The Russia-linked group known as Curly COMrades has been active since late 2023, utilizing a highly advanced technique to gain and maintain covert access to victim networks. Their primary method involves abusing the Windows Hyper-V feature on targeted systems to create a minimalistic, stealthy execution environment. By enabling the Hyper-V role, the attackers deploy an Alpine Linux-based Virtual Machine that has an incredibly small footprint—just 120MB of disk space and 256MB of memory. This hidden VM serves as a secure, isolated container for their operations, effectively allowing them to host custom tools and bypass many traditional, host-based EDR (Endpoint Detection and Response) security solutions that monitor the Windows operating system directly.
Within these hidden Linux VMs, Curly COMrades deploys two custom malware families: CurlyShell and CurlCat. These implants, built as headless C++ ELF daemons based on libcurl, share a nearly identical codebase but differ in their ultimate function. They initiate communication with their command-and-control (C2) server using a custom, non-standard Base64 scheme and a unique session cookie within a PHP-style handshake. The implants use libcurl callbacks to receive encrypted C2 data via GET requests, process it, and send results via POST requests, operating within a continuous to_run() execution loop to maintain persistent contact with the threat actors.
The difference between the two tools lies in how they handle the data received from the C2 server. CurlyShell is designed to interpret the server’s encrypted response as shell commands, which it then executes directly on the system using popen() with a 30-second timeout, giving the attackers remote code execution capability. In contrast, CurlCat functions as a reverse proxy, simply forwarding the raw incoming data to an SSH process for relay. This distinction allows the group flexibility, utilizing CurlyShell for direct command execution and CurlCat for maintaining a robust, tunneled communication channel into the compromised network, often deploying multiple tunneling tools such as Ligolo-ng, Resocks, and Stunnel for redundancy.
Beyond the virtualization abuse, the threat actors demonstrated a sophisticated, layered intrusion strategy for persistent access. They extensively employed native PowerShell scripts to exploit Kerberos tickets, maintain persistence through the creation of local accounts, and use Group Policy objects for reliable access. This emphasis on abuse of native features and the encryption of payloads were key parts of the group’s overarching strategy to minimize forensic traces and maintain stealth throughout their operations. The entire operation’s tracing was significantly aided by the joint investigation conducted by Bitdefender researchers and Georgia’s CERT, which pinpointed the virtualization misuse and traced operations back through compromised proxy sites.
Given this highly evasive attack chain, security defenders should prioritize monitoring for anomalous activities indicative of the later stages of the attack, particularly abnormal LSASS access and the creation or injection of Kerberos tickets. Organizations should leverage advanced EDR or Extended Detection and Response (XDR) solutions to catch these credential-based attacks, which often happen after the initial VM deployment. For organizations with limited internal resources, employing a Managed Detection and Response (MDR) service is a critical consideration to ensure continuous, expert-level threat hunting against such sophisticated actors.
Reference:
