- Curly COMrades deployed Alpine Linux VMs on Windows hosts to hide reverse-shell malware activity
- VM traffic is NATed out through the host's own IP address, masking outgoing communications and sidestepping host-based EDR
- The targets included Georgian and Moldovan institutions; operations are aligned with Russian geopolitical interests
Russian hackers known as Curly COMrades have been seen hiding their malware inside Linux-based virtual machines (VMs) installed on Windows devices, experts have warned.
Security researchers from Bitdefender, analyzing recent activity together with the Georgian Computer Emergency Response Team (CERT), found that Curly COMrades began using this technique in July 2025, when they ran remote commands on victim hosts to enable the Microsoft-Hyper-V virtualization feature while disabling its management interface.
They then deployed a lightweight Alpine Linux VM, containing several malware implants, inside Hyper-V.
Russian invaders
The implants running inside the VM in this campaign, CurlyShell and CurlCat, give the attackers reverse-shell access to the victim environment. The hackers also deployed PowerShell scripts that provided remote authentication and arbitrary command execution capabilities.
To blend the VM's activity in with the host's, they attached it to Hyper-V's Default Switch, which NATs guest traffic through the host's network stack over Hyper-V's internal network. That way, all of the VM's traffic left the machine as if the host itself had generated it.
“In effect, all malicious outgoing communication appears to originate from the legitimate host machine’s IP address,” the researchers explained. “By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections.”
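The checks a defender would run against this tradecraft, as an added example (not code from the article, from Bitdefender or from the Georgian CERT). It is meant for an elevated PowerShell session on a workstation that has no business running Hyper-V. It deliberately avoids the Hyper-V PowerShell module (Get-VM and friends), since the attackers disabled the management tooling, and instead reads optional-feature state, services, per-VM worker processes and the root\virtualization\v2 WMI namespace, which the hypervisor populates regardless. The function name and the dism.log substring match are this example's own assumptions.

```powershell
# Added illustration (not code from Bitdefender, the Georgian CERT, or the
# article): triage for a Windows host that may be running an attacker-planted
# Hyper-V guest. Run from an elevated PowerShell session.

function Invoke-HyperVHunt {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Optional-feature state. The reported tradecraft is "hypervisor on,
    #    management clients off", so flag that combination specifically.
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' }
    $hv   = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V'
    $mgmt = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Management-Clients'
    if ($hv -and $hv.State -eq 'Enabled') {
        $findings.Add('Microsoft-Hyper-V optional feature is enabled on this host')
        if (-not $mgmt -or $mgmt.State -ne 'Enabled') {
            $findings.Add('Hyper-V management clients are disabled while the hypervisor is enabled (matches the reported tradecraft)')
        }
    }

    # 2. Hypervisor services and worker processes: each running VM has its own vmwp.exe.
    foreach ($svc in 'vmms', 'vmcompute') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -eq 'Running') { $findings.Add("Service $svc is running") }
    }
    foreach ($w in (Get-Process -Name vmwp -ErrorAction SilentlyContinue)) {
        $findings.Add("VM worker process vmwp.exe running (PID $($w.Id))")
    }

    # 3. Enumerate guests through WMI, no Hyper-V module needed. Caption
    #    'Virtual Machine' separates guests from the host's own
    #    'Hosting Computer System' entry; EnabledState 2 means running.
    try {
        $cs = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction Stop
        foreach ($vm in ($cs | Where-Object Caption -eq 'Virtual Machine')) {
            $state = if ($vm.EnabledState -eq 2) { 'running' } else { "EnabledState=$($vm.EnabledState)" }
            $findings.Add("Guest VM '$($vm.ElementName)' present ($state)")
        }
        # 4. Virtual switches. The Default Switch is what NATs guest traffic out
        #    of the host's own IP address and so hides the implants' connections.
        $switches = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_VirtualEthernetSwitch -ErrorAction Stop
        foreach ($sw in $switches) { $findings.Add("Virtual switch '$($sw.ElementName)' exists") }
    } catch {
        # The namespace is absent when the Hyper-V role is not installed: the expected clean result.
    }
    $nat = Get-NetAdapter -Name 'vEthernet (Default Switch)' -ErrorAction SilentlyContinue
    if ($nat) { $findings.Add("Host-side adapter '$($nat.Name)' is present ($($nat.Status))") }

    # 5. DISM logs feature changes locally; a recent enable of Microsoft-Hyper-V
    #    on a workstation deserves a look. Assumption: only a substring match is
    #    made, nothing here depends on the exact log line format.
    $dismLog = Join-Path $env:windir 'Logs\DISM\dism.log'
    if (Test-Path $dismLog) {
        $hits = Select-String -Path $dismLog -Pattern 'Microsoft-Hyper-V' -SimpleMatch | Select-Object -Last 3
        foreach ($h in $hits) { $findings.Add("dism.log: $($h.Line.Trim())") }
    }

    return $findings
}

$result = Invoke-HyperVHunt
if ($result.Count -eq 0) { 'No Hyper-V artefacts found.' } else { $result }
```

A clean workstation returns nothing: the optional feature is disabled, vmms is absent, and the WMI namespace does not exist. The combination of an enabled hypervisor, disabled management clients and a guest attached to the Default Switch on a machine that was never meant to virtualize anything is the pattern worth escalating, and because the guest's connections leave with the host's address, the network side of the hunt has to come from perimeter or flow logs rather than from the host's own process-attributed telemetry.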
Curly COMrades were first seen in 2024, and while their activities align with the interests of the Russian Federation, no direct connection has been found. In August 2025, Bitdefender reported that their victims included government and judicial organizations in Georgia and energy companies in Moldova. The victims in this incident were not named.
Bitdefender emphasized that there are no strong overlaps with known Russian APT groups, but Curly COMrades’ operations “align with the geopolitical goals of the Russian Federation.”
Ever since Russia's attention turned to Ukraine in 2014 with the annexation of Crimea, the other former Soviet republics on its periphery have lost the spotlight. However, Georgia is in a similar position to Ukraine, with two regions, South Ossetia and Abkhazia, having declared independence with the help of the Russian military. It would therefore make sense for Russia's cyber spies to keep an eye on neighboring countries and their diplomatic efforts.
Via The Register