Curly COMrades’ Latest Toolset Installs Undetected Remote Access on Windows 10 Systems
The latest findings describe how the attackers leveraged Microsoft’s Hyper-V virtualization to create covert, fully isolated environments that allowed stealthy remote access and command execution on compromised Windows 10 hosts.
Instead of deploying traditional malware directly on the host, the attackers enabled the Hyper-V feature remotely and imported a lightweight Alpine Linux virtual machine specially crafted for stealth and persistence.
This VM, occupying just 120MB of disk space and 256MB of memory, served as an invisible operational base. Inside it, two custom implants named CurlyShell and CurlCat were discovered, both written in C++ and built using the libcurl library.
CurlyShell established a persistent HTTPS-based reverse shell, while CurlCat managed SSH tunneling, allowing attackers to pivot within victim networks unseen.
By isolating these tools within the VM, Curly COMrades bypassed endpoint detection and response (EDR) systems, which typically monitor host processes rather than virtualized environments.
The decompiled binaries show near-identical codebases for both implants. CurlyShell executed attacker commands using a non-standard Base64 encoding scheme, while CurlCat relayed SSH data over HTTP to blend with legitimate web traffic.
Their minimalist design reduced forensic traces, demonstrating an evolved operational discipline. The VM’s network adapter, set to the Default Switch in Hyper-V, routed malicious traffic through the host’s network stack using internal NAT.
This ensured all C2 communications appeared to originate from the legitimate IP of the infected machine. Evidence found inside the VM, including custom DNS entries and domain mapping files, confirmed that each build was tailored to its target environment.
Additional PowerShell scripts expanded the threat actor’s toolkit, including one abusing Kerberos tickets for remote authentication and another distributed via Group Policy to maintain persistence through local account creation and password resets.
The operation’s discovery stemmed from Georgian CERT analysts detecting CurlCat traffic linked to a compromised domestic website acting as a C2 relay.
Joint forensic analysis uncovered NGINX and iptables configurations that rerouted victim connections to external servers, confirming the group’s infrastructure setup and strong operational security.
Bitdefender emphasized that this campaign signals a growing trend: threat actors increasingly abusing legitimate virtualization frameworks to evade EDR and XDR detection.
Experts recommend adopting multilayered defenses such as network-level monitoring, attack surface reduction, and proactive hardening to detect traffic escaping from virtualized malware environments before it reaches its command-and-control endpoint.
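As an added defender-side example (not code from the Bitdefender report or the threat actor), the following PowerShell triage script checks a Windows 10 workstation for the conditions described above: the Hyper-V feature unexpectedly enabled, and a registered VM with a very small memory and disk footprint attached to the NAT-backed Default Switch. The size thresholds and the rule of flagging a VM on two or more indicators are assumptions chosen to match the reported 256MB / 120MB footprint; tune them to your own baseline.

```powershell
# Added triage example: hunt for a low-footprint Hyper-V VM on a workstation
# where virtualization is not part of the approved baseline.
# Run elevated. Get-VM / Get-VMNetworkAdapter / Get-VMHardDiskDrive come from the
# Hyper-V PowerShell module, which is present once the feature is enabled.
# Thresholds below are assumptions derived from the reported 256MB RAM / 120MB disk.
param(
    [int64]$MaxSuspectMemoryBytes = 512MB,
    [int64]$MaxSuspectDiskBytes   = 512MB,
    [string]$SuspectSwitch        = 'Default Switch'
)

$findings = @()

# 1. Is the Hyper-V optional feature enabled at all? On a standard workstation
#    baseline this alone is worth an alert, since the actor enabled it remotely.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
if ($null -eq $feature -or $feature.State -ne 'Enabled') {
    Write-Output 'Hyper-V feature not enabled; nothing further to inspect.'
    return
}
$findings += 'Hyper-V feature is enabled on this host.'

# 2. Enumerate registered VMs and flag small ones attached to the Default Switch,
#    whose NAT egress makes guest traffic appear to come from the host's own IP.
foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
    $adapters  = Get-VMNetworkAdapter -VMName $vm.Name
    $disks     = Get-VMHardDiskDrive  -VMName $vm.Name
    $diskBytes = 0
    foreach ($d in $disks) {
        if ($d.Path -and (Test-Path $d.Path)) { $diskBytes += (Get-Item $d.Path).Length }
    }

    $reasons = @()
    if ($vm.MemoryStartup -le $MaxSuspectMemoryBytes) { $reasons += "startup memory $($vm.MemoryStartup / 1MB)MB" }
    if ($diskBytes -gt 0 -and $diskBytes -le $MaxSuspectDiskBytes) { $reasons += "disk $([math]::Round($diskBytes / 1MB))MB" }
    if ($adapters.SwitchName -contains $SuspectSwitch) { $reasons += "attached to '$SuspectSwitch'" }
    if ($vm.State -eq 'Running') { $reasons += 'currently running' }

    # Two or more indicators together are treated as suspect (assumed rule).
    if ($reasons.Count -ge 2) {
        $findings += "VM '$($vm.Name)': " + ($reasons -join '; ')
    }
}

# 3. Emit the findings for the analyst or for forwarding to a SIEM.
$findings
```

Because guest traffic leaves through the host's network stack, host-level network monitoring of outbound HTTPS and SSH-over-HTTP from workstations complements this check rather than replacing it.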
The post Curly COMrades’ Latest Toolset Installs Undetected Remote Access on Windows 10 Systems appeared first on Cyber Security News.