShell script that was created specifically for remote execution was employed to abuse Kerberos tickets to further expand the Curly toolkit.

Both CurlyShell and CurlyCat were written in C++ and built around the libcurl library.

As far as mitigation is concerned, Bitdefender suggests that organizations "must detect abnormal access to the LSASS process and suspicious Kerberos ticket creation or injection attempts, which occur outside the VM and are highly detectable." The report then suggests using "GravityZone EDR/XDR capabilities to detect malicious access to credential processes and mitigate memory-based attacks. For organizations operating with a lean security staff, adopting Managed Detection and Response (MDR) services offers an effective solution."