Bitdefender has described a sophisticated campaign by the Curly COMrades threat actor that uses legitimate virtualisation features to create hidden, long-term access inside victim networks. The investigation, carried out with assistance from the Georgian National CERT, found lightweight Hyper-V virtual machines hosting custom malware and tunnelling tools that help the attackers evade standard endpoint defences.
Hyper-V used as a host-isolated operational base
The intrusions began with the enabling of the Microsoft Hyper-V role on selected Windows hosts and the silent import of a preconfigured virtual machine. The deployed VM ran Alpine Linux and was deliberately small, occupying about 120MB of disk space and using only 256MB of memory. The attackers registered and started the VM through PowerShell commands such as Import-VM and Start-VM. Command execution was often wrapped in cmd.exe /C calls with redirected output to temporary files, and common system utilities were used to stage the payloads.
By running the custom implants inside a Hyper-V instance, the adversary created a fully isolated environment separated from the host operating system. The VM was attached to Hyper-V’s Default Switch so that its outbound traffic was NATed through the host. That meant malicious network traffic appeared to originate from the legitimate host IP address, reducing the chances of detection by host-level security tools. The VM’s filesystem showed bespoke domain-to-IP mappings and private DNS entries, confirming that each environment was tailored to communicate with the attacker’s command and control infrastructure.
Custom implants, proxies and persistence mechanisms
Within the VM, investigators found two closely related custom implants. CurlyShell is a persistent reverse shell that uses HTTPS for command and control. It establishes a session using a non-standard Base64 alphabet and expects a precise response from the C2 server before launching its core logic. CurlCat is a companion tool that acts as a reverse proxy and tunnelling agent. Both binaries are ELF executables written in C++ and built around libcurl. CurlyShell executes commands received from the C2 and uses a cron job for persistence, while CurlCat wraps SSH traffic into HTTP payloads and is invoked on demand to provide proxy access.
The attackers also deployed a broad set of proxy and tunnelling utilities across affected environments, including Resocks, Rsockstun, Ligolo-ng, CCProxy and SSH-based methods. This layered approach helped maintain connectivity even when individual tools were disrupted.
Outside the VM, the campaign made use of PowerShell scripts for additional capabilities. One script implemented a customised Kerberos ticket injector that loads encrypted C# code into memory to manipulate tickets inside the LSASS process. That capability supported lateral movement and remote command execution by authenticating to remote systems through SMB. Other scripts, distributed via Group Policy, created or reset local accounts as a persistence mechanism. One variant repeatedly reset the password of an account named camera to remain resilient to remediation efforts.
Investigators noted operational details such as the use of an SSH private key stored under /root/.ssh that authenticated as user bob, and a SOCKS proxy listening on port 20155 that CurlCat used as a ProxyCommand. Forensic work on a seized compromised server revealed iptables rules redirecting traffic on port 443 to the attacker infrastructure at 88.198.91[.]116 on port 22, and a manually started sshd instance on port 31637. The analysis also confirmed that libcurl options in the malware disabled TLS certificate verification, enabling the use of arbitrary certificates on the compromised relay.
International cooperation and practical recommendations
The detailed mapping of the campaign owed much to rapid collaboration with the Georgian CERT, which detected a CurlCat sample communicating with a compromised Georgian site and shared forensic findings after seizing the host. That partnership allowed analysts to reconstruct how the attackers used the compromised site as a proxy and how tunnelling was implemented on the server.
Bitdefender’s analysis highlights a wider trend in which threat actors increasingly exploit benign platform features to avoid detection as endpoint detection and response tools become commoditised. To mitigate such threats, organisations should adopt a defence-in-depth approach. Network inspection on the host remains crucial because VM-hosted implants must still route their traffic through the host’s network stack. Controls such as network content identification and host-based inspection can reveal unusual tunnelling and executable transfers. Organisations should also monitor for suspicious access to credential processes and anomalous Kerberos ticket usage. Proactive hardening that restricts the abuse of native system tools, combined with managed detection and response services, can reduce the attack surface and improve the chance of early detection.
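The host-side checks described above, written out as an added triage script for a Windows host (this is not code from Bitdefender or the report): it confirms whether the Hyper-V role is present, flags small VMs attached to the NAT’d Default Switch, and searches PowerShell script-block logs for Import-VM and Start-VM invocations. The size thresholds and look-back window are assumptions, and the Hyper-V PowerShell module must be installed for Get-VM and related cmdlets to exist.

```powershell
# Added triage script (not from the Bitdefender report). Run as administrator.
# Thresholds below are assumptions chosen around the ~120MB / 256MB VM described in the article.
$MaxSuspectMemoryMB = 512
$MaxSuspectDiskMB   = 1024
$LookbackDays       = 30

# 1. Is the Hyper-V role present at all? On a workstation that should not host VMs,
#    the role being enabled is itself worth investigating.
$role = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
Write-Host "Hyper-V feature state: $($role.State)"
if ($role.State -ne 'Enabled') { return }

# 2. Enumerate VMs and flag the combination the article describes: tiny footprint,
#    attached to the Default Switch (traffic NATed through the host IP), recently created.
foreach ($vm in Get-VM) {
    $adapters  = Get-VMNetworkAdapter -VMName $vm.Name
    $onDefault = $adapters | Where-Object { $_.SwitchName -eq 'Default Switch' }
    $memMB     = [int]($vm.MemoryStartup / 1MB)
    $diskMB    = 0
    foreach ($hd in Get-VMHardDiskDrive -VMName $vm.Name) {
        # Size on disk of the VHD/VHDX file, not the virtual capacity.
        if (Test-Path $hd.Path) { $diskMB += [int]((Get-Item $hd.Path).Length / 1MB) }
    }
    $flags = @()
    if ($memMB  -le $MaxSuspectMemoryMB) { $flags += "small-memory($memMB MB)" }
    if ($diskMB -le $MaxSuspectDiskMB)   { $flags += "small-disk($diskMB MB)" }
    if ($onDefault)                      { $flags += 'default-switch-NAT' }
    if ($vm.CreationTime -gt (Get-Date).AddDays(-$LookbackDays)) { $flags += 'recently-created' }
    [pscustomobject]@{ Name = $vm.Name; State = $vm.State; Path = $vm.Path; Flags = ($flags -join ',') }
}

# 3. Script-block logging (event 4104) records the text of executed PowerShell, including
#    Import-VM / Start-VM calls launched through cmd.exe /C. Requires script block logging
#    to have been enabled before the activity occurred.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Import-VM|Start-VM|Enable-WindowsOptionalFeature.*Hyper-V' } |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = { (($_.Message -split "`n")[0..2]) -join ' ' } }
```

Because the VM’s traffic leaves through the host’s own IP address, pair this host-side enumeration with network-level inspection of the host’s outbound connections rather than relying on either alone.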